Log4Shell is a 0-day vulnerability in the Log4j Java library that allows attackers to download and run scripts on targeted servers, leaving them open to complete remote control. After a user posted a proof-of-concept (PoC) on Twitter, Bitdefender’s honeypots started to register attacks using the PoC, underlining just how severe this vulnerability is.
Log4j is not just another Java library. It’s embedded in servers and services from all over the world, used by companies such as Apple, Amazon, Cloudflare, Steam, various Apache server types, ElasticSearch, and many others.
As 0-day vulnerabilities go, Log4Shell (CVE-2021-44228) has a 10/10 rating, which means that attackers can remotely exploit it without any input from the victim, and it doesn’t require high-level technical expertise to pull it off.
The Apache Software Foundation issued an emergency patch, and now Log4j 2.15.0 is available to everyone.
“JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default,” explain the developers in the release notes.
It’s difficult to estimate the massive impact Log4Shell will have because historically patches (even for high-severity threats) take time for everyone to apply, if ever. We commonly see attacks successfully executed using fixed vulnerabilities that are two or three years old.
Immediately after the Log4Shell PoC was released, adversaries started scanning the Internet, looking for vulnerable targets. Bitdefender honeypots are seeing attackers trying to compromise different web services. The number of total scans using Log4Shell has increased three-fold in a single day meaning we most likely are just at the beginning. While most scans don’t have a particular target, around 20 percent of the attempts seem to search for vulnerable Apache Solr services.
When Bitdefender’s global honeypot network experiences a marked spike in activity, it usually means attackers are actively looking for ways to weaponize a newly discovered vulnerability as soon as possible. Most of the scans we are seeing now are coming from Russia-based IP addresses.
Bitdefender recommends all companies using the Log4j library upgrade as soon as possible to the latest version. The traffic generated in the honeypots indicates that attackers know about the vulnerability and how widespread the library is. We believe we’re witnessing only the start of a very long campaign.