The recently discovered vulnerability known as Log4Shell is currently causing chaos on the internet, as cyber defenders try to fix the flaw while cybercriminals try to exploit its weaknesses and steal information.
The Log4Shell vulnerability (CVE-2021-44228) was found in the Apache Log4j library, which was assigned the maximum severity level — CVSS 10. This library is used by millions of Java applications to log error messages. To make matters worse, attackers are already actively exploiting this vulnerability in attacks.
The security breach threatens millions of devices and major services like Minecraft, Steam, and Apple iCloud. Although the vulnerability already has a patch to fix the problem, the bug is expected to take a long time to fix, given a large number of systems and devices that have been affected. Therefore, the Apache Foundation recommends that all developers update the library to version 2.15.0, and if this is not possible, use one of the methods described on the Apache Log4j Security Vulnerabilities page.
The vulnerability appears to have been exploited primarily to deliver crypto mining malware, and security researchers expect to see an evolution in the type of attacks. The ability to easily execute unauthenticated, remote code opens up a wide range of possibilities for attackers.
So far, no major cyber incidents have been publicly documented as a result of the Log4Shell vulnerability, but researchers are seeing an alarming rise in hacker groups trying to exploit the flaw for espionage.