Critical Apache Log4j vulnerability discovered — here's what you need to know

Late last week, a critical zero-day vulnerability in the popular Java logging library Log4j surfaced when attackers were observed exploiting Minecraft servers via the game’s chat box. It has since become clear that the vulnerability in question poses perhaps the largest security threat we’ve seen in years.

Certain details of this vulnerability, especially its scale and long-term impact, are still unfolding — but here’s what we know now.

Log4j is a highly popular, open-source Java logging library developed by the Apache Software Foundation. It introduced some basic concepts, such as hierarchical log levels, that have become standard across modern logging frameworks.

Nearly all major Java-based enterprise apps and services use Log4j, including iCloud, VMWare vCenter, Twitter, and ElasticSearch. The library has been downloaded over 400,000 times from GitHub.

This Log4j vulnerability — known by its Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44228, or simply the name Log4Shell — is a critical one that allows for unauthorized remote code execution. This means that attackers could use it to run arbitrary code on any vulnerable server. The library’s ubiquitous presence has placed countless applications — and the businesses that rely on them — at significant risk.

Log4Shell is also relatively easy for criminals to take advantage of. Attackers need only to force the vulnerable application to write a single malicious string to the log — after that, the system uses the Java Naming and Directory Interface (JNDI) for message lookup substitution, if enabled, and injects the attackers’ own code into the app. Log4j can interpret these log messages as a remote resource, fetch whatever is found at the address (for example, through LDAP or DNS), and even execute any payload it retrieves with the full privileges of the main program.

Because Apache Log4j is such a popular library, and the vulnerability is so easy to exploit, we can expect to see widespread attacks against apps and services used by millions of businesses over the coming days. Researchers are already observing the incorporation of Log4Shell into botnets and its use for activities ranging from cryptojacking to credential and data theft. Log4Shell scored a maximum severity rating (10) on the Common Vulnerability Scoring System (CVSS) scale.

This vulnerability impacts nearly every version of Apache Log4j, from 2.0-beta9 to 2.14.1. The easiest and most effective way to protect your systems is to immediately install the latest Log4j update — version 2.15.0, available now via Apache Logging Services — in which the exploitable behavior in question has been disabled by default.

“This [critical] vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a statement late last week. “The vendor community must immediately identify, mitigate, and patch the wide array of products using this software.”

If, for any reason, you cannot update all relevant systems at the moment, there are a couple of short-term mitigation options available:

• For admins running Log4j versions 2.10–2.14.1, disable message lookup substitution by setting the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
• For admins running Log4j versions 2.0-beta9–2.10.0, remove the JndiLookup class from the classpath.
  
• Block or monitor all outbound connections, as well as DNS queries from potentially affected servers.
  

Note that Acronis’ solutions appear at this time to be largely unexposed to this exploit, barring unusual configurations. Still, customers are encouraged to block or monitor outbound connections as a precautionary measure. See our security advisory for further details.

The threat posed by this Apache Log4j exploit is significant — perhaps the most severe in recent years — but it’s not entirely unique.

New vulnerabilities impacting popular business applications are discovered every day, which is why it’s so critical to have a solid plan for detecting and plugging security gaps as they emerge. Speed matters: attackers, aided by increasing levels of automation, waste no time in exploiting discovered weaknesses. Because Log4j is embedded into such a wide variety of applications — each of which will require a separate update — businesses relying on vulnerable solutions face a slow remediation process that may leave them exposed for a longer period of time.

Acronis Cyber Protect Cloud enables simple, fast, and reliable vulnerability assessment and patch management functionalities. By automatically retrieving and installing critical updates as soon as they become available, the solution ensures minimal exposure time to zero-day exploits — keeping your systems and data safe from cutting-edge cyberthreats while reducing the demand on IT resources.