[sf-lug] Log4j CVE-2021-4422 - yes, the real deal (e.g. NVD: Base Score: 10.0 CRITICAL)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Tue Dec 14 23:51:07 PST 2021

> From: aaronco36 <aaronco36 at SDF.ORG>
> Date: Wed, 15 Dec 2021 01:26:01 +0000 (UTC)

> And on a (hopefully) completely-unrelated subject, are the recent  
> announcements of this CVE-2021-44228 security flaw [2][3] in  
> Apache's Log4j (a.k.a. "Log4Shell"[4][5]) yet more dubious alerts

It's the real deal.  See e.g.:
They don't give 10 out of 10 vulnerability rating for trivial
securit risks.

Lots of IT folks have been scrambling to deal with that one.
It's very widely used/deployed, it's a pretty big gaping hole,
and pretty easy to exploit.  That doesn't mean it's necessarily
exposed and vulnerable "everywhere" ... but there is a lot of
risk and exposure out there.  E.g. run arbitrary commands, in many
cases, relatively easily from the network ... that's a big deal.

And, yeah, it'll be interesting to see how it plays out over the
coming months.  If I'm not mistaken, from what I've gathered from
at least reasonably reliable sources ... it's only been publicly
known, to any significant extent, since sometime this past
Thursday US/Pacific time.  And it had not yet been patched
or formal security announcements out quite yet - or barely
by about then.  Though at least some mitigations were known
and that information went out around the same time.  Patches
following later - so that's a "zero day" - publicly disclosed
vulnerability before there's a patch.  And at least from what
I've heard, it was being actively exploited (though perhaps not
on large scale ... yet), as early as 2021-12-01.  And, for those
asleep at the switch, that have vulnerability and exposure, expect
that attacks leveraging the vulnerability will grow in numbers/scope,
and sophistication.  Many also fail to well and properly check.  I've
already seen multiple cases of folks that ought now better, proudly
declaring "we're all good now here" ... when that was not - at least
yet - the case.  E.g. I've found a non-trivial percentage of
"declared to be good" ... that weren't ... yet.

> [2]https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
> [3]https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> [4]https://techcrunch.com/2021/12/13/the-race-is-on-to-patch-log4shell-as-attacks-begin-to-rise/
> [5]https://www.zdnet.com/article/log4j-update-experts-say-log4shell-exploits-will-persist-for-months-if-not-years/

More information about the sf-lug mailing list