Cybersecurity Threat Advisory: Critical Java Zero-Day Vulnerability

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.

This week there is a new critical alert that requires the mission-critical community’s immediate attention.

Advisory Overview

A critical remote code vulnerability has emerged in Log4j, a Java logging package that is used in numerous software products and platforms from organizations like Apache, Apple, Twitter, Tesla, and Steam. This vulnerability impacts almost every Java application that writes logs using this library. Apache has released a patch for this vulnerability, which is being tracked as CVE-2021-44228. MCP recommends applying this patch immediately to protect your organization.

CVE-2021-44228 is a remote code execution (RCE) vulnerability. A cyberattacker could exploit this vulnerability to execute remote commands, which would enable them to run anything they wanted on a vulnerable device. This could lead to data leakage or even complete system compromise, which can lead to denial of service.

Because there is a proof of concept available for this vulnerability, MCP’s cybersecurity team is expecting to see more cyberattacks that attempt to exploit vulnerable users.

Why Is it Noteworthy?

As stated earlier, this vulnerability affects any application that uses Log4j for logging. This includes software from Apache, Apple, Twitter, Tesla, Steam, ElasticSearch, Redis, and many video games (such as Minecraft). This gives cyberattackers an incredibly wide scope of potential targets. This exploit’s ramifications are so large that it is being considered a “shellshock” vulnerability.

Cyberattackers always are looking out for these types of widely exploitable vulnerabilities. This RCE exploit is one of the biggest to surface recently. It is very important to keep services updated and apply patches as they are released to prevent cyberattackers from accessing and damaging your systems.

What Is the Risk?

This exploit could enable cyberattackers to execute remote code on an impacted device. RCE could lead to several possible compromises, such as data leakage, denial-of-service attacks, and even complete system compromises. Because this vulnerable library is used in so many different applications, cyberattackers are not necessarily looking for a particular target. Rather, it only takes one line of text to trigger this attack, so cyberattackers are spraying this around everywhere they can, hoping to find vulnerable applications.

If a machine is compromised, cyberattackers could gain access to sensitive information by executing arbitrary system commands and even creating or deleting files. Log4j is used for logging on many different applications, many of which are used and trusted by businesses and individuals worldwide. The expectation is that any data stored in these applications remain private and that these applications will be available to conduct everyday business. This vulnerability could put these applications at risk if exploited by cyberattackers, so it is very important to ensure that all patches are applied.

What Are the Recommendations?

The full list of impacted versions of the Log4j library is as follows:

• All Log4j 2.x versions before 2.15.0 (which was released on Friday, December 10, 2021) are affected.
• Java virtual machine (JVM) versions lower than:
  • Java 6 – 6u212
  • Java 7 – 7u202
  • Java 8 – 8u192
  • Java 11 – 11.0.2

Also, you should upgrade to log4j-2.1.50.rc2 immediately if your organization uses Apache log4j.

Additionally, it is up to certain vendors to apply this patch to their applications, so keep an eye out for any application updates. This resource is tracking vulnerable components/applications: https://github.com/YfryTchsGD/Log4jAttackSurface.

References

For more in-depth information about the recommendations, please visit the following links:

• https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/
• https://logging.apache.org/log4j/2.x/download.html
• https://github.com/YfryTchsGD/Log4jAttackSurface
• https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228

If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety and justice entities and other critical infrastructure organizations, to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.

Mike Beagles is MCP's director of IT and cybersecurity services. He can be reached here.