Cybersecurity agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Wednesday released a joint advisory in response to widespread exploitation of multiple vulnerabilities in Apache's Log4j software library by nefarious adversaries.
"These vulnerabilities, especially Log4Shell, are severe," the intelligence agencies said in the new guidance. "Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. These vulnerabilities are likely to be exploited over an extended period."
An attacker can exploit Log4Shell (CVE-2021-44228) by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. CVE-2021-45046, on the other hand, allows for remote code execution in certain non-default configurations, while CVE-2021-45105 could be leveraged by a remote attacker to cause a denial-of-service (DoS) condition.
Since the vulnerabilities became public knowledge this month, unpatched servers have come under siege from ransomware groups to nation-state hackers, who have used the attack vector as a conduit to gain access to networks to deploy Cobalt Strike beacons, cryptominers, and botnet malware.
The U.S. Federal Bureau of Investigation's (FBI) assessment of the attacks has also raised the possibility that threat actors are incorporating the flaws into "existing cyber criminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques." In light of the severity of the vulnerabilities and likely increased exploitation, organizations are being urged to identify, mitigate, and update affected assets as soon as possible.
To that end, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released a scanner utility to identify systems vulnerable to the Log4Shell vulnerability, mirroring a similar tool released by the CERT Coordination Center (CERT/CC).
However, Israeli cybersecurity firm Rezilion, in an assessment published this week, found that commercial scanning tools were ill-equipped to detect all formats of the Log4j library in an environment due to the fact that the instances are often deeply nested in other code, revealing the "blindspots" in such utilities and the limitations of static scanning.
"The biggest challenge lies in detecting Log4Shell within packaged software in production environments: Java files (such as Log4j) can be nested a few layers deep into other files — which means that a shallow search for the file won't find it," Yotam Perkal, vulnerability research lead at Rezilion, said. "Furthermore, they may be packaged in many different formats which creates a real challenge in digging them inside other Java packages."
The public disclosure of Log4Shell has also led a number of technology suppliers to deploy patches for software that contain the flaw. The latest companies to issue updates are NVIDIA and HPE, joining a long list of vendors that have published security advisories detailing the products that are affected by the vulnerability.
The latest step taken by the governments arrives as the Apache Software Foundation (ASF) on Monday released updates for Apache HTTP Server to address two flaws — CVE-2021-44790 (CVSS score: 9.8) and CVE-2021-44224 (CVSS score: 8.2) — the former of which could be weaponized by a remote attacker to execute arbitrary code and take control of an affected system.