A new actively exploited vulnerability has been discovered that can be used against a number of services, including Apple's iCloud, Valve's Steam, Microsoft's Minecraft, and more.
The vulnerability, CVE-2021-44228, exists in the widely used Java library Apache Log4j. It's classified as a severe zero-day flaw and, if exploited, could allow attackers to perform remote code execution and gain control of affected servers.
According to users on the programming subreddit, many companies are scrambling to patch the vulnerability. AppleInsider has confirmed through sources not authorized to speak on the matter that efforts are being made across the industry to either assess the impact, or actively apply patches.
"Get into work tomorrow?" wrote one user in response to a post suggesting engineering teams would need to patch the vulnerability Friday. "My coworkers are patching it right the hell now, with me on standby and checking up on their patched work."
According to CERT New Zealand, it appears that the vulnerability is already being actively exploited in the wild. Cybersecurity firm LunaSec noted that the zero-day was tweeted on Dec. 9 along with a proof-of-concept exploit on GitHub.
LunaSec noted that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less affected by the vulnerability. However, clever bad actors could likely work around the narrower attack vector.
The vulnerability has been found to affect Apple's iCloud platform, according to security researchers. At least one provided evidence that they were able to exploit the flaw.
A story in three parts #log4j pic.twitter.com/XMl02BcaJY
— Cas van Cooten (@chvancooten) December 10, 2021
The security researcher who did so said that they reported the vulnerability to Apple's product security team.
It isn't clear how this vulnerability could affect end users. However, Ars Technica reports that Minecraft gaming websites are already warning players that the flaw could allow attackers to gain remote access to their computers through the servers used to log them in.
Who's at risk, and how to protect yourself
Although the vulnerability appears to be wreaking havoc on Friday, the effects are mostly being felt in the enterprise sector. In other words, it's not up to end users to defend themselves against the vulnerability.
Engineers working in the programming subreddit suggested that major technology companies like Amazon have been working to fix the problem since late Thursday night.
18 Comments
Ubiquiti has already updated their UniFi network controller this afternoon. PDQ!
Wonder if there’ll be a 15.1.2 update to fix this or 15.2 will be accelerated to fix this. I’d go with the former with a new 15.2 RC just out.
I'm interested to know if this means iCloud is built on Java? Not much is out there (if at all) describing how Apple's back-end infrastructure is coded.