Warning to all! Log4j Vulnerability Update

There are many articles in the news about this 10 out of 10 vulnerability. Here is a more recent one:

In reference to Chia, exchanges and pools would seem to be the most obvious possible targets for this exploit.

What other dangers does this exploit present to Chia farmers, traders, and crypto in general?


This affects Java-based applications only, but in the Java world the vulnerable library is used by the majority of applications, making them potentially vulnerable.

I don’t think anybody implemented a Java-based Chia pool, but there might be exchanges using a Java backend.

It is in Apache code used by almost a third of servers on the internet. Yes, it is technically Java code originally, but it is part of the Apache code now and has been for years.

“It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across industry and government … Millions of servers have the logging tool installed, and experts said the fallout would not be known for several days.”

The exploit was first discovered (I think) by Minecraft chatters using chat to inject strings into the log while using a Java platform.

You do not need the Java interface to inject strings into the Log4Shell logs. There are many ways of injecting a string into a server log.

Once the correct string is injected, “Anyone with the ability to exploit it can obtain full access to an unpatched computer that uses the software … The vulnerability, dubbed Log4Shell, was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the tool.”

@Aspy68 I looked into the details of this problem because of my professional background. The Apache Software Foundation is sponsoring / managing many Java open source projects. This library is a Java library used in Java applications exclusively.

A lot of services are Java-based on the server side, so this is definitely a huge threat.


Agreed.

My describing it as Apache code was not quite correct. It is as you described above.

Many/most Apache servers (and other IT hardware and software) use Java-based server services, including Log4Shell.