The vulnerability, dubbed “Log4Shell” by researchers from LunaSec and attributed to Chen Zhaojun of Alibaba, was found in Apache Log4j, an open source logging utility used in a wide variety of apps, websites, and services. Log4Shell was first discovered in the Microsoft-owned Minecraft, although LunaSec warns that “many, many services” are susceptible to this due to Log4j’s “ubiquitous” presence in almost all major Java-based enterprise applications and servers. In one blog entry, the cybersecurity firm warned that anyone using Apache Struts is “likely to be vulnerable”.
Companies with servers confirmed so far to be vulnerable to Log4Shell attacks include Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent and Elastic, although hundreds, if not thousands, of other organizations are likely to be affected. None of the companies affected by the bug has so far responded to our request for comment.
Robert Joyce, director of cybersecurity at the NSA, confirms that GHIDRA, a free and open source reverse engineering tool developed by the agency, is also affected: “The Log4j vulnerability is a significant threat to recovery due to its widespread inclusion in software frameworks, including NSA GHIDRA,” he said.
New Zealand’s Computer Emergency Response Team (CERT), Deutsche Telekom’s CERT, and the GreyNoise web monitoring service have all warned that attackers are actively looking for servers susceptible to Log4Shell attacks. According to the latter, about 100 different hosts are scanning the internet for ways to exploit the Log4j security gap.
Kayla Underkoffler, Senior Security Technologist at HackerOne, told TechCrunch that this zero-day highlights the “threat that open source software poses as a growing proportion of the critical attack surfaces in the supply chain worldwide.”
“Open source software is behind almost every modern digital infrastructure, with the average application using 528 different open source components,” said Underkoffler. “The majority of high-risk open source vulnerabilities discovered in 2020 have also been in code for more than two years, and most organizations lack direct control over open source software within the supply chain to easily fix these vulnerabilities. Securing this often poorly funded software is essential for any company that depends on it.”
The Apache Software Foundation today released an emergency security update to address the zero-day vulnerability in Log4j, along with mitigation measures for those who cannot update immediately. The game developer Mojang Studios has also released an emergency security update for Minecraft to fix the bug.