Thanks to Detectify Crowdsource hackers, Detectify quickly developed a security test to detect Critical vulnerability CVE-2021-44228 Apache log4j RCE. This vulnerability has set the internet alight over the past few days. Right now, exploit developers and security researchers are still understanding the potential capabilities provided by the vulnerability. Detectify received a working POC for this critical 0-day vulnerability from the Crowdsource community on Friday.

A newly published critical vulnerability in Apache’s widely popular Log4j Java library, CVE-2021-44228 (CVSS score 10) was published over the weekend, causing a lot of concern.

On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified, (Dubbed “Log4Shell” by researchers), affecting massive amounts of servers all over the world. As this vulnerability gains high traction worldwide, it’s important to note, that not only internet facing java applications are vulnerable, as user input can traverse to another non-internet facing machines and exploit these as well.

Updated 12/20/21 On December 9, 2021, Apache published a zero-day vulnerability (CVE-2021-44228) for Apache Log4j being referred to as “Log4Shell”. This “critical” vulnerability (CVSS score: 10) allows a remote attacker to take control of an affected system. When exploited, this vulnerability allows an attacker to run arbitrary code on the device, giving full control over to the attacker.

On Dec 9th, a critical zero-day vulnerability - CVE-2021-44228 - was announced concerning the Java logging framework - Log4j All current versions of log4j2 up to 2.14.1 are vulnerable. To remediate this vulnerability, please update to version 2.15.0 or later.

A critical vulnerability in the popular log4j library is currently being actively targeted on a broad global scale and possibly exploited based on advisories from multiple CERTs and vendors: CISA, Apache, etc. This Java library is integrated into many IT and DevOps tooling and workflows. On Dec 10, 2021, Apache released version 2.15.0, fixing CVE-2021-44228 (dubbed Log4Shell) an RCE with a maximum CVSSv3 score of 10.

On December 10th, 2021, the National Vulnerability Database (NVD) published the CVE-2021-44228 documenting a vulnerability in the Apache log4j library Java Naming and Directory Interface (JNDI) lookup feature allowing for remote code execution by an attacker who is able to manipulate log messages. A proof of concept was released on December 9th, 2021, and active scanning and exploitation attempts have increased through the time of the publishing of this brief.

A previously unknown zero-day vulnerability in Log4j 2.x has been reported on December 9, 2021. If your organization deploys or uses Java applications or hardware running Log4j 2.x your organization is likely affected.

To understand how Elastic is currently assessing internal risk of this vulnerability in our products please see the advisory here.