On Log4j Vulnerability, CISA, FBI and NSA publish joint advisory : Cybercrime Awareness Society


The cybersecurity agencies of Australia, Canada, New Zealand, the United States and the United Kingdom issued a joint advisory on Wednesday in response to widespread exploitation of multiple vulnerabilities in Apache’s Log4j software library by malicious actors.

“These vulnerabilities, particularly Log4Shell, are serious,” the agencies said in the new guidance. Cybercriminals are actively scanning networks for vulnerabilities such as Log4Shell, CVE-2021-45046 and CVE-2021-45105, and these vulnerabilities will likely be exploited over an extended period of time. Log4Shell (CVE-2021-44228) can be exploited by sending a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. CVE-2021-45046, on the other hand, allows remote code execution in certain non-default configurations, while CVE-2021-45105 could be used by a remote attacker to cause a denial of service (DoS) condition.

Since the vulnerabilities were made public this month, unpatched servers have been targeted by ransomware groups and nation-state hackers, who have used the attack vector to install Cobalt Strike beacons, crypto miners and botnet malware.

Additionally, the FBI’s assessment indicates that the threat actors may have integrated these vulnerabilities into “existing cybercriminal systems that seek to adopt increasingly sophisticated obfuscation techniques.” Due to the severity of the exploits and likely increased exploitation, organizations are encouraged to identify, mitigate, and update affected assets as soon as possible.

Separately, the US Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner utility to identify systems vulnerable to Log4Shell, similar to a tool released earlier by the CERT Coordination Center (CERT/CC).

Nonetheless, Israeli cybersecurity firm Rezilion, in an assessment published this week, found that commercial analysis tools were not able to detect all formats of the Log4j library, because instances are often deeply nested within other code, exposing the “blind spots” of these utilities and the limits of static analysis. As a result, Log4Shell is difficult to detect in packaged software in production environments. Java files (such as Log4j) can be nested a few layers deep, so a superficial search of the file won’t find it, says Yotam Perkal, head of vulnerability research at Rezilion. Additionally, they can be packaged in many different formats, making them difficult to find in other Java packages.
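The nesting problem Rezilion describes is concrete: a `log4j-core` jar sitting inside a WAR inside an EAR is invisible to a scanner that only lists files on disk. The following Python scanner is an added example written for this article, not the CISA or CERT/CC utility mentioned above and not Rezilion's tooling. It opens each archive in memory, descends into every archive nested inside it, reads the version from the Maven `pom.properties` that `log4j-core` ships, and notes whether `JndiLookup.class` is present. The sample EAR it scans is constructed in memory; the threshold of 2.17.0 reflects the first Log4j 2 release (Java 8 line) that addresses all three CVEs the advisory names (2.15.0 fixed CVE-2021-44228, 2.16.0 fixed CVE-2021-45046, 2.17.0 fixed CVE-2021-45105), and the path and function names are my own choices.

```python
"""Recursive scan of Java archives for bundled Log4j 2 components.

Added example for this article; not the CISA, CERT/CC or Rezilion scanner.
Archives nested inside archives (jar-in-war-in-ear) are descended into,
which is exactly where a flat file listing stops short.
"""
import io
import os
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Maven metadata that the log4j-core jar carries in its own META-INF tree
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class behind the JNDI lookup used by CVE-2021-44228; its absence is a sign
# that the widely published class-removal mitigation was applied
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# First release addressing CVE-2021-44228, -45046 and -45105 on the Java 8 line
FIXED_VERSION = (2, 17, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def scan_archive(data, path):
    """Inspect one archive (as bytes) and every archive nested inside it.

    Returns a list of findings, one per log4j-core component located.
    `path` uses '!' to separate nesting levels, e.g. app.ear!app.war!x.jar.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to descend into
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else "unknown"
            parsed = parse_version(version)
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup": JNDI_CLASS in names,
                "affected": parsed is not None and parsed < FIXED_VERSION,
            })
        # Recurse into nested archives regardless of their directory
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_directory(root):
    """Walk a directory tree and scan every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full))
    return findings


def make_zip(members):
    """Build a zip archive in memory from {name: str_or_bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed sample (not a real artifact): an EAR holding a WAR that
    bundles log4j-core 2.14.1 three levels deep, plus a patched 2.17.0 jar
    at the top level of the EAR."""
    vulnerable = make_zip({
        POM_PROPS: "groupId=org.apache.logging.log4j\n"
                   "artifactId=log4j-core\nversion=2.14.1\n",
        JNDI_CLASS: b"\xca\xfe\xba\xbe",  # placeholder bytes, not a real class
    })
    patched = make_zip({
        POM_PROPS: "groupId=org.apache.logging.log4j\n"
                   "artifactId=log4j-core\nversion=2.17.0\n",
    })
    war = make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable})
    return make_zip({"app.war": war, "lib/log4j-core-2.17.0.jar": patched})


if __name__ == "__main__":
    for finding in scan_archive(build_sample(), "sample.ear"):
        print(finding)
```

Run against a real deployment with `scan_directory("/path/to/app/servers")`; the `!`-separated path in each finding tells you which outer archive has to be rebuilt, and a finding with `jndi_lookup` false but `affected` true is a build where the class was stripped but the library was never upgraded, which still leaves CVE-2021-45105 open.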

Several technology vendors have also released patches for software containing the Log4Shell flaw since its public disclosure. NVIDIA and HPE are the latest companies to issue security advisories, joining a long list of vendors that have released information about their products affected by the vulnerability.

The Apache Software Foundation (ASF) has released updates for Apache HTTP Server 2.4.51 to address two vulnerabilities, CVE-2021-44790 (CVSS score: 9.95) and CVE-2021-44224 (CVSS score: 8.2), the first of which could be used by a remote attacker to execute arbitrary code and take control of an affected system.
