Severe flaw in Java library impacts iCloud, Amazon, Steam, and more

A zero-day flaw has been discovered in a widely used Java library

A new actively exploited vulnerability has been discovered that can be used against a number of services, including Apple's iCloud, Valve's Steam, Microsoft's Minecraft, and more.

The vulnerability, CVE-2021-44228, exists in the widely used Java library Apache Log4j. It's classified as a severe zero-day flaw and, if exploited, could allow attackers to perform remote code execution and take control of affected servers.

According to users on the programming subreddit, many companies are scrambling to patch the vulnerability. AppleInsider has confirmed through sources not authorized to speak on the matter that efforts are being made across the industry to either assess the impact, or actively apply patches.

"Get into work tomorrow?" wrote one user in response to a post suggesting engineering teams would need to patch the vulnerability Friday. "My coworkers are patching it right the hell now, with me on standby and checking up on their patched work."

According to CERT New Zealand, it appears that the vulnerability is already being actively exploited in the wild. Cybersecurity firm LunaSec noted that the zero-day was tweeted on Dec. 9 along with a proof-of-concept exploit on GitHub.

LunaSec noted that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less affected by the vulnerability. However, clever bad actors could likely work around the narrower attack vector.

The vulnerability has been found to affect Apple's iCloud platform, according to security researchers. At least one provided evidence that they were able to exploit the flaw.

The security researcher who did so said that they reported the vulnerability to Apple's product security team.

It isn't clear how this vulnerability could affect end users. However, Ars Technica reports that Minecraft gaming websites are already warning players that the flaw could allow attackers to gain remote access to their computers through the servers used to log them in.

Who's at risk, and how to protect yourself

Although the vulnerability appears to be wreaking havoc on Friday, the effects are mostly being felt in the enterprise sector. In other words, it's not up to end users to defend themselves against the vulnerability.

Engineers working in the programming subreddit suggested that major technology companies like Amazon have been working to fix the problem since late Thursday night.



18 Comments

DoctorQ 7 Years · 55 comments

Ubiquiti has already updated their UniFi network controller this afternoon. PDQ!

Anilu_777 8 Years · 579 comments

Wonder if there’ll be a 15.1.2 update to fix this or 15.2 will be accelerated to fix this. I’d go with the former with a new 15.2 RC just out. 

DAalseth 6 Years · 3067 comments

Anilu_777 said:
Wonder if there’ll be a 15.1.2 update to fix this or 15.2 will be accelerated to fix this. I’d go with the former with a new 15.2 RC just out. 

Sounds like this is a server side issue. 

sflocal 16 Years · 6138 comments

I'm interested to know if this means iCloud is built on Java?  Not much is out there (if at all) describing how Apple's back-end infrastructure is coded.

coolfactor 20 Years · 2341 comments

sflocal said:
I'm interested to know if this means iCloud is built on Java?  Not much is out there (if at all) describing how Apple's back-end infrastructure is coded.

Part of iCloud may utilize Java on the server-side, but the platform as a whole won't be built using Java. Clients (your devices, your browsers) definitely do not need Java installed to access any part of iCloud.