Scary news has hit the tech scene regarding newly discovered Apache log4j Security Vulnerabilities that threaten the safety and stability of millions of applications that use java. According to reports hackers have already started taking advantage of the Apache Zero Day exploit, which was found in the CVE-2021-44228 LogJam library. The security issue has been given a CVSS security level of 10 out of 10, which means it’s incredibly dangerous.
What Does the Apache log4j Security Vulnerabilities Allow Hackers to Do?
As aforementioned this new Apache Zero Day exploit focuses on the CVE-2021-44228 Log4Shell library, which allows Remote Code Execution. Investigations show that hackers can add one extra string of code into the Apache Library, which then allows them to upload any kind of code they want using the ‘Message Lookup Substitution’ function. When this happens on a server hackers can take over an entire system, and have an entire company at their mercy.
Alibaba Cloud Security team employee Chen Zhaojun is credited with discovering the Apache Log4j Security vulnerability.
What Makes the Apache log4j Security Vulnerabilities More Dangerous Then Previous Zero Day Exploits?
The scariest part about the Apache CVE-2021-44228 LogJam exploit is the simplicity of it, along with the popularity of the library itself. Due to the fact that it only takes one string of code to take advantage of the Log4j security issue, investigators claim that even a hacker with little experience can successfully launch an attack to take over a server.
In addition, the Apache Log4j Library is one of the most popular error logging systems used by developers. Many major software companies and websites such as, Twitter, Amazon, Apple iCloud, Cloudflare, Cisco, Tesla, and many more use Log4j library, which means they are all susceptible to the CVE-2021-44228 Log4Shell exploit.
How to Prevent the Apache log4j Security Vulnerabilities From Affecting your Applications
The way to prevent the Apache Log4j security vulnerability exploit from affecting your systems is very simple. According to the Apache Foundation updating your library version to 2.15.0, will mitigate attacks. The new version has altered code that prevents hackers from using the ‘Message Lookup Substitution’ function that is required for them to be able to upload arbitrary code. The only issue with that is in some cases updating the Log4j library is currently not possible depending on the type of software or service using it.
Authors: JordanThrilla Staff