Apache Log4j software flaw being 'actively exploited', CERT NZ warns


The national cybersecurity watchdog is warning of a threat to a widely used software component.

A vulnerability in the Java logging library Apache Log4j, affecting versions between 2.0 and 2.14.1, was detected and publicly reported last week.

The Apache Logging security team has rated the security impact of the vulnerability, also known as Log4Shell, as critical.

CERT NZ released an advisory warning that attackers could gain full control of an affected server if a user-controlled string is logged.

"Reports from online users show that this is being actively exploited in the wild," the advisory stated.

The issue was discovered by Chen Zhaojun of Alibaba's cloud security team.

Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable, according to Lunasec.

Incident response manager Nadia Yousef told Morning Report the implications were wide-ranging because a lot of organisations used this piece of software.

"It does mean lots of agencies potentially could be affected by hackers if they don't act," Yousef said.

"That's why you'll have seen such a significant response and uptake in the media about it over the weekend.

"We know that organisations are taking this very seriously... vendors and organisations have worked through the weekend, lots of vendors have put out updates and patches for people to put in place to try and get in front of this incident."

Users and organisations are encouraged to get in contact with their software or IT providers to ask whether this affects them and what the plan is, Yousef said.

"Also it's Monday morning, lots of people will be getting into the office, security teams will be seeing messages that have come through over the weekend from the vendors saying you need to update this now and we're just asking people to absolutely prioritise it.

"Get it updated, get it patched as soon as you possibly can."

Cybersecurity incidents have been increasing over the past few years, particularly since the pandemic has forced more people to work remotely, she said.

"Have a layered approach to security, that means having other things that will stop attackers from getting in.

"So if you set up multi-factor authentication on your banking account, it will mean that if there's hackers trying to transfer large amounts of money out of your account, they won't be able to do it without the authority code from your phone."

RNZ