On Thursday (December 9th), a 0-day exploit was discovered in the popular Java logging library log4j (version 2) that results in Remote Code Execution (RCE) when a specially crafted string is logged. Billions of devices and software components worldwide have been affected by this log4j Remote Code Execution vulnerability.
Because this exploit is so simple to carry out, we anticipate hearing more about it in the coming months.
Given the prevalence of this library, the consequences of exploitation (full server control), and the ease with which it can be exploited, the impact of this vulnerability is quite severe.
For short, we're calling it "Log4j."
Because Log4j is embedded in widely used Apache-related frameworks, the vulnerability's spread could be unprecedented.
At the moment, the potential for exploiting the vulnerability is difficult to quantify. That said, RCE attacks are among the most dangerous that any system can face.
Randori discovered the following when investigating CVE-2021-44228:
- Default installations of commonly used enterprise software are vulnerable.
- The vulnerability can be reliably exploited without authentication.
- Multiple versions of Log4j 2 are affected by the flaw.
- The vulnerability permits remote code execution with the privileges of the user running the application that uses the library.
IS DUALOG IMPACTED?
Good news! Since Dualog does not use Java in any of our client code, we are not vulnerable and there will be no customer impact. Some of our internal systems do, however, use Java.
However, the vulnerability cannot be exploited there, as the logging performed by these systems is isolated from external users, hackers, and customers.
Nevertheless, we will take action to remove the vulnerability from these systems as well.
We are continuing to monitor this issue and will determine whether additional action is required. This article will be updated if additional information becomes available.
WHAT ACTIONS SHOULD I TAKE?
No action is required on your side or the ship's side.
WHERE CAN I FIND MORE INFORMATION?
You can find additional information on this vulnerability here:
- Apache Software Foundation: Apache Log4j Security Vulnerabilities
- National Vulnerability Database: CVE-2021-44228
If you require more information, please do not hesitate to contact Dualog Support at firstname.lastname@example.org.