Log4j vulnerability is among the most dangerous security flaws in contemporary systems. Modern applications rely heavily on logging, and the Log4j logging library is the market leader in this domain. The majority of applications, services, and systems utilize this library. Therefore, all applications that utilize Log4j are affected by the Log4j vulnerability discovered last year. In response to rising global cybersecurity concerns, corporations and individuals are safeguarding their apps, systems, and data. And the discovery of this vulnerability added to the stress felt by professionals and businesses.
Detecting and resolving the Log4j vulnerability is essential if you wish to safeguard your data, network, reputation, and customers’ trust. In this article, I will define Log4j vulnerability and describe how to detect and fix it. Let’s begin by discussing Log4j and why you require it.
What Exactly Is Log4j ?
Log4j is a Java-based open-source logging utility that is primarily used to store, format, and publish logging records generated by applications and systems, as well as to check for errors. The records can be of various types, ranging from web page and browser data to technical information about the system on which Log4j runs. Instead of writing code from scratch, developers can incorporate the Log4j library’s code into their applications.
Using Log4j, developers can monitor all application-related events with accurate logging information. It helps them monitor applications, identify issues in a timely manner, and resolve issues before they become a performance and/or security issue.
This Java-based library was created by Ceki Gülcü and published under the Apache License 2.0 in 2001. It uses Java naming and Directory Interface (JNDI) services to enable Java-based applications to interact with other applications such as LDAP, DNS, CORBA, etc., and to provide naming and directory functionality for Java-based applications. Log4j consists of three components for its tasks:
- Loggers are to record logging data.
- Formats for formatting logging records in various styles
- Senders must distribute logging records to various destinations
Log4j is, in fact, one of the most well-known logging libraries on the Internet, and it is utilized by businesses in a variety of industries and countries. This logging library has been incorporated into numerous applications, including leading cloud services from Google, Microsoft, Apple, Cloudflare, Twitter, etc.
Its developer, the Apache Software Foundation, created Log4j 2 as an upgrade to Log4j in order to address issues found in earlier versions. A vulnerability was discovered in Log4j last year, which, if left unpatched, could allow attackers to compromise applications and systems, steal data, infect a network, and conduct other malicious acts.
Let’s understand it more.
What Is Log4Shell – the Log4j Vulnerability?
Log4Shell is a critical cybersecurity flaw in the Log4j library that compromises the library’s core functionality. Remote code execution enables an attacker to control an internet-connected device or application. When they achieve success, they can:
- Execute any code on the system or device
- Access the entire network and data
- Change or encrypt any file on the compromised application or device
This vulnerability was discovered by Alibaba security researcher Chen Zhaojun on November 24, 2021. (a Chinese eCommerce giant). The vulnerability was discovered by Alibaba’s cloud security team on December 9 and affected their Minecraft servers.
The National Institute of Standards and Technology (NIST) then published this vulnerability in the National Vulnerability Database under the designation CVE-2021-44228. The Apache Software Foundation then assigned this vulnerability a CVSS severity rating of 10. This is rarely assigned and is extremely severe because it has the potential to be widely and easily exploited, causing massive harm to organizations and individuals.
In response, Apache issued a patch for this vulnerability, but some parts remained unaddressed, resulting in additional vulnerabilities:
- CVE-2021-45046 which enabled DoS attacks through JNDI lookups.
- By interpreting a specially crafted string, CVE-2021-45105 allows hackers to control
- Thread Context Map information and cause DoS attacks.
- Remote Code Injection is impacted by CVE-2021-44832 in all Log4j 2 versions (RCE)
How does Log4SSH operate?
To comprehend its severity and the damage that Log4Shell can cause, it is necessary to comprehend how this Log4j vulnerability operates. A Log4Shell vulnerability allows an attacker to remotely inject arbitrary code into a network and assume full control of it.
This cyberattack sequence begins with a logging library, such as Log4j, accumulating and storing log data. If there is no logging library, all server data will be archived immediately after being collected. To analyze this data or take action based on specific log information, however, you will need a logging library to parse log data before it is archived.
Due to the Log4j vulnerability, any system or application that uses Log4j is susceptible to cyberattacks. Depending on the input, the logging library executes code. Due to the vulnerability, a hacker can force the log library to execute malicious code by manipulating the input.
In the meantime, numerous things occur in the background. When Log4j receives a specially formatted string, it will invoke an LDP server and download the code from its directory before executing it. In this manner, attackers can create an LDAP server to store malicious code, allowing them to exert control over any server on which the code is executed. The malware will then send a string containing their malicious code to a targeted application or system and seize control of it.
Thus, the Log4j vulnerability can be exploited as follows:
- An attacker discovers a server running a vulnerable version of Log4j.
- They will send a get request containing the link to their malicious LDAP server.
- Instead of verifying the request, the target server will connect directly to this LDAP server.
- The attackers will now send an LDAP server response containing malicious code to the targeted server. Due to the Log4j vulnerability that allows code to be received and executed without verification, a hacker can exploit this flaw to compromise the target server and exploit connected systems, networks, and devices.
How do Log4j vulnerabilities affect users?
Log4j is used in a vast array of software applications and systems, making its vulnerability concerning. Log4j is utilized in a variety of software systems due to the fact that logging is an essential component of most software applications and Log4j is a market-leading solution.
Minecraft, AWS, iCloud, Microsoft, Twitter, internet routers, software development tools, security tools, and other popular services and applications use Log4j. Therefore, attackers can target a large number of applications, services, and systems belonging to home users, code developers, service providers, and other professionals and individuals in related fields.
In addition, exploiting the Log4j vulnerability is extremely straightforward. To execute an attack requires fewer skill sets, and not those of an expert. Consequently, the number of exploits of this vulnerability is increasing.
The effects of the Log4j flaw are:
- DoS attacks
- Supply chain intrusions
- Coin mining
- Malware injections such as ransomware and trojan horses
- Arbitrary code injection
- Remote code execution
As a result of these attacks, you can lose hold of your applications, systems, and devices, and your data can fall prey to the attackers who may sell your data, manipulate it, or expose it to the outside world. Hence, your business can be harmed in terms of customer data privacy, trust, organization’s secrets, and even your sales and revenue, let alone the compliance risks.
According to a report, over 40% of global corporate networks have experienced attacks due to this vulnerability. So, even if you don’t use any vulnerable Log4j versions in your applications, your third-party integrations might be using it, which makes your app vulnerable to attacks.
Note that all Log4j versions before Log4j 2.17.0. are impacted; hence, you must upgrade the logger if you use it. Also, famous vendors that are impacted by this Log4j vulnerability are Adobe, AWS, IBM, Cisco, VMware, Okta, Fortinet, etc. If you use any of them, monitor your apps continuously and use security systems to fix issues as soon as it arises.
How to Detect Log4j Affected Programs and Fix the Issues?
Log4Shell vulnerability has a 10 in the CVSS score. Hence, all the issues in Log4j are not patched yet. But it’s a chance that you or your third-party vendor might be using Log4j, which you have used in your application. Hence, if you want to protect your data, systems, and network, ensure you follow some remediation steps.
1. Update Your Log4j Version
Updating your current Log4j version to Log 4j 2.17.1 is the most effective remediation technique if you want to protect your device and apps from attacks as a result of the Log4j vulnerability.
Log4Shell is a type of zero-day attack that can potentially affect your software ecosystem. Apache has fixed some of the vulnerabilities in recent versions, but if your system was compromised before the upgrade, you are still at risk.
Hence, assuming this, you must not only upgrade the version but also start your incident response procedures immediately to ensure no vulnerabilities are there in your systems and apps and mitigate the attacks. You must also review all your server logs to find Indicators of Compromise (IOC) and constantly monitor your systems and network.
2. Use the Latest Firewalls and Security Systems
Firewalls such as Web Application Firewall (WAF) and next-generation firewalls can help secure your network perimeter from attackers by scanning incoming and outgoing data packets and blocking suspicious ones. So, use the latest firewalls in your network and set strict outgoing rules on your servers to help prevent attacks associated with Log4j vulnerability.
Although attackers can bypass firewalls, you will still get some degree of security with firewalls that can block an attacker’s requests. In addition, update all your security systems, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), etc., with the latest signatures and rules. These systems will help block or filter RMI and LDAP traffic from connecting to a malicious LDAP server.
3. Implement MFA
Setting up multi-factor authentication (MFA) in your applications and system will provide better security from attackers. It will provide a second layer of security even if an attacker manages to break the first layer. You can do it through biometrics like fingerprints, iris scanning, etc., setting a security question, or enabling a security PIN.
Using MFA will increase the attackers’ difficulty and time to perform a full-blown attack. In the meantime, it can also inform you of the incident immediately so that you can take necessary remediation steps when you still have time. In addition, you must also apply strict VPN policies to reduce data breaches. This will enable the users to access your systems securely from anywhere without the fear of attackers.
4. Change System Properties
In case you cannot upgrade to the latest version of the Log4j library, you must change your java system properties immediately if you use a version ranging from Log4j 2.10 to Log4j 2.14.1. You must set it in such a way to prevent lookups that attackers use to detect the vulnerabilities and then find ways to exploit them.
5. Remove JNDI
The reason for this critical security vulnerability lies in its design. The JNDI Lookup plugin has a design flaw through which attackers can perform an attack. JNDI is used for code execution based on the input data in its log, which anyone can manipulate easily since the logger accepts any request without verification.
Security researchers have found that this plugin has always been permitting unparsed data since it was released in 2013 and sends it to the Log4j library.
Therefore, the Log4j vulnerability is prone to exploitation with a simple string injection. Once the attacker injects it, the logger will accept the operation requested in the string and execute it instantly without verification. So, if you want to secure your systems and application, you must disable the class – JndiLookup. This will prevent the logger from taking action based on log data.
In fact, JNDI lookup is already disabled in Log4j 2.16.0 by default in an attempt to secure your applications and systems. So, if you are using a Log4j version lower than 2.16.0, ensure you have disabled JNDI Lookup.
6. Talk to Your Vendors
If you have got everything right, your firewalls and security systems updated, Log4j version updated, JNDI Lookup disabled, etc., don’t relax just yet. Even if you don’t use a vulnerable Log4j version in your applications, your third-party vendors might be using it. So, you will never know how your application or system got hacked because the real issue was with your third-party integration.
Therefore, talk with your vendors and ensure they too have upgraded Log4j to the latest version and implemented other security practices discussed above.
7. Use a Log4j Vulnerability Scanner
There are many Log4j vulnerability scanning tools available in the market to make it easy for you to detect Log4j vulnerabilities in your systems and applications. So, when you look for these tools, check their accuracy rates since many of them generate false positives.
Also, find a tool that can cater to your needs because they may focus on identifying Log4j vulnerability, reporting the exposure, and remediating the vulnerability. So, if your focus is detection, find a Log4j vulnerability scanner that can detect the issue or use the one that can detect and remediate the issue.
Some of the best Log4j scanning tools are:
Microsoft 365 Defender: Microsoft offers a range of security solutions and tools to help you detect and prevent Log4j exploits in your network. You will be able to spot remote code execution and exploitation attempts, safeguarding you from Log4j vulnerabilities in Windows and Linux devices.
Amazon Inspector and AWS: Amazon has created a scanning tool to find Log4j vulnerability in Amazon EC2 instances and Amazon ECR.
CloudStrike Archive Scan Tool (CAST): CloudStrike has also created an excellent scanning tool to detect Log4j vulnerability to help you get fix issues on time before attackers can exploit it.
Google Cloud Logging detection: Google’s cloud logging detection solution allows you to detect Log4j exploits using the Logs Explorer. You can create a log query in this tool and scan for potential exploit strings. Google also has created log4jscanner, an open-source file system scanner for detecting Log4j vulnerability.
BurpSuite Log4j Scanner: This is a security plugin for professionals and enterprises to help them detect Log4j vulnerability.
Huntress Log4Shell Vulnerability Tester: This tool generates a unique identifier at random that you can use while testing your input fields. Upon finding a vulnerability in the application or input field, its secure LDAP server will terminate the malicious connection instantly and keep you safe.
WhiteSource Log4j Detect: WhiteSource has created a free CLI tool, WhiteSource Log4j Detect, hosted on GitHub to help you detect and fix Log4j vulnerabilities – CVE-2021-445046 and CVE-2021-44228.
JFrog Open-Source Scanning tools for Log4j: JFrog has created various open-source solutions and tools to find Log4j vulnerabilities in your binaries and source code.
Log4j vulnerability is a critical security issue. Since this logging library is used widely in various applications and systems, the Log4j vulnerability has become widespread, allowing attackers to exploit a wide range of systems and apps.
So, if you want to protect your systems and applications from this vulnerability, ensure you upgrade the Log4j library to the latest version and implement the best security practices discussed above.