Black Arrow Cyber Advisory – Java Log4Shell Vulnerability – The Maximum Severity Christmas Humbug

Executive Summary

Log4Shell, a critical zero-day actively exploited in the wild, has been found after a series of Minecraft servers fell victim. The bug impacts Java, an almost ubiquitous software that’s found in billions of devices across the globe, from the enterprise to the home. In an extremely rare but warranted move, Log4Shell has been given a 10 out of 10 on the Common Vulnerability Scoring System (CVSS) scale, owing to its ability to be remotely executed and the potential for pandemic level damage. 

What’s the risk to my business?

Java report their use on billions of devices, from computers, printers, routers and mobile phones to cash machines, ticket machines and credit card readers – the list is endless. The likelihood of a device running Java in your environment somewhere is high.

What can I do?

Discuss with your Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. Equally, keeping devices at home or elsewhere up to date is an important step to mitigation, both for your professional and private life.

Technical Summary

The bug, tracked as CVE-2021-44228, was first discovered when a remote-code attack compromised a series of Minecraft servers, one of the most popular Java-based games of all time. The source of the bug was Log4J, a logging utility used by millions of applets across billions of devices. Using the vulnerability, threat actors can craft a request to force the applet to interpret a log as a URL, which is then fetched and executed with full privileges. The exploit can be triggered inside text using “${}”, allowing for their injection in commonly logged attributes like user agents.

Need help understanding your gaps, or just want some advice? Get in touch with us.