Severe flaw in Java library impacts iCloud, Amazon, Steam, and more

A zero-day flaw has been discovered in a widely used Java library

The vulnerability, CVE-2021-44228, exists in the widely used Java library Apache Log4j. It's classified as a severe zero-day flaw and, if exploited, could allow attackers to perform remote code execution and grant control over affected servers.

According to users on the programming subreddit, many companies are scrambling to patch the vulnerability. AppleInsider has confirmed through sources not authorized to speak on the matter that efforts are being made across the industry to either assess the impact, or actively apply patches.

"Get into work tomorrow?" wrote one user in response to a post suggesting engineering teams would need to patch the vulnerability Friday. "My coworkers are patching it right the hell now, with me on standby and checking up on their patched work."

According to CERT New Zealand, it appears that the vulnerability is already being actively exploited in the wild. Cybersecurity firm LunaSec noted that the zero-day was tweeted on Dec. 9 along with a proof-of-concept exploit on GitHub.

LunaSec noted that Java versions created 6u211, 7u201, 8u191, and 11.0.1 are less affected by the vulnerability. However, clever bad actors could likely work around the narrower attack vector.

The vulnerability has been found to affect Apple's iCloud platform, according to security researchers. At least one provided evidence that they were able to exploit the flaw.

The security researcher who did said that they alerted the vulnerability to Apple's product security team.

It isn't clear how this vulnerability could affect end users. However, Ars Technica reports that Minecraft gaming websites are already warning players that the flaw could allow attackers to gain remote access to their computers through the servers used to log them in.

Who's at risk, and how to protect yourself

Although the vulnerability appears to be wreaking havoc on Friday, the effects are mostly being felt in the enterprise sector. In other words, it's not up to end users to defend themselves against the vulnerability.

Engineers working in the programming subreddit suggested that major technology companies like Amazon have been working to fix the problem since late Thursday night.