[German]The Log4Shell vulnerability in the Log4j library, which can be exploited in Java, is presumably present in many systems and software packages. The problem is likely to affect us for years to come, experts estimate, and it has not yet reached SMEs. The Department of Homeland Security (DHS) also addressed the Log4j issue again this week in a recommendation.
The Log4J vulnerability
Log4j is a JAVA library used in numerous JAVA packages. In the log4j library, the vulnerability CVE-2021-44228 was discovered in the JNDI lookup function in 2021. The JNDI lookup function of log4j allows the retrieval of variables via the JNDI – Java Naming and Directory Interface. After all, I had reported the vulnerability affecting numerous systems in the blog post 0-day CVE-2021-44228 in Java library log4j puts many projects at risk.
On December 9, 2021, a Proof of Concept (PoC) for the remote code execution vulnerability in log4j was published. The PoC requires only a few lines of code with which to write a string in the form of a URL to the log file. The directory service JNDI then contacts the LDAP server listed in the log to request data from it. This can also include Java classes, which are then executed. If an attacker succeeds in specifying the URL to a server he controls in the log file, he can hijack a server via logging (Log4Shell).
DHS warns against Log4j
Updates for vulnerability CVE-2021-44228 have been available since 2021, and (successful) attacks have also been observed in the following weeks. But many companies and authorities have not yet recognized the threat posed by the vulnerability and have not patched affected applications or devices.
Experts therefore believe that the vulnerability could be with us for decades to come, see, for example, this article from The Register and this article linked from the above tweet. The Department of Homeland Security (DHS) revisited the Log4j issue this week in a review of December 2021 events and makes recommendations.
Log4J in medium-sized companies not on the radar
The security vulnerability known as "Log4J" could still cause damage in numerous small and medium enterprises (SMEs). This is indicated by the results of a survey commissioned by the German Insurance Association (GDV). "Only 40 percent of medium-sized companies checked their software after the security vulnerability became known," says GDV CEO Jörg Asmussen. Only 28 percent of the representative SMEs surveyed by Forsa stated that they had also checked their own systems for malware that had already penetrated them.
In case of doubt, companies could also lose their cyber insurance coverage if hackers attack via a long known but still unclosed IT vulnerability. Roger Scheer, Regional Vice President for Central Europe at Tenable comments:
When Log4Shell (CVE-2021-44228) was first identified over six months ago, it shook the IT security community. The fact that over half a year later, more than half of German SMEs are still in the dark about whether it has been affected in their software and is therefore a security risk is worrying.
The problem is that while it's really difficult to sift through all the applications and services that use the vulnerable library, at the same time it's easy for criminals to exploit it if necessary. In December, when the vulnerability was first identified, Tenable's telemetry found that 10% of all assessed assets were vulnerable – that's not 10% of organizations, but 10% of the applications and associated devices used there – including a variety of servers, web applications, containers and IoT devices. One in ten elements of our digital infrastructure had the potential for Log4Shell exploitation at that time.
Given the ease of exploitation and broad attack surface available, attackers will continue to use the vulnerability to gain a foothold to trigger targeted security breaches or automate opportunistic ransomware attacks unless enterprises finally address Log4j proactively.
Cybercriminals had already exploited the Log4J vulnerability for various forms of attack. In some cases, they misused the computing power of affected systems to calculate cryptocurrencies such as Bitcoin, integrated the computers into botnets for DDoS attacks, or encrypted data to extort a ransom. In addition, there is a risk that the vulnerability was already used for an initial infection with malware before a security update has been applied. Attackers could then continue to attack IT systems even after the vulnerability has been closed. To prevent such attacks, the secured IT systems should be thoroughly checked for any malware.
0-day CVE-2021-44228 in Java library log4j puts many projects at risk
log4j vulnerability CVE-2021-44228: Patch your Minecraft
VMware products threatened by log4j vulnerability CVE-2021-44228
log4j FAQ and Repository
Belgian Ministry of Defense affected by Log4j?
QNAP firmware update version QTS 22.214.171.1241 build 20211221 and log4j vulnerability
Log4j security messages (12/28/2021)
Windows Defender: Fixes, Issues and Log4j scanner false alarms
RCE vulnerability – similar to log4j – discovered in H2 (Java) database system
Attacks on VMWare Horizon servers with log4j vulnerability
Cookies helps to fund this blog: Cookie settings