Date: 2021-12-13

The vulnerability was discovered by the Alibaba Cloud security team, which reported it to Apache on November 24. For this reason, Apache disclosed it on the 10th, together with the release of the software that fixes the vulnerability. It also affects some configurations of Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.

Although most of the services we use on a daily basis have moved away from Java for logging in, many still use it. For example, it is still used to access Minecraft. A multitude of enterprise programs, web apps and server software from companies such as Apple, Amazon, Cloudflare, Twitter and Steam also use it.

In recent days we have learned of a serious vulnerability that has been named Log4Shell, or LogJam. A day after it became known, a proof-of-concept exploit for this zero-day vulnerability was published. The vulnerability affects the logging system of Apache Log4j, which is based on Java. Its severity is one of the highest, as it is an unpatched vulnerability that allows code to be executed remotely on affected devices.

Following the publication of the exploit on GitHub, multitudes of hackers have begun scanning the internet in search of vulnerable systems. If a service's logging system uses a version affected by the bug, an attacker can access the service without authentication.

All available solutions for the flaw

The bug, tracked as CVE-2021-44228, affects all Log4j versions from 2.0-beta9 (released in September 2013) through 2.14.1 (released March 2021). Therefore, practically every version from the last eight years is vulnerable. The 2.15.0 update released last week already fixes the vulnerability, and all subsequent versions will be protected.

If you have a version between 2.10 and 2.14.1, it is possible to mitigate the flaw by changing the value of “log4j2.formatMsgNoLookups” to “true”, or by removing the JndiLookup class from the classpath. However, it is advisable to update as quickly as possible to avoid falling victim to the attacks that are being launched on systems around the world. Cybereason researchers have also released a “vaccine” package called Logout4Shell, which makes use of the vulnerability itself to change the setting that allows it to be exploited, leaving the device protected.
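The version range and the two mitigations described above can be checked against a log4j-core JAR file. The following is an added example, not code from the original article or from the Log4j project; it assumes an unmodified Maven-built JAR that carries its version in pom.properties, and `make_jar` builds constructed sample archives so the check runs offline.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the release

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag, tag_n = m.groups()
    return (int(major), int(minor), int(patch or 0), RANK[tag], int(tag_n or 0))

FIRST_BAD, LAST_BAD, FLAG_FROM = (parse_version(v) for v in ("2.0-beta9", "2.14.1", "2.10"))

def assess(jar):
    """jar: path or file-like object. Returns (version, status)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    if not m:
        return (None, "unknown: no log4j-core version metadata")
    version = m.group(1).strip()
    v = parse_version(version)
    if not FIRST_BAD <= v <= LAST_BAD:
        return (version, "outside affected range")
    if JNDI_CLASS not in names:
        return (version, "in range, JndiLookup class removed")
    if v >= FLAG_FROM:
        return (version, "vulnerable: upgrade, or set log4j2.formatMsgNoLookups=true")
    return (version, "vulnerable: upgrade, or remove JndiLookup class")

def make_jar(version, with_jndi=True):
    """Constructed sample: a minimal zip that mimics the log4j-core JAR layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.8.2", True), ("2.15.0", True)]:
        print(assess(make_jar(ver, jndi)))
```

Shaded or repackaged JARs may omit pom.properties and are reported as unknown. The formatMsgNoLookups setting lives in the JVM configuration, so this file check cannot tell whether it has already been applied.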

With these attacks, more vulnerable devices and systems will be discovered. Most of the infections that we are going to see will seek to introduce ransomware into systems in order to demand ransoms in cryptocurrencies.

This weekend it became known that the Ingenuity helicopter, launched together with Perseverance, uses Log4j. So technically, if the data packets it sends to Earth can be intercepted and decrypted, it would be possible to hack into the robot and control it remotely. However, all traffic reaching Earth is encrypted.

Because of how dangerous it can be to update software on an inaccessible device, they may decide not to patch it. The most sensible thing in this case is to change the “log4j2.formatMsgNoLookups” configuration setting, thus avoiding possible attacks without having to update the software.

In short, it is recommended that you update. You can find out if you are affected by the vulnerability with Log4Shell-Detector.