What is Log4J?
The Apache Log4j is an open-source java library created and supported by the illustrious Apache Software Foundation(ASF). Log4j is one of the prominent components used to develop modern software applications. It is a logging library used by developers to track their software applications or online services. It also stores vast journals of the activities incurred in a software application, referred to as logging. This tool facilitates the developers to find out the activities and incidents that cause application abnormalities. This tool has been widely used by open-source products and large commercial entities like Amazon, Apple, Microsoft, IBM, Netflix, SAP, Siemens, etc.
What is Log4Shell vulnerability?
“Log4shell” is a recently found highly critical zero-day vulnerability in the Log4j logging tool, and It is tracked as “CVE-2021-44228”. The Alibaba Security Team first discovered and reported the Log4Shell vulnerability in late November 2021. The volunteer groups of ASF have also started throwing some warnings post that discovery. Later, Microsoft’s Minecraft game-makers has publicly announced that their game is prone to this vulnerability and released the software patches to fix it. But the cyber-security researchers are worrying that this issue is more complicated than it seems. Since then, the security companies and product owners have been burning their night oil to fix this issue before leading to a more catastrophic scenario.
How does the exploitation work?
Many hacking groups had begun to compromise vulnerable targets by exploiting Log4Shell vulnerability. Remote Code Execution (RCE) is the most preferred cyber-attack to exploit this vulnerability. The evil groups scan the internet to find vulnerable targets and set up machines to deliver malicious payloads. They achieve this by shooting malicious requests to a system that uses Log4j and Log4j processes them as instructions. Poor lookup and input validation methods in the Log4j library make this possible. This severe vulnerability can help cyber criminals perform data exfiltration, system credential thefts, infrastructure compromising, and even ransomware execution.
>How can you secure your systems?
The magnitude of this vulnerability is very substantial because of the extensive usage of the Log4J library across multiple software applications. Finding the right solution for this issue is likely to take weeks or months for larger organizations. We want to share some early-stage measures to safeguard your software applications using the Log4J library.
● Before implementing any fix, it is essential to identify all the applications and systems vulnerable to Log4j exploits. This helps in classifying the affected and preventing other logs.
● The best solution to prevent the vulnerability is to upgrade Log4J to the latest and upgraded version. This will help remove the risk from code execution. All the versions below 2.16.0 are vulnerable and must be taken care of. The updated versions are Log4j v.2.17.0 for Java 8 or later and Log4j v.2.12.2 if you use Java 7 for your web app infrastructure.
● After identifying issues with their previous release, Apache has released the 2.17.0 version of the patch for Log4j. This solves the denial of service vulnerability, thus reducing the severity.
● Some Web Application Firewall providers have already declared that they protect against this vulnerability. However, WAFs might not take notice of the attempt to exploit since payloads are being reformatted now and then.
● The open-source communities and cybersecurity research companies are encouraged to strengthen security practices and enable automated dependency updates and add security mitigations to overcome this vulnerability. We share a few beneficial blogs below to help you safeguard your system from exploitation.
Ø Microsoft Threat Intelligence Center (MSTIC)’s Blog
Ø Owasp Core Rule Set
We hope this blog helped you understand log4shell vulnerability better and equip yourself to prevent exploitation.