The flaw zeroday CVE-2021-44228, baptized with the name of Log4Shell, represents a serious cybersecurity issue that will take months, or even years, to be able to be completely resolved due to its spread and the ease of exploitation of the flaw itself: the opinion on which various computer security researchers converge after Log4Shell came to light on Thursday 9 December.

The US Cybersecurity and Infrastructure Security Agency also expressed itself on the subject, underlining that the vulnerability affects hundreds of millions of devices and that “no single action will solve the problem”, specifying that it is a mistake to think that things can be fixed “in a week or two “. CISA warns that the vulnerability will likely be used as springboard for various and sophisticated types of attack and compromise, and that the time to run for cover effectively is really limited.

Recall that Log4Shell is a vulnerability that concerns the open-source Java tool Log4j, widely used for logging operations on an endless number of applications and services, and which allows remote code execution without authentication. Its diffusion therefore extremely vast, which associated with the ease of exploitation of the flaw makes Log4Shell a particularly serious threat, even higher than HeathBleed, EternalBlue or ShellShock.

If, at least for now, the vulnerability appears to have been exploited primarily to deliver cryptomining malware, security researchers expect to see an evolution in the type of attacks. The ability to easily execute unauthenticated remote code opens up a wide range of possibilities for attackers. Steve Povolny, Head of Advanced Threat Research for McAfee Enterprise and FireEye, noted that in the face of the growing number of activities following the discovery of the flaw, it is reasonable to assume that many realities may already have been compromised. Povolny also warns of the possibility of observing an evolution of the attacks.

Sean Gallagher, researcher for Sophos, specifically points out that the vulnerability can be exploited by attackers trying to install remote access and persistence tools and that it is already used to try to expose the keys used by Amazon Web Service accounts.

hearing folks appears # log4shell is “as bad as heartbleed” – imo it’s much, much worse. aside from having RCE as the impact, the number of interdependencies around log4j (and particularly the age of them) is orders of magnitude higher – cje (@caseyjohnellis) December 11, 2021

Second Casey John Ellis, security expert and founder of Bugcrowd, the problem is much more serious than HeartBleed, as the diffusion of log4j and the various interdependencies are “orders of magnitude higher.” Florian Roth by Nextron Systems speaks of “0day cluster bomb”, which is that Log4Shell is a vulnerability that can potentially cause hundreds and thousands of other zeroday flaws in all kinds of software.

What people seem to miss:

The # Log4Shell vulnerability isn’t just a RCE 0day.

It’s a vulnerability that causes hundreds and thousands of 0days in all kinds of software products.

It’s a 0day cluster bomb. pic.twitter.com/Cij9kK4Cvg – Florian Roth ⚡️ (@ cyb3rops) December 11, 2021

And in particular with regard to the spread of the problem, Jaana Dogan, Principal Engineer for AWS, to provide additional context:

A project with a footprint like Log4j is not possible to avoid as a transient dependency even if you dont directly import it. Log4j is a canonical logging utility for a huge ecosystem. Its current radius is beyond doing due diligence. https://t.co/FqSr68x7JL – Jaana Dogan ヤ ナ ド ガ ン (@rakyll) December 13, 2021

The immediate action to be taken to eliminate the flaw is to update Log4j at least to version 2.15.x which requires Java 8. Those who are unable to update Log4j due to complex interdependencies can resort to some partial and temporary solutions, well summarized in this extensive and in-depth compendium on Log4Shell.