Apple iCloud, Twitter & Minecraft Zero-Day Flaw Discovered

Critical Vulnerability Discovered in Java Logging Library
Several widely used services, notably including Apple iCloud, Twitter, Cloudflare, Minecraft, and Steam, are facing potential compromise due to a newly identified zero-day vulnerability.
This vulnerability, designated “Log4Shell” by researchers at LunaSec and initially credited to Chen Zhaojun from Alibaba, resides within Apache Log4j. Log4j is a prevalent open-source logging utility integrated into a vast array of applications, websites, and online services.
Widespread Impact of Log4Shell
The initial discovery of Log4Shell occurred within Microsoft’s Minecraft. However, LunaSec cautions that a substantial number of services are susceptible to exploitation. This is attributed to Log4j’s pervasive use in nearly all significant Java-based enterprise applications and servers.
The cybersecurity firm’s blog post indicates that users of Apache Struts are also at high risk of being affected by this security flaw.
Affected Organizations
Confirmed vulnerable organizations include Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent, and Elastic. It is highly probable that hundreds, if not thousands, of additional organizations are also impacted.
Cloudflare has stated, in correspondence with TechCrunch, that its systems have been updated to prevent attacks and that, as of now, no evidence of exploitation has been detected.
Government and Security Agency Response
Robert Joyce, Director of Cybersecurity at the NSA, has verified that GHIDRA, the agency’s free and open-source reverse engineering tool, is also affected. He emphasized the significant threat posed by the Log4j vulnerability due to its widespread inclusion in software frameworks.
The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom’s CERT, and the GreyNoise web monitoring service have all issued warnings regarding active scanning for servers vulnerable to Log4Shell attacks.
GreyNoise reports that approximately 100 distinct hosts are currently probing the internet for methods to exploit the Log4j vulnerability.
Open Source Supply Chain Risks
Kayla Underkoffler, a Senior Security Technologist at HackerOne, explained to TechCrunch that this zero-day vulnerability underscores the risks associated with open-source software as a crucial component of the global critical supply chain.
“Nearly all modern digital infrastructure relies on open-source software, with the average application utilizing 528 different open-source components,” Underkoffler stated. “Many high-risk vulnerabilities discovered in 2020 existed in code for over two years, and organizations often lack the control needed to quickly address these weaknesses.”
Mitigation and Updates
The Apache Software Foundation has released an emergency security update to address the zero-day vulnerability in Log4j. Mitigation steps have also been provided for those unable to update immediately.
Mojang Studios, the game developer, has also released an emergency security update for Minecraft to resolve the issue.
This article has been updated to include a statement from Cloudflare.
