CISA, FBI, and NSA have published a joint advisory and a scanner for Log4j vulnerabilities, in response to the widespread exploitation of multiple vulnerabilities in Apache's Log4j software library by malicious adversaries.
According to the agencies, “These vulnerabilities, especially Log4Shell, are severe. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. These vulnerabilities are likely to be exploited over an extended period.”
CVE-2021-44228 (Log4Shell) can be exploited by submitting a crafted request to a vulnerable system, leading to the execution of arbitrary code on that system. CVE-2021-45046 allows remote code execution in certain non-default configurations, and CVE-2021-45105 can be used by remote attackers to carry out a DDoS attack.
Since the vulnerabilities came to light, unpatched servers have come under siege from actors ranging from ransomware groups to nation-state hackers. These actors are using the flaws as a conduit to gain access to networks and deploy Cobalt Strike beacons, crypto miners, and botnet malware.
According to the U.S. Federal Bureau of Investigation (FBI), attackers are incorporating the flaws into “existing cybercriminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques.” With exploitation attempts increasing, organizations are urged to identify, mitigate, and update affected assets as soon as possible.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released a scanner utility to identify systems vulnerable to the Log4Shell vulnerability. The tool is identical to one released by the CERT Coordination Center (CERT/CC).
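Identifying affected assets starts with knowing which log4j-core versions are on disk. The following Python inventory check is an added illustration, not CISA's scanner or any code from the advisory: it reads the version recorded in each log4j-core jar and reports which of the three advisory CVEs still apply, using the Log4j 2.x main-line fix versions 2.15.0, 2.16.0 and 2.17.0; the jar files it scans in `demo()` are constructed samples.

```python
import re, tempfile, zipfile
from pathlib import Path

# Log4j 2.x main-line versions in which each advisory CVE was fixed.
FIXED_IN = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0),
            "CVE-2021-45105": (2, 17, 0)}
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def affected_cves(version):
    """Return the advisory CVEs that still apply to a log4j-core version."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return []  # log4j 1.x or unparsable: out of scope here
    if v[:2] in ((2, 3), (2, 12)):  # Java 6/7 branches got separate backports
        return ["check-backport-branch"]
    return [cve for cve, fixed in FIXED_IN.items() if v < fixed]

def log4j_core_version(jar_path):
    """Read the version from the Maven pom.properties inside a log4j-core jar."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None  # not a plain log4j-core jar (shaded/nested jars need more)
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def scan_tree(root):
    """Map each log4j-core jar under root to (version, outstanding CVEs)."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        try:
            ver = log4j_core_version(jar)
        except zipfile.BadZipFile:
            continue  # corrupt or non-zip file named .jar
        if ver:
            findings[jar.name] = (ver, affected_cves(ver))
    return findings

def demo():
    """Constructed sample: two fake log4j-core jars written to a temp directory."""
    root = Path(tempfile.mkdtemp())
    for ver in ("2.14.1", "2.17.0"):
        with zipfile.ZipFile(root / f"log4j-core-{ver}.jar", "w") as zf:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={ver}\n")
    return scan_tree(root)
```

Jars embedded inside .war/.ear archives or repackaged (shaded) jars are not inspected, and the 2.3.x and 2.12.x backport branches are flagged for manual review rather than rated.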
The governments reached this decision after the Apache Software Foundation (ASF) released updates for Apache HTTP Server 2.4.51 to address two flaws: CVE-2021-44790 (CVSS score 9.8) and CVE-2021-44224 (CVSS score 8.2). CVE-2021-44790 can be weaponized by a remote attacker to execute arbitrary code and take control of an affected system.