A critical security vulnerability in the java library Log4j has been identified. This vulnerability is very easy to exploit and the number of systems that are vulnerable is massive. The Cybersecurity and Infrastructure Security Agency (CISA) has created a guidance page that will be frequently updated as new information is discovered. This vulnerability is being widely exploited and every organization should be actively working to prevent exploitation and detect malicious activity.
From the CISA Advisory:
This RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that “do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints.”
An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.