Critical RCE Zero-Day Exploit Found in Popular Java Logging Library log4j
Situation
A critical RCE (aRbitrary Code Execution) has been found in log4j, a popular logging tool. This vulnerability is severe and affects every server running Java.
Problem
This vulnerability affects any Java application using log4j. An attacker can send a string to the server and the server will execute code hosted at the address.
Implication
This attack is extremely easy to execute and many popular products are affected such as Minecraft, Steam, iCloud, and much more.
JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are currently not affected by the primary attack vector (LDAP) but there are other attack vectors in use.
Need
It is advised to update servers running Java or log4j ASAP. The update for log4j can be found here: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
There are also ways to mitigate the issue if patching is not available.
For a more technical overview: