On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string.
LunaSec
Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We’re calling it “Log4Shell” for short.
The 0-day was tweeted along with a POC posted on GitHub. It has now been published as CVE-2021-44228.
This post provides resources to help you understand the vulnerability and how to mitigate it.
Lord have mercy.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said of the Apache Log4j flaw. The issue is an unauthenticated remote execution vulnerability that could allow an intruder to take over an affected device.
CyberScoop
Hundreds of millions of devices are likely to be affected, said Jay Gazlay of CISA’s vulnerability management office in the call with critical infrastructure owners and operators.
Hundreds of millions!