As some of you may know, a severe vulnerability was discovered in Log4j, a Java logging package. This ubiquitous package is bundled into many products, including Apache and Apple products. Worse yet, the component is so widely used that it is believed to be present in multiple components within a single application.
This means that security teams worldwide are likely to be dealing with this vulnerability for a while, possibly for years. The following products are known to be affected:
- Apple
- Steam
- Tesla
- Apache applications (e.g. Apache Struts, Solr and Druid)
- Redis
- ElasticSearch
- Video games (e.g. Minecraft)
- UniFi controller platform
The impact:
The severity cannot be overstated: exploitation can be as simple as copying and pasting a payload. An attacker who exploits this vulnerability can gain remote access to vulnerable endpoints. This gives the attacker a foothold on the network from which to gain high-level privileges on a mission-critical server, or could potentially result in a network-wide compromise.
Furthermore, this vulnerability is being actively scanned for, and there are reports of active breaches involving strains of malware. Whilst there are no high-profile reports of ransomware, it is only a matter of time.
The remediation:
Those running products with vulnerable Log4j versions should upgrade to version log4j-2.15.0.rc2 immediately. In addition, it is highly recommended to read the resource labelled “Technical information.” Huntress has created a tool to identify Log4j in applications, and information is being added to their article as it is discovered.
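As an added example of the "identify Log4j in your applications" step (this is not the Huntress tool or any code from the original post), the Python script below walks a directory tree, reads the log4j-core version from the Maven pom.properties that genuine Log4j jars carry, checks whether the JndiLookup class is bundled, and flags anything below the 2.15.0 upgrade target named above; the in-jar paths are standard Log4j ones, while the sample jars it builds for its demo are constructed fixtures, not real builds.

```python
import os, re, tempfile, zipfile
# Paths inside a genuine log4j-core jar; the version in pom.properties is authoritative.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # the upgrade target named in the advisory above

def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)  # '2.15.0-rc2' -> (2, 15, 0), None if absent
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_jar(path):
    # Returns None for jars without log4j-core content, otherwise a finding dict.
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    m = re.search(r"^version=(.+)$", props, re.M)
    version = parse_version(m.group(1)) if m else None
    if version is None and os.path.basename(path).startswith("log4j-core-"):
        version = parse_version(os.path.basename(path))  # no pom.properties: trust the file name
    has_jndi = JNDI_CLASS in names
    if version is None and not has_jndi:
        return None
    # Unknown version plus a bundled JndiLookup (e.g. a shaded fat jar) is flagged for review.
    vulnerable = has_jndi and (version is None or version < FIXED)
    return {"path": path, "version": version, "vulnerable": vulnerable}

def scan(root):
    # Walk root and yield a finding for every jar that carries log4j-core content.
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar") and (info := inspect_jar(os.path.join(dirpath, name))):
                yield info

def build_sample_jar(path, version=None, with_jndi=True):
    # Constructed fixture: a minimal jar mimicking log4j-core's layout (not a real build).
    with zipfile.ZipFile(path, "w") as jar:
        if version:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode

def demo():
    # Scan a constructed tree: an old jar, a patched jar, a shaded jar and an unrelated jar.
    root = tempfile.mkdtemp()
    build_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    build_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
    build_sample_jar(os.path.join(root, "app-all.jar"), None, with_jndi=True)
    build_sample_jar(os.path.join(root, "other-1.0.jar"), None, with_jndi=False)
    return {os.path.basename(f["path"]): f["vulnerable"] for f in scan(root)}
```

Point `scan()` at an application's install directory to get the inventory; on real hosts you would also want to catch `zipfile.BadZipFile` for corrupt jars and look inside nested jars (WAR/EAR files), which this short version does not do.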