The Australian, Canadian, New Zealand, U.S., and U.K. cyber security agencies released a joint advisory on Wednesday in response to the widespread exploitation of multiple vulnerabilities in Apache’s Log4j software library by malicious actors.
“These vulnerabilities, especially Log4Shell, are severe,” the intelligence agencies stated in the new guidance. Cyber threat actors are actively scanning networks for vulnerabilities such as Log4Shell, CVE-2021-45046, and CVE-2021-45105. These vulnerabilities will likely be exploited over an extended period. Log4Shell (CVE-2021-44228) can be exploited by sending a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. CVE-2021-45046, on the other hand, allows remote code execution in certain non-default configurations, while CVE-2021-45105 could be used by a remote attacker to cause a denial-of-service (DoS) condition.
Since the vulnerabilities were made public this month, unpatched servers have been targeted by ransomware groups and nation-state hackers, who have used the attack vector to install Cobalt Strike beacons, crypto miners, and botnet malware.
Moreover, the FBI’s assessment indicates that threat actors may have incorporated the vulnerabilities into “existing cybercriminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques.” As a result of the severity of the exploits and likely increased exploitation, organizations are being encouraged to identify, mitigate, and update affected assets as soon as possible.
In addition, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner utility to identify systems vulnerable to the Log4Shell vulnerability, following a similar tool released by the CERT Coordination Center (CERT/CC).
Nevertheless, Israeli cybersecurity firm Rezilion, in an assessment published this week, found that commercial scanning tools were not able to detect all formats of the Log4j library because instances are often deeply nested in other code, exposing the “blind spots” in such utilities and the limitations of static scanning. As a result, it is challenging to detect Log4Shell in packaged software in production environments. “Java files (such as Log4j) can be nested a few layers deep, so a shallow search for the file will not find it,” says Yotam Perkal, vulnerability research lead at Rezilion. “Additionally, they may be packaged in many different formats, making it difficult to find them inside other Java packages.”
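The nesting problem Perkal describes is exactly what a file-name search misses: a vulnerable log4j-core jar sitting inside an application jar that itself sits inside a .war. The script below is an added example, not the CISA, CERT/CC or Rezilion tool. It descends into archives found inside other archives, looks for the log4j-core Maven version marker and the JndiLookup class, and flags versions below a fixed-version threshold that is assumed for the example (2.17.0). The sample .war it builds in memory is constructed for the demonstration.

```python
import io
import re
import zipfile
from pathlib import Path

# Archive types that Java applications commonly bundle inside one another.
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Markers inside a log4j-core archive: the class that performs JNDI lookups
# (the code path abused by Log4Shell) and the Maven properties file that
# carries the exact version string.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Assumed threshold for this example: versions below it are treated as affected.
FIXED_MIN_VERSION = (2, 17, 0)


def parse_version(text):
    """Turn 'version=2.14.1' style pom.properties content into a tuple."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None


def scan_archive(data, display_path, depth=0, max_depth=8):
    """Recursively inspect an archive held in memory, descending into nested jars.

    Returns a list of findings: (nested path, version tuple or None,
    whether JndiLookup.class is present).
    """
    findings = []
    if depth > max_depth:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPERTIES in names:
        version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append((display_path, version, has_jndi))
    # Recurse into every embedded archive (e.g. WEB-INF/lib/*.jar inside a .war).
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(
                scan_archive(zf.read(name), f"{display_path}!/{name}", depth + 1, max_depth)
            )
    return findings


def scan_path(root):
    """Walk a directory tree and scan every top-level archive found in it."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(p.read_bytes(), str(p)))
    return findings


def is_vulnerable(finding):
    """Decide whether a finding needs attention under the assumed threshold."""
    _, version, has_jndi = finding
    if version is None:
        # No version marker: treat the mere presence of JndiLookup as suspect.
        return has_jndi
    return version < FIXED_MIN_VERSION


def build_sample_war():
    """Constructed artefact: a .war embedding app.jar embedding a log4j-core jar."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in entries.items():
                z.writestr(name, content)
        return buf.getvalue()

    log4j = make_zip({
        POM_PROPERTIES: "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",  # placeholder bytes, not a real class file
    })
    inner = make_zip({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        "lib/log4j-core-2.14.1.jar": log4j,
    })
    return make_zip({"WEB-INF/lib/app.jar": inner})


if __name__ == "__main__":
    for f in scan_archive(build_sample_war(), "sample.war"):
        print(f, "VULNERABLE" if is_vulnerable(f) else "ok")
```

Running the script reports the log4j-core jar three levels deep, with the path written in the `outer!/inner` form so the location can be traced back for remediation. Point `scan_path()` at a deployment directory to scan real artefacts; the version threshold and the handling of jars without a version marker are the two policy choices to adjust for your environment.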
Several technology vendors have also released patches for software that contains the flaw following the public disclosure of Log4Shell. NVIDIA and HPE are the latest companies to issue security advisories, joining a long list of vendors that have released information about their products affected by the vulnerability.
The Apache Software Foundation (ASF) has released updates for Apache HTTP Server 2.4.51 to address two vulnerabilities – CVE-2021-44790 (CVSS score: 9.95) and CVE-2021-44224 (CVSS score: 8.2) – the former of which could be weaponized by a remote attacker to execute arbitrary code and take control of an affected system.