PL Risk Blog

JavaScript Vulnerability causes Massive Panic

Written by Drew Smith | Dec 21, 2021 3:45:00 PM

When JavaScript announced a recent update, they had inadvertently created a large vulnerability in their newly released code. This vulnerability, which is easy for bad actors to exploit, is causing many to panic and scramble to update vulnerable programing

In a release dated December 10th, Java announced that one of their scripts published December 1st had a previously unknown vulnerability. The program labeled log4J, is a Java library that is designed to accept any error messages related to the Java script. The library was developed by the open-source Apache Software Foundation and is a key Java-logging framework. Since last week, CERT New Zealand that CVE-2021-44228, a remote code execution flaw in Log4j, was already being exploited in the wild, warnings have been issued by several national cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC). Internet infrastructure provider Cloudflare said Log4j exploits started on December 1. (1)

Like many cyber security issues, something like this can be seen as a significant issue. But it’s what this library has access to that causes many to be alarmed. While consumers might not directly be affected, many computer applications and websites use it to configure their websites and applications. By exploiting, hackers can remote access any device running the old version of the program. Among the many companies that are affected including The Cloud, the security firm Cloudflare and various gaming services including Minecraft.

The sheer magnitude of the attack’s damage is not lost on any experts as more vulnerabilities are discovered and exploited. According to Cloudfare, a prominent website security firm, “The new vulnerability, assigned the identifier CVE-2021-45046, makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was "incomplete in certain non-default configurations." The issue has since been addressed in Log4j version 2.16.0.

Even more troublingly, researchers at security firm Praetorian warned of a third separate security weakness in Log4j version 2.15.0 that can "allow for exfiltration of sensitive data in certain circumstances."(2)

Multiple websites run this script and if its not patched out, hackers have a back door on any device that runs the script. This exploitation is reminiscent of the Emotet virus, which attacks endpoints and forced companies to spend resources replacing infected computers.

As of December 9th, more than 100 hacking attempts were occurring per minute, according to data this week from cybersecurity firm Check Point. "It will take years to address this while attackers will be looking... on a daily basis [to exploit it]," said David Kennedy, CEO of cybersecurity firm TrustedSec. This is a ticking time bomb for companies." (3) Java has quickly developed a patch to counter this vulnerability, but it could take months even years to patch it out, this lag will allow hackers to access their systems with ease.

The Java vulnerability shows that systems can be compromised with simple mistakes in code. It also shows that networks need to keep their systems up to date. Many of these breaches have occurred in legacy systems, these are systems that are still running old Windows or Apple Operating systems that are no longer supported by their parent companies. With this hack, its more important than ever to know what to do when a breach occurs.