
Serious vulnerability, cyber agency: 'updating systems'

2021-12-13T12:27:38.002Z


'Open door' at the heart of server-hosted applications (ANSA)


Experts speak of the worst vulnerability to emerge on the web in recent years. Giants such as Amazon, Apple and Twitter, which are running for cover to protect themselves, are also threatened. The 'bug', which has been assigned the maximum severity score (10), has been named Log4Shell and affects the Apache Software Foundation's open-source Log4j 2 library, which sits at the heart of the majority of server-hosted applications around the world. The flaw allows remote code execution without authentication. This, says the National Cybersecurity Agency, "involves the presence of a vast and diversified attack surface on the entire internet network and, considering its simplicity of exploitation even by unsophisticated actors, makes the vulnerability particularly serious."

The recommendation of the body led by Roberto Baldoni, which immediately took action to raise its own defenses, is to minimize exposure to the vulnerability "by applying the necessary measures to its servers in the shortest possible time". CSIRT Italia, the incident response team set up within the Agency, is publishing on its website the security updates to which the IT managers of public and private services are invited to refer, including the procedures for resolving the vulnerability.

The first signs of Log4Shell exploitation seem to have appeared in Minecraft, a very popular online game owned by Microsoft. Log4j 2 is a Java-based logging library widely used in business software development; it is bundled in various software packages and often integrated directly into important applications. For this reason, the scale of the impact potentially extends to thousands of products and devices. The vulnerability resides in the message-handling component and allows arbitrary code to be executed remotely on the server that uses the library, leading to its complete compromise without any need for authentication. The attacker could gain control of the affected application and complete access to the system.

Since a Java library is involved, which is by nature multiplatform, the impact affects both Windows and Linux, and backend systems and microservices are also potentially vulnerable. And the bad guys are already at work exploiting the 'open door'. In fact, according to CSIRT Italia, scans in search of vulnerable servers have been detected and "massive exploitation of the vulnerability on the network" is foreseeable.

The Apache Software Foundation explains that the vulnerability was addressed in the Log4j 2.15.0 update.

CSIRT Italia's advice is to install it and, if that is not possible, to reduce the attack surface with a series of measures it lists.

"Since many Java-based applications can take advantage of Log4j 2," the agency team warns, "organizations should consider contacting application vendors or making sure their Java applications run the latest available version of the product."
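As an added example, not from ANSA or from the agency's advisory, the following Python script shows the kind of inventory check that turns the "make sure your applications run the latest version" advice into something an IT manager can run: it walks a directory tree, reads the version recorded inside each log4j-core jar and reports those older than the 2.15.0 release named above. The sample jars and their paths are constructed for the demonstration; the version threshold is the one the page names and can be raised as advisories are updated.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (2, 15, 0)  # release the page names as the fix; raise as advisories update
# Maven metadata shipped inside log4j-core jars; it carries the library version
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def jar_version(jar_path):
    """Version of log4j-core inside the jar, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPS not in zf.namelist():
                return None
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None

def find_vulnerable(root):
    """(relative path, version) for log4j-core jars under root older than FIXED_VERSION."""
    hits = []
    for path in Path(root).rglob("*.jar"):
        ver = jar_version(path)
        if ver is not None and ver < FIXED_VERSION:
            hits.append((path.relative_to(root).as_posix(), ".".join(map(str, ver))))
    return sorted(hits)

def scan_sample():
    """Constructed sample tree (hypothetical paths): one old, one fixed, one unrelated jar."""
    specs = {"app/lib/log4j-core-2.14.1.jar": "2.14.1",
             "svc/log4j-core-2.15.0.jar": "2.15.0", "svc/other-lib.jar": None}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, ver in specs.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            with zipfile.ZipFile(p, "w") as zf:  # fake jar: only the metadata entry matters here
                zf.writestr(POM_PROPS if ver else "META-INF/MANIFEST.MF",
                            f"version={ver}\n" if ver else "Manifest-Version: 1.0\n")
        return find_vulnerable(tmp)
```

Calling `scan_sample()` flags only the 2.14.1 jar; on a real host, call `find_vulnerable()` on the application root instead.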


Source: ansa
