Update: Discovery of a new way of exploiting the Log4j critical security vulnerability

17.12.2021 - A new way of exploiting the Log4j security vulnerability allows attackers to execute arbitrary code remotely (remote code execution, or RCE). The security vulnerability is already being actively exploited by cybercriminals. The NCSC urgently recommends applying the security patches as soon as possible.

Update of 17 December 2021

Following the announcement of another critical security vulnerability (CVE-2021-45046) in the Java library Log4j on 14 December 2021, cybercriminals have discovered a new way of exploiting this vulnerability. The security vulnerability is classified as critical, as arbitrary code can be executed remotely (remote code execution, or RCE). The patch 2.16.0, which has been available since this week, renders the new approach impossible. Therefore, where this has not already been done, the NCSC urgently recommends applying the security patches as quickly as possible and keeping all systems up to date at all times.

The vulnerability is already being exploited for targeted attacks. As yet, the NCSC has not received any reports from those affected.

Recommendations for system administrators

For system administrators, the NCSC regularly supplements its recommendations on how to proceed and the list of indicators of compromise (IOCs) in the GovCERT blog.

An update from the Apache Software Foundation can be found on its website.

Recommendations for private individuals

Keep your systems (computers, tablets, smartphones, WLAN routers, printers, etc.) up to date at all times and ensure that all installed system components are regularly updated.

Announcement of 13 December 2021

Last Friday, the NCSC received reports of a critical security vulnerability in the popular Java library Log4j, which is widely used in many commercial and open-source software products.

The security vulnerability (CVE-2021-44228) is classified as critical, as it can be remotely exploited by an unauthenticated attacker to execute arbitrary malicious code. The criticality of the security vulnerability is rated 10 (out of 10) in the Common Vulnerability Scoring System (CVSS), which indicates the severity of the vulnerability.

Quickly apply security patches

Since many third-party vendors use Log4j in their products, they have been working hard to release patches for them. In the past 48 hours, many manufacturers have released security patches for their products. We urge organisations and operators of national critical infrastructures, as a matter of urgency, to check their software landscape for the use of Log4j and to apply the corresponding patches as quickly as possible. If patches cannot be applied, we recommend taking all possible remedial action to avoid further damage.

Private individuals also affected

But companies are not the only ones at risk. The Log4j library is also found in many network and system components used in the private sphere. It is therefore important for private individuals to keep their systems (computers, tablets, smartphones, WLAN routers, printers, etc.) up to date at all times or to ensure that they are regularly updated. In this way, the security patches that are provided by manufacturers on an ongoing basis are applied as quickly as possible.

Warnings for potentially affected organisations

The NCSC is currently in constant contact with national and international partners on this issue. On Saturday, we started to inform potentially affected organisations in Switzerland about vulnerable Log4j instances that are accessible via the internet. Such notifications were also sent to several national critical infrastructures.

Although the vulnerability could be used for targeted attacks on national critical infrastructures, the NCSC has not yet received any reports to this effect. The exploitation attempts we have observed so far have been used to spread mass malware such as Mirai, Kinsing and Tsunami (also known as Muhstik). These botnets are used primarily for DDoS attacks (Mirai, Tsunami) or for mining cryptocurrencies (Kinsing).

Recommendations and useful information

For system administrators, the NCSC has provided recommendations on how to proceed, as well as the list of indicators of compromise (IOCs), in the GovCERT blog.

Last modification 17.12.2021


https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/log4j_update.html