What Is Log4j Vulnerability?

Logging has become a non-evitable part of every web application and server-based program. These special file types keep logs (i.e., records) of events or actions happening within the application.


Introduction

Logging has become a non-evitable part of every web application and server-based program. These special file types keep logs (i.e., records) of events or actions happening within the application. Log4i is also a Java-based logging library or utility that can work as an API. It gets distributed under the Apache Software License. On December 9, 2021, some reports surfaced about the zero-day vulnerability. They call it the Log4j (Log4Shell) vulnerability. It impacted Minecraft servers. A week later, researchers found that millions of devices are at risk due to this vulnerability. This article will describe what Log4j is, why Log4j vulnerability ranks among the worst, and what insight is needed to prevent this vulnerability.

What Is Log4j?

Log4j is a framework written in Java for logging operations on software applications. Ceki Gülcü is the creator of Log4j. The Log4j framework records events, errors, and routine app operations. It also transmits diagnostic messages related to system administrators and users. The Log4j project is under Apache Software Foundation. Apache Log4j version 2 is an advancement to Log4j, providing considerable improvements over its previous version, Log4j v1. The new version fixes some inherent issues in Log-back's architecture but is susceptible to RCE. Let us now discuss what Log4j vulnerability is.

What Is Log4j Vulnerability?

The Log4j exploit has become a widespread threat that allows attackers to compromise web-facing servers by injecting them with a malicious text string. Cybercriminals are leveraging a zero-day vulnerability in this open-source logging library. In December 2021, the U.S. Cybersecurity and Infrastructure Security Agency director, Jen Easterly, addressed this vulnerability as the most serious one of her career. According to Jen, persuaders have made hundreds of thousands or might be even a million attempts through this vulnerability.

How Does This Vulnerability Work?

The zero-day exploit is vulnerable where the Log4j processes log messages. By sending explicitly crafted messages to the server employing Log4j, an attacker can drive the system to load exterior malicious code. Such a type of attack is also called remote command execution. The exploit (CVE-2021-44228) leverages a Java API called the Java Naming and Directory Interface (JNDI) that allows clients to uncover and lookup data and objects through the name. The attackers can even store these objects in different locations or directory services using any of these methods: Lightweight Directory Access Protocol (LDAP), Remote Method Invocation (RMI), or through Domain Name Service (DNS).

Through this vulnerability, attackers can regulate log messages or log notification parameters on different versions of Log4j. This manipulation of log messages helps attackers run arbitrary code and takes complete control over any affected server using the Log4j framework. Attackers are also leveraging this vulnerability to deploy crypto miners and potentially other malware.

Where Did Log4j Get Detected for the First Time?

According to CBS News, a group of people from the Apache Software Foundation group got the alert on November 24 about the vulnerability. A cloud security team member of Alibaba discovered it for the first time. It came to the limelight when cybersecurity professionals shared a blog post about Minecraft leveraging this vulnerability in the first week of December. That blog alerted the gamers about the cybercrime detected through that flaw and infiltrations into their computers.

How to Prevent This Log4j Attack?

Organizations should do the following actions whether an attack is experienced or not. Start by searching the application logs to check if any RCE payload resides or not. If keywords like "ldap", "jndi", “$ {::” come during the search, you should further investigate as to whether it's a fingerprinting by security professionals or an actual attack. Here is a checklist of some standard prevention techniques you can use against Log4j vulnerability.

  • Enterprises should upgrade their existing Log4j version to Log4j version 2.16.0. It got officially released on December 13 by Apache. According to Apache, if any project is still leveraging the old version of Java, i.e., Java 7, they should immediately upgrade to Log4j 2.12.2.

  • Ensure that all your project or product dependencies, APIs, and libraries are fully patched.

  • Some well-known Web Application Firewall (WAF) vendors announced that their WAF could protect against the Log4j vulnerability. So, another good practice is to integrate these WAFs into your web applications and products.

  • If a software vendor developed or provided your application, it is always good to consult them to verify whether they got impacted by Log4j. If so, ask them if they have come up with a patch for the products.

Conclusion

Log4j is a critical vulnerability, and organizations should not ignore its impact on the overall security and data breaching abilities. Cybercriminals are still leveraging its benefits and exploiting applications that are still using the unpatched version of Log4j. However, if you believe that past behavior indicates future performance, then probably Log4j vulnerability will crop up in the coming years.

Language: English - Odia - Change