"Log4j is a ubiquitous library used by millions of Java applications for logging error messages. "The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year," said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. In the case of the latter, attackers have been able to gain RCE on Minecraft Servers by simply pasting a specially crafted message into the chat box.
#CRITICAL OPS MOD 0.9 11 F172 SOFTWARE#
Log4j is used as a logging package in a variety of different popular software by a number of manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft.
The project maintainers credited Chen Zhaojun of Alibaba Cloud Security Team with discovering the issue. Exploitation can be achieved by a single string of text, which can trigger an application to reach out to a malicious external host if it is logged via the vulnerable instance of Log4j, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally.