This exploit can affect everything from Apple to Minecraft


From time to time, new exploits emerge and show how problematic they can be in the hands of bad people. The situation is even more critical when the exploit is a zero-day. The latest one has been discovered in Apache’s Log4j logging library. A proof-of-concept exploit was shared online. It reveals the true potential of remote code execution attacks, and it has affected some of the largest services on the web. The vulnerability has been identified as “actively being exploited”, carries the “Log4Shell” moniker, and is one of the most dangerous to be made public in recent years. It can affect basically everything from Apple devices to simple apps and games like Minecraft.

For those unaware, Log4j is a popular Java-based logging package developed by the Apache Software Foundation. The vulnerability, tracked as CVE-2021-44228, affects all versions of Log4j between version 2.0-beta9 and version 2.14.1. It has been patched in the most recent version of the library, version 2.15.0. However, many services and applications currently rely on Log4j. That ranges from Apple devices to games like Minecraft. Cloud services such as Steam and Apple iCloud are also on the list of vulnerable services, and we assume the same goes for everyone using Apache Struts. Even changing an iPhone’s name is capable of triggering the vulnerability on Apple’s servers.
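To turn the version range above into an inventory check, the following added example (not code from the article or from Apache) walks a directory tree and flags `log4j-core` jars whose filename version falls between 2.0-beta9 and 2.14.1. It assumes jars keep the standard `log4j-core-<version>.jar` naming; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

# Matches log4j-core-<version>.jar, including pre-releases such as 2.0-beta9.
JAR_RE = re.compile(
    r"log4j-core-(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort before final
FINAL = 3

# Range as stated in the article: 2.0-beta9 through 2.14.1, fixed in 2.15.0.
FIRST_AFFECTED = (2, 0, 0, PRE_RANK["beta"], 9)
LAST_AFFECTED = (2, 14, 1, FINAL, 0)


def version_key(jar_name):
    """Return a sortable tuple for a log4j-core jar name, or None if no match."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))  # "2.0" -> 2.0.0
    if m.group(2):
        pre = (PRE_RANK[m.group(2).lower()], int(m.group(3)))
    else:
        pre = (FINAL, 0)
    return tuple(nums) + pre


def is_affected(jar_name):
    """True when the jar's version falls inside the article's affected range."""
    key = version_key(jar_name)
    return key is not None and FIRST_AFFECTED <= key <= LAST_AFFECTED


def scan(root):
    """Walk a directory tree and classify every log4j-core jar found by name."""
    return sorted((str(p), is_affected(p.name))
                  for p in Path(root).rglob("log4j-core-*.jar"))


if __name__ == "__main__":
    for path, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("AFFECTED  " if affected else "ok        ") + path)
```

The check is filename-based, so a copy of the library that has been renamed or bundled inside another archive (a fat jar or WAR) will not be seen and needs a separate look.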

Chen Zhaojun of the Alibaba Cloud Security Team was the first to discover this issue. According to the report, any service that logs user-controlled strings is currently vulnerable to the exploit. Logging user-controlled strings is a common practice among system administrators. It helps to spot potential platform abuse. Further, they use it to clean user input and ensure that there is nothing harmful to the software.

A simple action like changing an iPhone’s name can trigger the Log4Shell exploit

The exploit carries the “Log4Shell” moniker, as it’s an unauthenticated RCE vulnerability that allows for total system takeover. There’s already a proof-of-concept exploit online….
