Severe flaw in Java library impacts iCloud, Amazon, Steam, and more

Posted in General Discussion
A new actively exploited vulnerability has been discovered that can be used against a number of services, including Apple's iCloud, Valve's Steam, Microsoft's Minecraft, and more.

A zero-day flaw has been discovered in a widely used Java library


The vulnerability, CVE-2021-44228, exists in the widely used Java library Apache Log4j. It's classified as a severe zero-day flaw and, if exploited, could allow attackers to perform remote code execution and grant control over affected servers.

According to users on the programming subreddit, many companies are scrambling to patch the vulnerability. AppleInsider has confirmed through sources not authorized to speak on the matter that efforts are being made across the industry to either assess the impact, or actively apply patches.

"Get into work tomorrow?" wrote one user in response to a post suggesting engineering teams would need to patch the vulnerability Friday. "My coworkers are patching it right the hell now, with me on standby and checking up on their patched work."

According to CERT New Zealand, it appears that the vulnerability is already being actively exploited in the wild. Cybersecurity firm LunaSec noted that the zero-day was tweeted on Dec. 9 along with a proof-of-concept exploit on GitHub.

LunaSec noted that Java versions newer than 6u211, 7u201, 8u191, and 11.0.1 are less affected by the vulnerability. However, clever bad actors could likely work around the narrower attack vector.

The vulnerability has been found to affect Apple's iCloud platform, according to security researchers. At least one provided evidence that they were able to exploit the flaw.

A story in three parts #log4j pic.twitter.com/XMl02BcaJY

-- Cas van Cooten (@chvancooten)


The security researcher who did so said they reported the vulnerability to Apple's product security team.

It isn't clear how this vulnerability could affect end users. However, Ars Technica reports that Minecraft gaming websites are already warning players that the flaw could allow attackers to gain remote access to their computers through the servers used to log them in.

Who's at risk, and how to protect yourself

Although the vulnerability appears to be wreaking havoc on Friday, the effects are mostly being felt in the enterprise sector. In other words, it's not up to end users to defend themselves against the vulnerability.

Engineers working in the programming subreddit suggested that major technology companies like Amazon have been working to fix the problem since late Thursday night.


Comments

  • Reply 1 of 18
    Ubiquiti has already updated their UniFi network controller this afternoon. PDQ!
  • Reply 2 of 18
    Wonder if there’ll be a 15.1.2 update to fix this or 15.2 will be accelerated to fix this. I’d go with the former with a new 15.2 RC just out. 
  • Reply 3 of 18
    DAalseth Posts: 2,783 member
    Anilu_777 said:
    Wonder if there’ll be a 15.1.2 update to fix this or 15.2 will be accelerated to fix this. I’d go with the former with a new 15.2 RC just out. 
    Sounds like this is a server side issue. 
  • Reply 4 of 18
    sflocal Posts: 6,096 member
    I'm interested to know if this means iCloud is built on Java?  Not much is out there (if at all) describing how Apple's back-end infrastructure is coded.
  • Reply 5 of 18
    sflocal said:
    I'm interested to know if this means iCloud is built on Java?  Not much is out there (if at all) describing how Apple's back-end infrastructure is coded.

    Part of iCloud may utilize Java on the server side, but the platform as a whole won't be built using Java. Clients (your devices, your browsers) definitely do not need Java installed to access any part of iCloud.
  • Reply 6 of 18
    Just the Java versions of Minecraft are affected. The bedrock versions are fine. So mobile, console and Win10 versions are good. There is no bedrock version for Macs as Microsoft will not allow the iOS versions to run on ASi Macs. Java versions will not cross play with the bedrock versions. 
  • Reply 7 of 18
    Just the Java versions of Minecraft are affected. The bedrock versions are fine. So mobile, console and Win10 versions are good. There is no bedrock version for Macs as Microsoft will not allow the iOS versions to run on ASi Macs. Java versions will not cross play with the bedrock versions. 
    OMFG, do everyone a favour and never speak of anything technical again! This is so incorrect, not funny...

    Go to ArsTechnica, read the two articles there, educate yourself.
  • Reply 8 of 18
    crowley Posts: 10,453 member
    Just the Java versions of Minecraft are affected. The bedrock versions are fine. So mobile, console and Win10 versions are good. There is no bedrock version for Macs as Microsoft will not allow the iOS versions to run on ASi Macs. Java versions will not cross play with the bedrock versions. 
    OMFG, do everyone a favour and never speak of anything technical again! This is so incorrect, not funny...

    Go to ArsTechnica, read the two articles there, educate yourself.
    https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
    The sites warned that hackers could execute malicious code on servers or clients running the Java version of Minecraft by manipulating log messages, including from things typed in chat messages. 
    Seems to largely corroborate what Fidonet127 said (possibly with a caveat about the server version, when playing online). Certainly no need for such an abrasive response.
    edited December 2021
  • Reply 9 of 18
    Just the Java versions of Minecraft are affected. The bedrock versions are fine. So mobile, console and Win10 versions are good. There is no bedrock version for Macs as Microsoft will not allow the iOS versions to run on ASi Macs. Java versions will not cross play with the bedrock versions. 
    OMFG, do everyone a favour and never speak of anything technical again! This is so incorrect, not funny...

    Go to ArsTechnica, read the two articles there, educate yourself.
    Paragraph 2 of the link Crowley posted points out it is only Java versions. This is a Java vulnerability, thus Java versions are affected. Bedrock versions are not built using Java; however, they are built using C++. I read several articles on ArsTechnica and elsewhere. I run a bedrock server on an old Mac mini. I play a little bit on the bedrock versions just to play with my child. I have had to learn the differences. 
  • Reply 10 of 18
    dewme Posts: 5,372 member
    Looks like another case of an API that doesn’t do sufficient input parameter validation. I’d bet there are still a lot of similar vulnerabilities lurking out there in libraries that are deemed to be fairly innocuous in function. The takeaway is that all code needs to be secure, not just the code that deals with what is thought be high value, secure, or privacy related data and functionality. 

    This one also runs counter to the assertion that open source is less susceptible to security issues because there are so many more eyes on the code. Apparently none of those eyes picked up on the flaw before the bad guys figured out how to weaponize it. Oh well.
  • Reply 11 of 18
    DAalseth said:
    Anilu_777 said:
    Wonder if there’ll be a 15.1.2 update to fix this or 15.2 will be accelerated to fix this. I’d go with the former with a new 15.2 RC just out. 
    Sounds like this is a server side issue. 
    Java has not been a client-side issue for some time. JNLP was phased out and removed in the newest Java versions, so it runs on servers (well, you can have desktop apps too using JavaFX, but not sure who still uses that). However, logging with Log4J is a security problem, as you could log remotely to an attached storage system with the vulnerability.
  • Reply 12 of 18
    dewme said:
    Looks like another case of an API that doesn’t do sufficient input parameter validation. I’d bet there are still a lot of similar vulnerabilities lurking out there in libraries that are deemed to be fairly innocuous in function. The takeaway is that all code needs to be secure, not just the code that deals with what is thought be high value, secure, or privacy related data and functionality. 

    This one also runs counter to the assertion that open source is less susceptible to security issues because there are so many more eyes on the code. Apparently none of those eyes picked up on the flaw before the bad guys figured out how to weaponize it. Oh well.
    Not exactly true in this case. It's a JNDI lookup problem. Actually, open source is more secure as it is tested by many, including security scientists. Log4J has been tested for almost two decades now. It was tested by many more than Apple's entire code base. It is a fundamental library for all enterprise (banks, Big Tech like Amazon, etc.).
  • Reply 13 of 18
    Just the Java versions of Minecraft are affected. The bedrock versions are fine. So mobile, console and Win10 versions are good. There is no bedrock version for Macs as Microsoft will not allow the iOS versions to run on ASi Macs. Java versions will not cross play with the bedrock versions. 
    All of the Java world that uses Log4J may be affected. It is not as simple. Almost all enterprises use Log4J for logging. To mimic that, even the .NET world used their port of it, called log4net. This is one of the most fundamental logging libraries running around the world. You will find it in many more places than macOS running on computers around the world.
  • Reply 14 of 18
    Anilu_777 said:
    Wonder if there’ll be a 15.1.2 update to fix this or 15.2 will be accelerated to fix this. I’d go with the former with a new 15.2 RC just out. 
    You can work around it with just one parameter change and block the vulnerability. The problem is that older libraries had the default value for this set such that the vulnerability (JNDI lookup) was left open.
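The one-parameter workaround in Reply 14 only matters for deployments that still carry log4j-core with its JNDI lookup, so the first step on the defender's side is an inventory. The following is an added example, not code from the article or from anyone in this thread: it scans an archive, including jars nested inside fat jars or WARs, for the log4j-core pom.properties and the JndiLookup class. It assumes the standard Maven entry paths for those files, and the sample application jar it builds is constructed (no real bytecode) so the check runs offline.

```python
import io
import zipfile
from dataclasses import dataclass

# Entry paths assumed from the standard Maven layout of a log4j-core jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

@dataclass
class JarReport:
    path: str               # "app.jar!/lib/inner.jar" for nested archives
    version: "str | None"   # from pom.properties, None if that file is missing
    has_jndi_lookup: bool   # True while JndiLookup.class is still on board

def _version_from_pom(data: bytes) -> "str | None":
    for line in data.decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None

def scan_bytes(data: bytes, path: str, depth: int = 0) -> "list[JarReport]":
    """Report every log4j-core in an archive, recursing into embedded jars (fat jars, WARs)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # a misnamed or corrupt entry, not an archive
    with zf:
        names = set(zf.namelist())
        reports = []
        if POM_PROPERTIES in names or JNDI_LOOKUP_CLASS in names:
            version = _version_from_pom(zf.read(POM_PROPERTIES)) if POM_PROPERTIES in names else None
            reports.append(JarReport(path, version, JNDI_LOOKUP_CLASS in names))
        if depth < 3:  # bounded recursion so nested archives cannot recurse without limit
            for name in sorted(n for n in names if n.endswith((".jar", ".war", ".ear"))):
                reports.extend(scan_bytes(zf.read(name), f"{path}!/{name}", depth + 1))
        return reports

def build_sample_fat_jar() -> bytes:
    # Constructed app jar bundling one unstripped and one stripped log4j-core (no real bytecode).
    def core_jar(version: str, with_jndi: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/log4j-core-a.jar", core_jar("0.0-sample-a", True))
        zf.writestr("lib/log4j-core-b.jar", core_jar("0.0-sample-b", False))
    return buf.getvalue()
```

Run `scan_bytes(open(path, "rb").read(), path)` over each deployed jar or WAR; any report with `has_jndi_lookup` set is a candidate for the workaround in the reply above or for an upgrade.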
  • Reply 15 of 18
    dewme Posts: 5,372 member
    dewme said:
    Looks like another case of an API that doesn’t do sufficient input parameter validation. I’d bet there are still a lot of similar vulnerabilities lurking out there in libraries that are deemed to be fairly innocuous in function. The takeaway is that all code needs to be secure, not just the code that deals with what is thought be high value, secure, or privacy related data and functionality. 

    This one also runs counter to the assertion that open source is less susceptible to security issues because there are so many more eyes on the code. Apparently none of those eyes picked up on the flaw before the bad guys figured out how to weaponize it. Oh well.
    Not exactly true in this case. It's a JNDI lookup problem. Actually, open source is more secure as it is tested by many, including security scientists. Log4J has been tested for almost two decades now. It was tested by many more than Apple's entire code base. It is a fundamental library for all enterprise (banks, Big Tech like Amazon, etc.).

    Thanks for the clarification. I read through the root cause analysis and took the following statement as indicative of insufficient input parameter validation:

    "Without careful user input filtering and strict input data sanitization, a blind trust of user input may lead to severe security issues"

    I realize that the "sanitization" process is very nontrivial considering the wide number of encoding formats the API handles and the various lookup functions that the API can call as well, which in this case is JNDI. I would still expect that all of the lookup option execution paths would have undergone some sort of fuzz testing for the specific lookup capability. Whether this would have uncovered vulnerabilities to very specific and expertly crafted (with deviant intent) input is unknown, but I believe there are many similar opportunities for this type of exploit in what are deemed to be "utility" libraries.


  • Reply 16 of 18
    dewme Posts: 5,372 member
    DoctorQ said:
    Ubiquiti has already updated their UniFi network controller this afternoon. PDQ!

    What is the new version? I have not seen a new update, at least for the version that runs on the CloudKey.
  • Reply 17 of 18
    It seems odd that a server would run any unsigned bits of JavaScript code. This isn't your desktop that is being attacked. It is highly secure servers. For them to execute some new JavaScript that magically appeared on the system seems a bit suspicious. This is not aimed at Apple but server security in general, but Apple should be leading by example. If code signing is a requirement for our Macs, it certainly should be for possibly dangerous code running on servers.
  • Reply 18 of 18
    crowley Posts: 10,453 member
    It seems odd that a server would run any unsigned bits of JavaScript code. This isn't your desktop that is being attacked. It is highly secure servers. For them to execute some new JavaScript that magically appeared on the system seems a bit suspicious. This is not aimed at Apple but server security in general, but Apple should be leading by example. If code signing is a requirement for our Macs, it certainly should be for possibly dangerous code running on servers.
    Java, not JavaScript.