date 2021-12-13

Log4Shell is a new zero-day vulnerability discovered last Thursday, when it was exploited to remotely compromise Minecraft servers. The vulnerability has been tracked as CVE-2021-44228 and assigned a severity level of 10 out of 10, since it can be exploited very easily and allows unauthenticated remote code execution.

The vulnerability specifically concerns Log4j, an open source Java-based event logging library available from Apache that is used by hundreds of thousands of apps, especially in the cloud, including software found in almost every business on the planet.

The compromise of the Minecraft servers was the first warning of a particularly serious problem, although some activity related to exploitation of the vulnerability had already been occurring since at least 2 December, according to the findings of Cisco Talos. The problem affects Log4j versions 2.0-beta-9 to 2.14.1 and has been fixed in version 2.15.0, available here. Installing the new version closes the flaw, but, as often happens in these situations, it cannot be taken for granted that the update will be applied as promptly as it should.

Event logging is the process by which an application keeps an updated record of the activities it performs, so that the record can be analysed later in the event of errors. Almost all network security systems keep some kind of event log, which gives libraries such as Log4j an almost unlimited reach.

The vulnerability is exploited by getting a special sequence of characters written to the log, as Cloudflare illustrated in detail in its analysis. And, as mentioned, it can be exploited easily: in the case of Minecraft, for example, it was possible to get that sequence logged simply by sending a message in the in-game chat.

Since the Minecraft servers were compromised, the security company GreyNoise has detected active scanning under way on the Internet attempting to identify vulnerable servers. Researchers stress that they have observed the vulnerability being exploited for various purposes: from installing cryptomining malware and enlarging Linux botnets to extracting data and configurations.

The severity of the vulnerability puts it on a par with past problems such as Heartbleed and ShellShock, although the ease of exploitation and the wide diffusion of Log4j make it a potentially much more dangerous threat.