A new 0-day exploit called Log4Shell has been found in log4j, a popular and open-source Java logging library, which allows Remote Code Execution (RCE) by logging a specific string. The vulnerability impacts popular services like iCloud, Minecraft servers, Steam, and more, however, services with strict security rules could be able to mitigate the impact.
Due to the popularity of the library and the ease at which this vulnerability can be exploited, Log4Shell is considered highly dangerous and could compromise countless devices. To put things into perspective, some folks have called this vulnerability worse than heartbleed.
Log4Shell vulnerability in log4j open-source Java logging library impacts iCloud
As per LunaSec, and as demonstrated on Twitter, simply changing an iPhone’s name is enough to trigger the vulnerability in Apple’s servers.
— Cas van Cooten (@chvancooten) December 10, 2021
Even a specific chat message in Minecraft is enough to trigger the vulnerability on its servers.
LunaSec notes that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector, however, not all systems are simple to upgrade and it might take some time before popular services are fully protected against this exploit.
As this exploit also works on Apple’s iCloud, the potential security risks are that hackers could execute code remotely on the servers, potentially allowing access to user data, installing backdoors, and causing downtime. However, this is all theoretical, and multiple security rules can mitigate the impact. Unless we hear from Apple regarding the impact of this vulnerability, it is difficult to say how iCloud users are affected, if at all.
The likes of Apple, Microsoft, Steam, and others should be quick to respond and remediate this issue. We will likely learn in-depth details regarding what companies did to mitigate the risk over the coming days.
If you are interested in learning more about how this vulnerability works, this explainer video by Lawrence systems is a good place to start:
Update, December 12: As per The Eclectic Light Company, Apple already fixed the issue very quickly:
As you’d both hope and expect, iCloud was fixed quickly. Although researchers were able to demonstrate the vulnerability when connecting to iCloud through the web on 9 and 10 December, by 11th that no longer worked. It also doesn’t appear to have affected macOS or other direct connections.