Minecraft Exploits?

Log4j is an open-source logging tool that is used in many apps. Several websites reported last Thursday that exploit code had been released for a serious vulnerability in it.

The vulnerability first came to light on sites that cater to users of Minecraft, the most popular game ever. The sites warned that hackers could execute malicious code on Java Minecraft clients or servers by manipulating log messages, including chat messages. As Log4j was identified as the source of the vulnerability and exploit code was posted online, the picture got more dire.

HD Moore, CTO and founder of the Rumble network discovery platform, stated that the Minecraft side seemed like a storm. "However, I believe we will continue to see affected devices and applications being identified for a long period. This is a huge deal for environments that are tied to older Java runtimes: web front ends for various network appliances, legacy API-based application environments, and Minecraft servers, due to their dependence on older Java versions for mod compatibility."

There are already reports of servers performing Internet-wide scans to find vulnerable servers.

Log4j can be integrated into many popular frameworks such as Apache Struts2, Apache Solr and Apache Druid. This means that many third-party apps could also be at risk from exploits of the same severity as those threatening Minecraft users.

Little was known about the vulnerability at the time of this post's publication. GitHub was one of the first sources to provide a tracking number, stating that it was CVE-2021-44228. Cyber Kendra, a security firm, reported late Thursday that a Log4j RCE zero-day had been dropped on the Internet. Moore agreed that there are "many popular systems that are affected."

The vulnerability has not been disclosed by the Apache Foundation, and representatives didn't reply to an email. The Apache page acknowledges the recent fix of a serious vulnerability. Moore and other researchers believe that the Java deserialization flaw is caused by Log4j sending network requests to an LDAP server through JNDI and then executing any code returned. The bug can be triggered by log messages that contain the ${} syntax.

LunaSec also reported that Java versions higher than 6u211 and 7u201 are less likely to be affected by the attack vector, because in those versions JNDI cannot load remote code via LDAP. Hackers might still be able to work around this protection by using classes already present in the target application; success would depend on whether any dangerous gadgets are present. Newer Java versions may therefore still prevent code execution, but this will depend on each application.

Spigot gaming forum stated that Minecraft versions 1.8.8 to the latest 1.18 release were all vulnerable. Wynncraft and other popular game servers are also at risk. Hypixel, a news site and gaming server, advised Minecraft players to be extra cautious.

Site representatives stated that the issue could allow remote access to your computer via the servers you log in to. This means that any public server you log into can be hacked.

It is difficult to reproduce exploits for this vulnerability within Minecraft because success depends on both the Minecraft version and the Java framework that the Minecraft app runs on. Exploits are easier against older Java versions, which have fewer security protections built in.

Minecraft released a new version on Friday that addresses the vulnerability.

Microsoft said in a statement that it was aware of discussions about a Log4j remote code execution vulnerability that could affect various Apache products across the industry. "We have taken all necessary steps to protect our customers, including rolling out a fix for Java Edition 1.18.1. Customers who apply this fix are protected."

For those who can't install the fix right away, Spigot and other sources have said that adding the JVM flag -Dlog4j2.formatMsgNoLookups=true neutralizes the threat for most Java versions. Spigot and other services have already added the flag to the games they make accessible to users.

To add the flag, users should go to their launcher, open the installations tab, select the installation in use, click "..." > "Edit" > "MORE OPTIONS", and paste -Dlog4j2.formatMsgNoLookups=true at the end of the JVM flags.

This vulnerability can enable high-impact attacks against many apps and services, and people should stay aware of it for the moment. Minecraft users should avoid unknown servers and untrustworthy users. People using open source software should check whether it relies on Log4j or Log4j2 for logging. This is a breaking story. If more information becomes available, updates will be made.
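
One way to carry out that check, as an added example that is not from the article or from any project it names: a Python script that walks a directory and reports every jar, including jars nested inside other jars, that contains log4j-core's JndiLookup class, plus a helper that tests a JVM argument string for the flag quoted above. The function names and the choice of JndiLookup.class as the marker are assumptions of this example.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup inside log4j-core 2.x (marker chosen for this example).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # flag quoted in the article


def find_in_archive(source, label, max_depth=4):
    """Return labels of every (possibly nested) archive that contains JndiLookup.

    source is a filesystem path or a file-like object; max_depth bounds nesting.
    """
    hits = []
    try:
        with zipfile.ZipFile(source) as zf:
            names = zf.namelist()
            if JNDI_LOOKUP in names:
                hits.append(label)
            if max_depth > 0:
                for name in names:
                    if name.lower().endswith(ARCHIVE_SUFFIXES):
                        inner = io.BytesIO(zf.read(name))
                        hits += find_in_archive(inner, f"{label}!/{name}", max_depth - 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # unreadable, corrupt or encrypted archive: skip it, keep scanning
    return hits


def scan_tree(root):
    """Walk a directory and report every archive that bundles JndiLookup."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            hits += find_in_archive(path, str(path))
    return hits


def has_mitigation_flag(jvm_args):
    """True if the JVM argument string carries the flag exactly, set to true."""
    return MITIGATION_FLAG in jvm_args.split()


if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("log4j-core JndiLookup found in", hit)
```

A hit only shows that the library is bundled; whether the installation is still exposed depends on the fix or flag described above having been applied.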