(Observer Network News) According to an Associated Press report on December 11, China's Alibaba Cloud security team discovered a vulnerability, named Log4Shell, in Log4j, an open source logging component under the web server software Apache. The vulnerability allows attackers to access a network server without a password.
Network security experts believe that this vulnerability is potentially very harmful and may even be "the largest vulnerability in computer history." Cloud services including those of Apple, Samsung and Steam may be affected. The Apache Software Foundation has rated this vulnerability as highest severity.
The latest warning issued by the Alibaba Cloud team on December 10
The incident began on the 24th of last month, when a member of the Alibaba Cloud team in China reported the vulnerability to Apache. Subsequently, the official computer emergency teams of Austria and New Zealand took the lead in warning of this vulnerability.
New Zealand said the vulnerability was being "actively exploited" and proof-of-concept code had been released.
The vulnerability exists in Log4j, a Java logging framework that is widely used in applications and network services. It is an in-program recording tool that saves a record of execution activity so that it can be checked when a problem occurs. Almost every network security system uses some kind of logging framework for recording, which is also why Log4j has such wide influence.
Joe Sullivan, chief security officer at cybersecurity management company Cloudflare, said the flaw allows malicious attackers to "remotely execute code" to gain access to other systems. Given how widely the Log4j software is used, this may be the "biggest vulnerability" yet.
On the 10th of this month, the alert expanded further. On the same day, Microsoft's game "Minecraft" issued an announcement stating that the Java version of the game was vulnerable to attacks and recommended that users take immediate measures to resolve security issues. Players can execute programs on other players' computers by pasting messages into the game's chat box.
On the same day, Sullivan said the company had seen a surge in malicious users using the vulnerability "in the past 6 to 10 hours."
Researchers at data security platform LunaSec found evidence that Steam, as well as Apple's cloud services, were affected, while Palo Alto Networks noted in a blog post that Twitter and Amazon have also come under attack.
Experts sternly warned of the potential harm of this vulnerability.
Adam Meyers, senior vice president of the network security company CrowdStrike, said that by the morning of the 10th, US time, hackers had "completely weaponized" the vulnerability, developing tools to exploit it and distributing them externally. He said that "the Internet is on fire right now," with criminals and hackers scrambling to exploit this vulnerability while network security personnel at major institutions race against time to patch it.
Amit Yoran, CEO of Tenable, another cybersecurity company, called Log4Shell "the largest and most critical single vulnerability in the past decade" and said it may even be "the most critical vulnerability in modern computer history."
The Associated Press commented that this vulnerability may be the most serious computer vulnerability discovered in recent years. Log4j is "ubiquitous" in cloud servers and enterprise software used across industry and government. Unless it is fixed, criminals, spies and even novice programmers can easily use this vulnerability to enter internal networks and steal information, plant malware and delete critical information.
The Apache Software Foundation has given this vulnerability the highest severity rating on a scale of 10.
Foreign social media users explained the importance of Log4j in the form of emoticons
Major companies have now begun to fix this vulnerability. According to McAfee, the world's largest network security company, the most important and complete mitigation method is to update Log4j to the stable version 2.15.0.
McAfee also plans to use additional services such as DNS to test variations of this vulnerability, and may update its document based on the results. Meanwhile, McAfee Enterprise has released a network signature, KB95088, for customers using NSP (Network Security Platform), which detects attackers' attempts to exploit the vulnerability.
On December 10, the Alibaba Cloud security team issued an announcement stating that a vulnerability bypass had been found in Apache Log4j 2.15.0-rc1 and urging users to update to the official release of Apache Log4j 2.15.0 in a timely manner.