Here is a range of thoughts from across the security industry, posted over the weekend, about the Log4Shell vulnerability…
Malwarebytes perhaps sums up the situation best with their post title: “Log4j zero-day “Log4Shell” arrives just in time to ruin your weekend”.
Given how common this library is and how serious the consequences of a relatively easy-to-exploit vulnerability can be, this is a recipe for disaster. Many organizations will not even realize they are vulnerable.
Bitdefender’s coverage, “Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately”, shows adversaries are wasting no time in identifying machines they can compromise.
Immediately after the Log4Shell PoC was released, adversaries started scanning the Internet, looking for vulnerable targets. Bitdefender honeypots are seeing attackers trying to compromise different web services. The number of total scans using Log4Shell has increased three-fold in a single day, meaning we most likely are just at the beginning. While most scans don’t have a particular target, around 20 percent of the attempts seem to search for vulnerable Apache Solr services.
In light of this, the Record by Recorded Future provides the good news of a patch in “Log4j zero-day gets security fix just as scans for vulnerable systems ramp up”, albeit a patch that arrives alongside public proof-of-concept code:
The patch—part of the 2.15.0 release—fixes a remote code execution vulnerability (CVE-2021-44228) disclosed yesterday on Twitter, complete with proof-of-concept code.
Talos’ Threat Advisory, “Critical Apache Log4j vulnerability being exploited in the wild”, also describes current mitigation options (tl;dr: patch aggressively).
Apache has released an updated version, Log4j 2.15.0. Talos encourages all customers to investigate their internal and third party usage of Log4j for vulnerable configurations and take remediation actions. If you are uncertain or unable to determine if your implementation is vulnerable, patch aggressively.
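The Talos advice above is to find every copy of Log4j you run and fix anything older than 2.15.0. As an added example (not code from Talos or from the original post), here is a small inventory check that walks a directory tree for log4j-core jars and flags any 2.x release below the patched version named on this page; it reads the version from the filename and falls back to the jar manifest, and it assumes a filesystem scan is adequate (bundled or shaded jars inside other archives are not unpacked).

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 15, 0)  # patched release named on the page for CVE-2021-44228
JAR_NAME = re.compile(r"^log4j-core-(\d+(?:\.\d+)*(?:-[\w.]+)?)\.jar$")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return None if not m else (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable_version(version):
    """True for a log4j-core 2.x release older than 2.15.0 (assumption: 1.x is out of scope here)."""
    v = parse_version(version)
    return v is not None and v[0] == 2 and v < FIXED_VERSION

def jar_version(jar_path):
    """Version from the filename, else Implementation-Version in the jar's MANIFEST.MF."""
    m = JAR_NAME.match(Path(jar_path).name)
    if m:
        return m.group(1)
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None  # not a readable jar, or no manifest inside it
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def find_vulnerable_jars(root):
    """Walk `root`; return sorted [(path, version)] for outdated log4j-core jars."""
    hits = []
    for jar in Path(root).rglob("*.jar"):
        if not jar.name.startswith("log4j-core"):
            continue  # the affected JndiLookup class ships in the log4j-core artifact
        version = jar_version(jar)
        if version and is_vulnerable_version(version):
            hits.append((str(jar), version))
    return sorted(hits)

def demo():
    """Constructed sample tree (not from the page): one outdated jar beside a patched one."""
    lib = Path(tempfile.mkdtemp()) / "app" / "lib"
    lib.mkdir(parents=True)
    (lib / "log4j-core-2.14.1.jar").touch()
    (lib / "log4j-core-2.15.0.jar").touch()
    return [version for _, version in find_vulnerable_jars(lib.parent.parent)]
```

Run `find_vulnerable_jars("/opt")` (or any deployment root) to list the jars that still need the 2.15.0 update; a renamed jar is still caught if its manifest carries an Implementation-Version.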
CVE-2021-44228 is going to continue to dominate the news headlines for some time to come. We will be following developments in our Obstracts feeds.