A zero-day vulnerability in a major Java logging library has been discovered, and a variety of prominent services are susceptible to it, including Apple iCloud, Twitter, Cloudflare, Minecraft, and Steam. The flaw, nicknamed “Log4Shell” by LunaSec and attributed to Alibaba’s Chen Zhaojun, was discovered in Apache Log4j, an open-source logging library used in a wide range of apps, websites, and services. Log4Shell was initially identified in Microsoft’s Minecraft, but LunaSec cautions that owing to Log4j’s “ubiquitous” presence in practically all major Java-based corporate apps and servers, “many, many services” are vulnerable to this attack. The cybersecurity firm cautioned in a blog post that anyone who uses Apache Struts is “certainly vulnerable.”
Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent, and Elastic are among the companies whose servers have been verified to be vulnerable to the Log4Shell attack so far, and there are likely hundreds, if not thousands, more. Cloudflare said in a statement that it has updated its systems to prevent attacks and that it has seen no indication of exploitation. The NSA’s GHIDRA, a free, open-source reverse engineering tool, is also affected, according to Robert Joyce, director of Cybersecurity at the agency. “The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, including NSA’s GHIDRA,” he said.
Attackers are actively scanning for servers vulnerable to Log4Shell attacks, according to the Computer Emergency Response Team (CERT) of New Zealand, Deutsche Telekom’s CERT, and the Greynoise online monitoring service. According to the latter, around 100 different hosts are scanning the internet for ways to exploit the Log4j vulnerability.
This zero-day, according to Kayla Underkoffler, a senior security technologist at HackerOne, underlines the “danger that open source software provides as an increasing component of the world’s important supply chain attack surfaces.”
“Open source software lies at the heart of practically all current digital infrastructures,” according to Underkoffler. “The typical application uses 528 different open source components.”
“The bulk of high-risk open source vulnerabilities revealed in 2020 has been in code for more than two years, and most firms lack direct control over open-source software inside supply chains to easily repair these vulnerabilities,” according to the report. “Securing this software, which is frequently underfunded, is critical for any company that relies on it.”
The Apache Software Foundation has published an emergency security update today to address the zero-day vulnerability in Log4j, along with mitigation instructions for those who are unable to upgrade right now. Game maker Mojang Studios has also published an emergency Minecraft security update to remedy the flaw.