Critical vulnerability in Java library "Log4j
A zero-day vulnerability in the widely used Java library "Log4j" became known at the end of last week. The vulnerability is classified as critical because the library is built into very many Java applications.
Last Friday, NCSC received reports of a critical vulnerability in the popular Java library "Log4j". The library is widely used in many commercial and open source software products.
The vulnerability (CVE-2021-44228 1) is criticalas it can be exploited remotely by an unauthenticated attacker to execute arbitrary malicious code. The criticality of the vulnerability is rated 10 (out of 10) in the Common Vulnerability Scoring System (CVSS), which indicates the severity of the vulnerability.
Apply security patches quickly
Since many third-party vendors use "Log4j" in their products, they are working hard to release patches for their products. In the past 48 hours, many vendors have published security patches for their products. NCSC urges organizations and national critical infrastructures to review their software landscape for use of "Log4j" and apply the appropriate patches as soon as possible. If patching is not possible, it is recommended that all possible remedial actions be taken to prevent further damage.
Private individuals also affected
But not only companies are at risk. The "Log4j" library is also present in many network and system components used in the private sector. It is therefore important for private individuals to keep their systems (computers, tablets, smartphones, WLAN routers, printers, etc.) up to date at all times and to ensure that they are updated regularly. In this way, the security patches that are continuously made available by the manufacturers can be installed as quickly as possible.
Warnings to potentially affected organizations
The NCSC is in constant contact with national and international partners on the issue, he said. On Saturday, the National Cyber Security Center began notifying potentially affected organizations in Switzerland about vulnerable "Log4j" instances accessible via the Internet. Such notifications were also sent to several national critical infrastructures.
Although the vulnerability could be used for targeted attacks on national critical infrastructures, the NCSC has not received any reports of this to date. The exploitation attempts observed so far have been used to spread mass malware such as "Mirai2," "Kinsing3," and "Tsunami3" (also known as Muhstik). These botnets are primarily used for DDoS attacks (Mirai, Tsunami) or for mining cryptocurrencies (Kinsing).
Recommendations and helpful information
For system administrators, NCSC has provided recommendations on how to proceed on GovCERT's blog, as well as the list of indicators of possible compromise (IOCs):
Blog GovCERT: Zero-Day Exploit Targeting Popular Java Library Log4j (available in English)
Source: NCSC
