A new zero-day vulnerability in the popular Java logging framework Log4j has been discovered which has the potential to affect Minecraft, iCloud, Steam and numerous other software products that use Java in their code.
Tracked as CVE-2021-44228, the vulnerability is especially dangerous because it can be exploited to run arbitrary code and requires very little skill for an attacker to pull off. Since Apache's Log4j is almost ubiquitous in Java applications, software maintainers need to act immediately and patch it to avoid falling victim to attacks.
To put this vulnerability into context, a similar one was used in the 2017 hack of Equifax which led to the personal data of 149.7m people being exposed online.
This new exploit could end up being even more dangerous though as Log4j has been widely adopted in most of the Java ecosystem.
According to a new blog post from Sonatype, news of the Log4j exploit broke when a vulnerability Proof of Concept (PoC) was published in a GitHub repository and made public.
The vulnerability affects Apache Log4j versions 2.0 through 2.14.1, and at the time of writing there have already been reports of it being successfully exploited on some Java 11 runtimes. Thankfully, Apache has published a fix, but software makers will still need to install it to protect their customers.
This vulnerability affects any application that uses Log4j for logging, including popular games such as Minecraft, where Sonatype has already seen evidence of it being exploited via the game's built-in chat functionality. Just as with previous remote code execution attacks, there is also strong evidence that hackers and other cybercriminals have begun mass scanning the internet for applications in which the vulnerability has yet to be patched.
Organizations using Log4j in their software should upgrade to the latest version, 2.15, immediately; it is available from Maven Central.
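The first step for most organizations is simply finding out whether log4j-core in the affected range is declared in their builds. The script below is an added example, not code from the article or from Sonatype: it parses a Maven pom.xml, resolves `${...}` property references, and flags `org.apache.logging.log4j:log4j-core` versions between 2.0 and 2.14.1 (the range the article gives), recommending the 2.15 fix. The pom.xml content is constructed for the example, and the property resolution is deliberately simple (no parent POM, no dependencyManagement, no transitive dependencies).

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Maven pom.xml files.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
POM_TAG = "{http://maven.apache.org/POM/4.0.0}"

# Affected range as reported in the article: Log4j 2.0 through 2.14.1; fixed in 2.15.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
FIXED_VERSION = "2.15.0"

# major.minor[.patch][-qualifier], e.g. 2.14.1, 2.0-beta9, 2.13.0-SNAPSHOT
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]([A-Za-z0-9]+))?$")


def parse_version(version):
    """Return (major, minor, patch) for a Maven-style version string.
    Qualifiers such as '-beta9' or '-rc1' are ignored on purpose, so
    pre-release builds inside the range are treated conservatively as affected."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if a log4j-core version lies in the 2.0 .. 2.14.1 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def _resolve(value, properties):
    """Expand ${prop} references using the POM's own <properties> block.
    Unknown properties are left untouched so the caller can see them."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: properties.get(m.group(1), m.group(0)),
                  value).strip()


def find_log4j_core(pom_xml):
    """Scan a pom.xml string and return [(artifactId, resolved version, affected)]
    for every org.apache.logging.log4j:log4j-core dependency it declares."""
    root = ET.fromstring(pom_xml)
    properties = {}
    props = root.find("m:properties", POM_NS)
    if props is not None:
        for child in props:
            properties[child.tag.split("}", 1)[-1]] = (child.text or "").strip()

    findings = []
    for dep in root.iter(POM_TAG + "dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        version = _resolve(dep.findtext("m:version", default=None, namespaces=POM_NS), properties)
        if group == "org.apache.logging.log4j" and artifact == "log4j-core" and version:
            findings.append((artifact, version, is_affected(version)))
    return findings


def report(pom_xml):
    """One human-readable line per log4j-core dependency found."""
    lines = []
    for artifact, version, affected in find_log4j_core(pom_xml):
        status = f"AFFECTED - upgrade to {FIXED_VERSION}" if affected else "not in affected range"
        lines.append(f"{artifact} {version}: {status}")
    return lines


# Constructed sample pom.xml (hypothetical project, not from the article).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-service</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for line in report(SAMPLE_POM):
        print(line)
```

Because log4j-core is very often pulled in transitively rather than declared directly, a check of the declared dependencies alone is not sufficient; the full resolved tree (for example from `mvn dependency:tree`) and the jars actually shipped in deployed artifacts need the same version check.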
Brian Fox, CTO of Sonatype, provided further insight on the Log4j vulnerability and the potential impact it could have worldwide in an email to TechRadar Pro, saying:
“This new Log4j vulnerability is likely going to be another ‘flashbulb memory’ event in the timeline of significant vulnerabilities. It is the most widely used logging framework in the Java ecosystem. The scope of affected applications is comparable to the 2015 commons-collection vulnerability (CVE-2015-7501) because attackers can safely assume targets likely have this on the classpath. The impact is comparable to previous Struts vulnerabilities, like the one that impacted Equifax, because the attacks can be done remotely, anonymously without login credentials, and leads to a remote exploit. The combination of scope and potential impact here is unlike any previous component vulnerability I can readily recall.”
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.