By: Prasanna Peshkar
January 19, 2022
Do You Think You Know What Log4J Is?
By: Prasanna Peshkar
January 19, 2022
Cyberspace is full of techno-innovations as well as vulnerabilities. Since December 10, security experts uncovered a crucial vulnerability called Log4Shell in servers backing the popular game Minecraft. Attackers have been developing numerous exploit attempts of the Log4j 2 Java library. This article is all about the Log4J vulnerability.
What is Log4J?
A Java library is simply a group of classes that have been already programmed or written by other programmers. To use these libraries, users have to download those classes, which can be used in the programming code.
Log4j is used for logging error messages in software applications. These applications include business applications, cloud applications, and networks. Additionally, it is utilized by numerous Java programs and applications developed in the last ten years for both server and client applications.
What Is Log4Shell: The Log4j Vulnerability?
Log4Shell is a vulnerability found in Apache Log4j 2. This Apache Log4j2 is one of the most widely used Java libraries for logging error messages in various software and enterprise applications. The vulnerability, published as CVE-2021-44228, allows attackers to manipulate or compromise any machine on the internet running a particular version of Log4j. For example, the internet-connected devices that run an Apache Log4j version from 2.0-to-2.14.1 are vulnerable to Log4Shell.
As mentioned earlier, this vulnerability allows attackers to compromise millions of machines across the internet. Additionally, if manipulated, the exposure authorizes remote code execution on weak servers, providing an attacker the power to insert malware that would comprehensively compromise devices.
The critical thing to notice here is that it is an open-source logging library employed by various applications and utilities in the internet world. As we all know, logging is a procedure where applications keep a functioning list of movements they have completed, which can subsequently be inspected in case of error. Almost every network security procedure conducts a logging function, which delivers widespread libraries like log4j a vast space.
In other words, this Log4Shell vulnerability gives hackers a straightforward path to run code on any vulnerable device. The issue was first noticed on the websites hosting popular game Minecraft servers. It was found that attackers could initiate the vulnerability by broadcasting chat text. A tweet from security research firm GreyNoise noted that the firm has already witnessed multiple servers exploring the internet for devices vulnerable to the exploit.
A threat actor simply pushes the application to keep a specific string of characters in the log to use it effectively. However, as applications usually log a vast scope of events, such as messages sent and accepted by users or the information of system errors, the exposure is straightforward to exploit and can be activated in different ways.
Who is affected by Log4J Vulnerability? Impact of Exploitation
As mentioned earlier, the security threat with Log4j has been named CVE-2021-44228 or Log4Shell or LogJam. In addition, it has been categorized among the most intense security threats, as it impacts all versions of Log4j. This means many software applications and services are vulnerable as many systems use the Log4j library.
Log4j is almost definitely a stake in the machines and applications they utilize online regularly for private users or individuals. Therefore, the most helpful thing they can accomplish to defend themselves is to make sure that their machines and applications are up-to-date.
Security professionals have marked the Log4J vulnerability (CVE-2021-44228) as one of the most critical and far-serious vulnerabilities to date. Big and small firms widely utilize the open-source, the library for regular log administration. With the vulnerability (CVE-2021-44228), threat actors can manipulate the software to start a Remote Code Execution (RCE) and other attacks. In addition, adversaries can also take benefit of the vulnerability to more precisely and efficiently undertake other cyberattacks.
How to mitigate this Vulnerability?
According to CISA's advisory, updating the impacted version to the latest version -- at the moment, 2.17.0 for Java 8 and more recent -- is the perfect approach to the weaknesses pinpointed so far: CVE-2021-44228, also comprehended as Log4Shell, which directs to remote code execution, CVE-2021-45046, and CVE-2021-45105, which can generate denial-of-service situations.
First, it is essential to discover internet-connected machines running Log4j and update them to the latest version or employ the mitigations delivered by vendors "instantly." But it also suggests configuring alerts for investigations or attacks on machines.
The Log4j utilizes a Java attribute named JNDI (Java Naming and Directory Interface) to authorize the loading of different Java objects during runtime implementation. The exploit used LDAP (Lightweight Directory Access Protocol), the most typical one.
One method to repair the vulnerability is to block JNDI text lookups, which Log4j 2.16.0 accomplishes. Yet, this can also be achieved by basically pulling out the whole JndiLookup class, which executes this functionality, from an impacted or a malicious Log4j package.
The following are some of the crucial steps suggested by the CISA to mitigate this threat:
Determining assets impacted by Log4Shell and other Log4j-based vulnerabilities.
Upgrading Log4j based applications and involved by-products to the most advanced version as soon as patches are public and staying alert to vendor updates.
Starting search and incident response techniques to find potential Log4Shell exploitation.
Assess and implement other mitigations.
Before any response plan is created and any previous mitigation approaches can be utilized, companies must first recognize all the applications and networks that could be weak to Log4j exploits. Unfortunately, that's not straightforward to accomplish, assuming that each application can contain its illustration of Log4j and could also pack it as a piece of some other third-party reliance.
As the security professionals continue to explore this vulnerability and its effect, it's conceivable that current mitigation techniques will be altered or abandoned. It's, hence, most beneficial to regularly review the Log4j project's security page and CISA advisory for any updates.