Apple iCloud, Twitter, Cloudflare, Minecraft, and Steam are reportedly vulnerable to a zero-day exploit affecting a popular Java logging library. The vulnerability, dubbed "Log4Shell" by LunaSec researchers and attributed to Chen Zhaojun of Alibaba, was discovered in Apache Log4j, an open-source logging utility used in a wide range of apps, websites, and services.
Log4Shell was discovered in Microsoft-owned Minecraft, but LunaSec warns that due to Log4j's "ubiquitous" presence in almost all major Java-based enterprise apps and servers, "many, many services" are vulnerable to this exploit. The cybersecurity firm warned in a blog post that anyone who uses Apache Struts is "likely vulnerable."
Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent, and Elastic are among the companies whose servers have been confirmed to be vulnerable to the Log4Shell attack so far, though there are likely hundreds, if not thousands, of other organisations affected. Cloudflare said in a statement to TechCrunch that it has updated its systems to prevent attacks and that it has found no evidence of exploitation.