H-ISAC TLP White: Log4j Vulnerability Affects Multiple Apache and Legacy Services; Exploit Code Publicly Released

December 10, 2021

Proof-of-concept exploit code for a critical zero-day vulnerability, designated CVE-2021-44228, in the Apache Log4j Java-based logging library has been released publicly, exposing enterprises and services to remote code execution (RCE) attacks.

The Health-ISAC Threat Operations Center has released a brief survey regarding your observed experiences with this vulnerability; please use the link here. Your assistance is greatly appreciated. This alert contains additional technical details and recommendations, which can be accessed below.

Log4j, and its successor Log4j2, are developed by the Apache Foundation and are widely used by both enterprise apps and cloud services for logging purposes. Systems and services that use Log4j between versions 2.0-beta9 and 2.14.1 are all affected by CVE-2021-44228, which includes many services and applications written in Java. The vulnerability allows for repeated and reliable unauthenticated remote code execution in targeted environments.

The vulnerability was first discovered in the popular Java-based game Minecraft but researchers warn that other cloud applications are also vulnerable. Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. That means that a large number of third-party apps may also be vulnerable to exploits that carry the same high severity as those threatening Minecraft users.

In analyzing CVE-2021-44228, security firm Randori determined the following:


  • Default installations of widely-used enterprise software are vulnerable to CVE-2021-44228.
  • CVE-2021-44228 can be exploited reliably and without authentication.
  • CVE-2021-44228 affects multiple versions of Log4j 2.
    • The United States Cybersecurity and Infrastructure Security Agency (CISA) Cyber Information Sharing and Collaboration Program (CISCP) has stated that CVE-2021-44228 affects Log4j versions 2.0-beta9 to 2.14.1.
  • CVE-2021-44228 allows for remote code execution as the user running the application that utilizes the library.
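As an added example (not part of the H-ISAC advisory or of any vendor tooling), the following Python script inventories jar files on a host and flags any bundled log4j-core whose version falls in the affected range the advisory cites, 2.0-beta9 through 2.14.1. It assumes the standard Maven `pom.properties` path inside log4j-core jars; it reports only the bundled version and cannot tell whether a mitigation has already been applied.

```python
import re
import zipfile
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Affected range as stated in the advisory (CVE-2021-44228).
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # final releases get rank 3

def version_key(version: str) -> Tuple[int, ...]:
    """Sortable tuple for a Log4j 2 version; pre-release tags (beta9, rc1) sort before the final."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, tag_num = m.groups()
    rank = _PRERELEASE_RANK[tag.lower()] if tag else 3
    return (int(major), int(minor), int(patch or 0), rank, int(tag_num or 0))

def is_affected(version: str) -> bool:
    """True when the version lies inside the range the advisory lists as affected."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)

# Assumption: standard Maven packaging records the artifact version at this path inside the jar.
_POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def log4j_core_version(jar_path: Path) -> Optional[str]:
    """Return the log4j-core version bundled in a jar, or None (also for corrupt/non-jar files)."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if _POM_PROPERTIES not in jar.namelist():
                return None
            for line in jar.read(_POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        return None
    return None

def scan(root: Path) -> Iterator[Tuple[Path, str, bool]]:
    """Walk a directory tree; yield (jar, version, affected) for each jar bundling log4j-core."""
    for jar in root.rglob("*.jar"):
        version = log4j_core_version(jar)
        if version is not None:
            yield jar, version, is_affected(version)
```

Run `scan(Path("/opt/app/lib"))` over an application's library directory and prioritise the rows where `affected` is True.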

"There are already several reports of malicious servers performing Internet-wide scans in an attempt to locate vulnerable servers. Due to the ease of exploitation and the breadth of applicability, we suspect ransomware actors will begin leveraging this vulnerability immediately," said the Randori security team.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272