13.12.2021 - At the end of last week, a zero-day vulnerability in the popular Java library Log4j was disclosed. The security vulnerability is classified as critical, as the library is used in a great many Java applications. Moreover, the security vulnerability allows an attacker to execute arbitrary code remotely (remote code execution, or RCE). It is already being actively exploited by cybercriminals to infect vulnerable systems with malware. The NCSC recommends applying the security patches as quickly as possible.
Last Friday, the NCSC received reports of a critical security vulnerability in the popular Java library Log4j, which is widely used in many commercial and open-source software products.
The security vulnerability (CVE-2021-44228) is classified as critical, as it can be remotely exploited by an unauthenticated attacker to execute arbitrary malicious code. It is rated 10 (out of 10) in the Common Vulnerability Scoring System (CVSS), the scale used to express the severity of a vulnerability.
Quickly apply security patches
Since many third-party vendors use Log4j in their products, they have been working hard to release patches for them. In the past 48 hours, many manufacturers have released security patches for their products. We urge organisations and national critical infrastructures, as a matter of urgency, to check their software landscape for the use of Log4j and to apply the corresponding patches as quickly as possible. If patches cannot be applied, we recommend taking all possible remedial action to avoid further damage.
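One way to carry out the inventory step recommended above, as an added example that is not NCSC or GovCERT code: a Python scanner that walks a directory for JAR/WAR/EAR archives, recurses into nested JARs (fat JARs and WARs commonly bundle Log4j), and reports every log4j-core it finds with its version. The sample archives are constructed inside the code; the 2.15.0 threshold for CVE-2021-44228 is taken from the Apache advisory, not from this page, and each vendor's own fixed version should still be confirmed against that vendor's advisory.

```python
import io
import re
import zipfile
from pathlib import Path

# log4j-core 2.x below 2.15.0 is affected by CVE-2021-44228 (Apache advisory, not stated on this page)
FIXED_VERSION = (2, 15, 0)
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def parse_version(pom_text):
    """Return (major, minor, patch) from a Maven pom.properties 'version=' line, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_text, re.M)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def scan_archive(data, origin):
    """Find log4j-core in one archive; recurse into nested JARs (fat JARs, WARs, EARs)."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # something named .jar that is not a real zip: skip it
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == POM_PATH:
                ver = parse_version(zf.read(name).decode("utf-8", "replace"))
                findings.append((origin, ver, ver is not None and ver < FIXED_VERSION))
            elif name.lower().endswith(ARCHIVES):
                findings.extend(scan_archive(zf.read(name), f"{origin}!{name}"))
    return findings

def scan_tree(root):
    """Walk a directory; return (origin, version, affected) for every log4j-core found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings

def make_jar(entries):  # in-memory JAR (a zip) from {name: bytes}; only for the constructed sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample(root):  # constructed sample: a WAR bundling vulnerable log4j-core, a JAR with a patched one
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    inner = make_jar({POM_PATH: b"version=2.14.1\n"})
    (root / "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core.jar": inner}))
    (root / "tool.jar").write_bytes(make_jar({POM_PATH: b"version=2.15.0\n"}))
    return root
```

Run `scan_tree("/opt")` (or the root of any application install) to list every bundled log4j-core with its version and whether it is below the fixed version; archives that are not valid zips are skipped rather than aborting the scan.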
Private individuals also affected
But companies are not the only ones at risk. The Log4j library is also found in many network and system components used in the private sphere. It is therefore important for private individuals to keep their systems (computers, tablets, smartphones, WLAN routers, printers, etc.) up to date at all times or to ensure that they are regularly updated. In this way, the security patches that are provided by manufacturers on an ongoing basis are applied as quickly as possible.
Warnings for potentially affected organisations
The NCSC is currently in constant contact with national and international partners on this issue. On Saturday, we started to inform potentially affected organisations in Switzerland about vulnerable Log4j instances that are accessible via the internet. Such notifications were also sent to several national critical infrastructures.
Although the vulnerability could be used for targeted attacks on national critical infrastructures, the NCSC has not yet received any reports to this effect. The exploitation attempts we have observed so far have been used to spread mass malware such as Mirai, Kinsing and Tsunami (also known as Muhstik). These botnets are used primarily for DDoS attacks (Mirai, Tsunami) or for mining cryptocurrencies (Kinsing).
Recommendations and useful information
For system administrators, the NCSC has provided recommendations on how to proceed, as well as the list of indicators of compromise (IOCs) in the GovCERT blog:
Last modification 13.12.2021