Apache Log4j 2 Vulnerability – What You Need to Know?
Written by Harini Krish
Lead Technical Content WriterUntil a few days ago, many people would not have known the Log4j2 software. However, this little-known module is frequently used by other larger software, which means it is found in many products and locations.
What is Apache Log4J?
Apache Log4j is a section of the Apache Logging Project. In general, usage of this library is one of the easiest ways to log errors, and that is why most Java developers use it.
Log4j is developed by the Apache Foundation and used in thousands of applications, including the Apache Struts code. It impacts Cloudflare, Minecraft, Twitter, Apple, and many of the largest tech companies in the world. This vulnerability, and corresponding public exploits, are being actively exploited in the wild by abusing the Java Naming and Directory Interface (JNDI), a Java API used by the Java programming language.
Various information security news reported on the critical vulnerability CVE-2021-44228 in the Apache Log4j library. Loads of Java applications use this library to log error messages. To make issues worse, attackers are now actively exploiting this exposure.
What is Vulnerability, and Why is it Challenging?
Log4j is a logging library found in many Java applications, and the vulnerability is a result of how Log4j processes log messages.
It allows the use of “lookup” features, where the user providing data to be logged can indicate where the content of the data comes from. For example, it can be a call to a remote server instead of a simple string. That lets attackers to inject calls to malicious servers that host malware or instruction to leak sensitive information (access tokens) to attacker-controlled servers.
These remote calls are enabled by a Java feature called Java Naming and Directory Interface (JNDI), which supports protocols such as the Lightweight Directory Access Protocol (LDAP), Domain Name System (DNS), Remote Method Invocation (RMI), and Common Object Request Broker Architecture (CORBA). Technically, an exploit is a string of the form ${jndi:
Many Internet-facing machines, such as web servers, accept user input that is logged by a backend running Log4j without sanitization. That often happens even if the webserver itself does not run Log4j, but some business applications use information from the user via the webserver. This allows attackers to inject the malicious strings via HTTP requests, for instance, which is the biggest attack surface observed so far.
There are two complex factors for this vulnerability. First, Log4j is not a single vulnerable application but an extensively used component in products ranging from databases to web conferencing systems. Thus, identifying vulnerable assets in a network is tricky. Next, attackers find many ways to conceal exploits, so understanding if and how your organization is or was attacked is not easy.
Recommended Solutions
Ultimately, the impacted software must be patched by the vendor, but alternate actions can be taken, and recommended solutions are listed in order of default preference:
- Patch the vulnerable software immediately, should one exist.
- In certain circumstances, the software may be protected via reconfiguring the default behavior for log4j.
- Shut down the service down until a patch is available.
- This is an extreme measure, but the truth is this vulnerability leads to total loss of control to the box from a malicious third party, which would impact everything around it. That would be a much greater issue than the downtime of a single service.
- Limit the scope of access to the software – the software should be made accessible by only trusted internal business users. This does not resolve the risk but largely reduces execution scope to actors inside the network.
Vendor patches should be applied to mitigate potential attacks that might exploit Log4Shell. Join us for a Webinar on how to remediate such attacks as our expert briefs you on the discovery, detection, and protection for Log4Shell. For more information, you can email us at [email protected] or visit www.royalcyber.com.