In response to the widespread exploitation of several vulnerabilities in Apache’s Log4j software library by malicious actors, cybersecurity authorities from Australia, Canada, New Zealand, the United States, and the United Kingdom recently issued a joint alert.
“These vulnerabilities, especially Log4Shell, are severe,” the intelligence agencies explained in the new guidance. “Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. These vulnerabilities are likely to be exploited over an extended period.”
Log4Shell (CVE-2021-44228) lets an attacker execute arbitrary code on a susceptible machine by sending it a specially crafted request. CVE-2021-45046 allows remote code execution in non-default configurations, and CVE-2021-45105 can be used by a remote attacker to cause a denial-of-service (DoS) condition.
Since the vulnerabilities were made public earlier this month, unpatched servers have been attacked by everyone from ransomware groups to nation-state hackers, who have used the flaws to gain access to networks and deploy Cobalt Strike beacons, cryptominers, and botnet malware.
According to the FBI’s assessment, the attacks also raise the prospect that threat actors are incorporating the vulnerabilities into existing cybercriminal schemes and adopting increasingly complex obfuscation tactics. Given the severity of the vulnerabilities and the likelihood of escalating exploitation, organizations are urged to identify, remediate, and upgrade vulnerable assets as quickly as possible.
To that end, the US Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner utility to identify systems vulnerable to Log4Shell, similar to the tool from the CERT Coordination Center (CERT/CC).
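As an added illustration (not the CISA or CERT/CC tool, and not code from this article), here is a small version-based check of the kind such scanners perform on discovered log4j-core jars: it reads the Maven pom.properties inside the jar, compares the version with the release that fixed each of the three CVEs, and records whether the JndiLookup class has been removed. The fixed versions (2.15.0, 2.16.0, 2.17.0) are those for the main 2.x/Java 8+ release line; the 2.12.x and 2.3.x backport branches are not modelled, and the sample jars are constructed in memory for testing.

```python
import io
import re
import zipfile

# Release that fixed each CVE on the main log4j 2.x (Java 8+) line; the 2.12.x
# and 2.3.x backport branches are deliberately not modelled here.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),  # Log4Shell: JNDI lookup leads to RCE
    "CVE-2021-45046": (2, 16, 0),  # RCE in non-default configurations
    "CVE-2021-45105": (2, 17, 0),  # recursive lookup denial of service
}
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.strip().split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def assess_log4j_core(jar_bytes):
    """Return None if the jar is not log4j-core, otherwise its version, whether
    JndiLookup.class is still present, and the CVEs it remains exposed to."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES not in names:
            return None
        props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
        version = next(line.split("=", 1)[1].strip()
                       for line in props.splitlines() if line.startswith("version="))
        jndi_present = JNDI_LOOKUP_CLASS in names
    parsed = parse_version(version)
    affected = []
    for cve, fixed in FIXED_IN.items():
        if parsed >= fixed:
            continue  # this release already contains the fix
        # Deleting JndiLookup.class is the documented mitigation for the two
        # JNDI-based issues; it does nothing for the recursive-lookup DoS.
        if not jndi_present and cve != "CVE-2021-45105":
            continue
        affected.append(cve)
    return {"version": version, "jndi_lookup_present": jndi_present, "affected": affected}

def make_sample_jar(version, include_jndi_lookup=True):
    """Constructed test data: a minimal in-memory jar shaped like log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

In practice the jar bytes come from walking the filesystem (and from nested jars inside WAR/EAR archives), and a jar with JndiLookup.class removed still needs the upgrade to close CVE-2021-45105.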
The Apache Software Foundation (ASF) has published fixes for Apache HTTP Server 2.4.51 to address two vulnerabilities: CVE-2021-44790 (CVSS score: 9.8) and CVE-2021-44224 (CVSS score: 8.2). A remote attacker could use the former to execute arbitrary code and take control of the affected system.