Log4j vulnerability is amongst the deadliest security issues in modern systems.
Logging is a key feature in modern applications, and the logging library, Log4j, is a leader in this space.
This library is used in most applications, services, and systems. Hence, all those applications where Log4j is used are all affected by this Log4j vulnerability found last year.
With increasing cybersecurity concerns worldwide, organizations and individuals are taking steps to safeguard their applications, systems, and data.
And when this vulnerability was discovered, it stressed out professionals and businesses even more.
Hence, detecting the Log4j vulnerability and fixing it is essential if you want to protect your data, network, reputation, and customer trust.
In this article, I’ll discuss what Log4j vulnerability is, along with the steps to detect and fix it.
Let’s start by understanding Log4j and why you need it.
What Is Log4j?
Log4j is an open-source logging utility written in Java that is mainly used to store, format, and publish logging records generated by applications and systems and then check for errors. The records can be of various types, from a web page and browser data to a system’s technical details where Log4j runs.
Instead of writing code from scratch, developers can use the Log4j library by integrating its code into their apps.
Using Log4j, developers can track all the events associated with their applications with accurate logging information. It helps them monitor applications, spot issues on time, and fix issues before they can turn into a bigger problem in terms of performance and/or security.
This Java-based library was written by Ceki Gülcü and was released in 2001 under Apache License 2.0. It utilizes Java naming and Directory Interface (JNDI) services to allow apps to interact with other apps like LDAP, DNS, CORBA, etc., and get a directory and naming functionality for Java-based applications. Log4j has three components to perform its tasks:
- Loggers to capture logging records
- Layouts to format logging records in different styles
- Appenders to publish logging records to different destinations
Log4j is, in fact, one of the most famous logging libraries on the web and is used by organizations from multiple industries and countries. They have integrated this logging library in plenty of applications, including top cloud services by Google, Microsoft, Apple, Cloudflare, Twitter, etc.
Its developer, Apache Software Foundation, developed Log4j 2, an upgrade to Log4j to address the issues found in the earlier releases. Last year, a vulnerability was found in Log4j, which, when left unaddressed, can allow attackers to break into applications and systems, steal data, infect a network, and perform other malicious activities.
Let’s understand it more.
What Is Log4Shell – the Log4j Vulnerability?
Log4Shell is a critical cybersecurity vulnerability on the Log4j library, which affects the core functioning of the library. It allows an attacker to control an internet-connected device or application by performing remote code execution. When they are successful at it, they can:
- Run any code on the device or system
- Access all network and data
- Modify or encrypt any file on the affected app or device
This vulnerability was first reported on November 24, 2021, by Chen Zhaojun, a security researcher at Alibaba (a Chinese eCommerce giant). The vulnerability affected their Minecraft servers, which Alibaba’s cloud security team discovered on December 9.
Next, the NIST published this vulnerability in the National Vulnerability Database and named it CVE-2021-44228. Apache Software Foundation then rated this vulnerability a 10 in CVSS severity. This is rarely assigned and is heavily severe since it has the potential of getting exploited widely and easily, leading to massive damage for organizations and individuals.
Apache, in response, issued a patch for this vulnerability but still, some parts were left unaddressed, leading to other vulnerabilities:
- CVE-2021-45046 that facilitated Denial of Service (DoS) attacks through JNDI lookups
- CVE-2021-45105 to allow hackers to control Thread Context Map information and cause DoS attacks by interpreting a crafted string
- CVE-2021-44832 impacts all Log4j 2 versions via Remote Code Injection (RCE)
How Does Log4Shell Work?
To understand its severity and how much harm Log4Shell can do, it’s pertinent to learn how this Log4j vulnerability works.
Log4Shell vulnerability lets an attacker remotely inject any arbitrary code into a network and gain complete control over it.
This cyberattack sequence starts with the logging library, such as Log4j, collecting and storing log information. If there’s no logging library, all data from the server will be archived instantly after the data is collected.
But if you want to analyze this data or need to take some actions based on specific log information, you will require a logging library to parse log data before it’s archived.
Due to the Log4j vulnerability, any system or app using Log4j becomes vulnerable to cyberattacks. The logging library executes code based on the input. A hacker can force the log library to execute harmful code since the vulnerability will allow them to manipulate the input.
Meanwhile, a lot of things happen in the background. When Log4j is passed a specifically crafted string, it will invoke an LDP server and download that code hosted in its directory in order to execute the code. This way, attackers can create an LDAP server to store malicious code that can help them control any server where the code is executed. It will then send a string directing their malicious code to a targeted app or system and take full control of it.
So, this is how Log4j vulnerability can be exploited:
- An attacker finds a server with a vulnerable Log4j version.
- They will send the targeted server a get request with their malicious LDAP server’s link.
- The targeted server, instead of verifying the request, will directly connect to this LDAP server.
- The attackers will now send the targeted server with an LDAP server response containing malicious code. Due to Log4j’s vulnerability, which allows receiving the code and executing it without verification, the hacker can leverage this weakness to break into the target server and exploit connected systems, networks, and devices.
How Can Log4j Vulnerability Harm Users?
Log4j vulnerability is concerning since it is used in a wide range of software applications and systems.
Since logging is an essential feature in most software apps and Log4j is a leading solution in the space, Log4j finds applications in a variety of software systems.
Some of the popular services and apps using Log4j are Minecraft, AWS, iCloud, Microsoft, Twitter, internet routers, software development tools, security tools, and so on. Hence, attackers can target a large number of applications, services, and systems from home users, code developers, service providers, and other related professionals and individuals.
In addition, the Log4j vulnerability is extremely easy for an attacker to exploit. The overall process requires fewer skill sets, not expert-level, to carry out an attack. This is why the number of attacks exploiting this vulnerability is increasing.
The impact of Log4j vulnerability are:
- DoS attacks
- Supply chain attacks
- Coin mining
- Malware injections such as ransomware and trojan horses
- Arbitrary code injection
- Remote code execution
And more.
As a result of these attacks, you can lose hold of your applications, systems, and devices, and your data can fall prey to the attackers who may sell your data, manipulate it, or expose it to the outside world. Hence, your business can be harmed in terms of customer data privacy, trust, organization’s secrets, and even your sales and revenue, let alone the compliance risks.
According to a report, over 40% of global corporate networks have experienced attacks due to this vulnerability.
So, even if you don’t use any vulnerable Log4j versions in your applications, your third-party integrations might be using it, which makes your app vulnerable to attacks.
Note that all Log4j versions before Log4j 2.17.0. are impacted; hence, you must upgrade the logger if you use it. Also, famous vendors that are impacted by this Log4j vulnerability are Adobe, AWS, IBM, Cisco, VMware, Okta, Fortinet, etc. If you use any of them, monitor your apps continuously and use security systems to fix issues as soon as it arises.
How to Detect Log4j Affected Programs and Fix the Issues
Log4Shell vulnerability has a 10 in the CVSS score. Hence, all the issues in Log4j are not patched yet. But it’s a chance that you or your third-party vendor might be using Log4j, which you have used in your application.
Hence, if you want to protect your data, systems, and network, ensure you follow some remediation steps.
#1. Update Your Log4j Version
Updating your current Log4j version to Log 4j 2.17.1 is the most effective remediation technique if you want to protect your device and apps from attacks as a result of the Log4j vulnerability.
Log4Shell is a type of zero-day attack that can potentially affect your software ecosystem. Apache has fixed some of the vulnerabilities in recent versions, but if your system was compromised before the upgrade, you are still at risk.
Hence, assuming this, you must not only upgrade the version but also start your incident response procedures immediately to ensure no vulnerabilities are there in your systems and apps and mitigate the attacks. You must also review all your server logs to find Indicators of Compromise (IOC) and constantly monitor your systems and network.
#2. Use the Latest Firewalls and Security Systems
Firewalls such as Web Application Firewall (WAF) and next-generation firewalls can help secure your network perimeter from attackers by scanning incoming and outgoing data packets and blocking suspicious ones. So, use the latest firewalls in your network and set strict outgoing rules on your servers to help prevent attacks associated with Log4j vulnerability.
Although attackers can bypass firewalls, you will still get some degree of security with firewalls that can block an attacker’s requests.
In addition, update all your security systems, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), etc., with the latest signatures and rules. These systems will help block or filter RMI and LDAP traffic from connecting to a malicious LDAP server.
#3. Implement MFA
Setting up multi-factor authentication (MFA) in your applications and system will provide better security from attackers. It will provide a second layer of security even if an attacker manages to break the first layer. You can do it through biometrics like fingerprints, iris scanning, etc., setting a security question, or enabling a security PIN.
Using MFA will increase the attackers’ difficulty and time to perform a full-blown attack. In the meantime, it can also inform you of the incident immediately so that you can take necessary remediation steps when you still have time.
In addition, you must also apply strict VPN policies to reduce data breaches. This will enable the users to access your systems securely from anywhere without the fear of attackers.
#4. Change System Properties
In case you cannot upgrade to the latest version of the Log4j library, you must change your java system properties immediately if you use a version ranging from Log4j 2.10 to Log4j 2.14.1.
You must set it in such a way to prevent lookups that attackers use to detect the vulnerabilities and then find ways to exploit them.
#5. Remove JNDI
The reason for this critical security vulnerability lies in its design. The JNDI Lookup plugin has a design flaw through which attackers can perform an attack.
JNDI is used for code execution based on the input data in its log, which anyone can manipulate easily since the logger accepts any request without verification.
Security researchers have found that this plugin has always been permitting unparsed data since it was released in 2013 and sends it to the Log4j library.
Therefore, the Log4j vulnerability is prone to exploitation with a simple string injection. Once the attacker injects it, the logger will accept the operation requested in the string and execute it instantly without verification.
So, if you want to secure your systems and application, you must disable the class – JndiLookup. This will prevent the logger from taking action based on log data.
In fact, JNDI lookup is already disabled in Log4j 2.16.0 by default in an attempt to secure your applications and systems.
So, if you are using a Log4j version lower than 2.16.0, ensure you have disabled JNDI Lookup.
#6. Talk to Your Vendors
If you have got everything right, your firewalls and security systems updated, Log4j version updated, JNDI Lookup disabled, etc., don’t relax just yet.
Even if you don’t use a vulnerable Log4j version in your applications, your third-party vendors might be using it. So, you will never know how your application or system got hacked because the real issue was with your third-party integration.
Therefore, talk with your vendors and ensure they too have upgraded Log4j to the latest version and implemented other security practices discussed above.
#7. Use a Log4j Vulnerability Scanner
There are many Log4j vulnerability scanning tools available in the market to make it easy for you to detect Log4j vulnerabilities in your systems and applications.
So, when you look for these tools, check their accuracy rates since many of them generate false positives. Also, find a tool that can cater to your needs because they may focus on identifying Log4j vulnerability, reporting the exposure, and remediating the vulnerability.
So, if your focus is detection, find a Log4j vulnerability scanner that can detect the issue or use the one that can detect and remediate the issue.
Some of the best Log4j scanning tools are:
- Microsoft 365 Defender: Microsoft offers a range of security solutions and tools to help you detect and prevent Log4j exploits in your network. You will be able to spot remote code execution and exploitation attempts, safeguarding you from Log4j vulnerabilities in Windows and Linux devices.
- Amazon Inspector and AWS: Amazon has created a scanning tool to find Log4j vulnerability in Amazon EC2 instances and Amazon ECR.
- CloudStrike Archive Scan Tool (CAST): CloudStrike has also created an excellent scanning tool to detect Log4j vulnerability to help you get fix issues on time before attackers can exploit it.
- Google Cloud Logging detection: Google’s cloud logging detection solution allows you to detect Log4j exploits using the Logs Explorer. You can create a log query in this tool and scan for potential exploit strings.
- Google also has created log4jscanner, an open-source file system scanner for detecting Log4j vulnerability.
- BurpSuite Log4j Scanner: This is a security plugin for professionals and enterprises to help them detect Log4j vulnerability.
- Huntress Log4Shell Vulnerability Tester: This tool generates a unique identifier at random that you can use while testing your input fields. Upon finding a vulnerability in the application or input field, its secure LDAP server will terminate the malicious connection instantly and keep you safe.
- WhiteSource Log4j Detect: WhiteSource has created a free CLI tool, WhiteSource Log4j Detect, hosted on GitHub to help you detect and fix Log4j vulnerabilities – CVE-2021-445046 and CVE-2021-44228.
- JFrog Open-Source Scanning tools for Log4j: JFrog has created various open-source solutions and tools to find Log4j vulnerabilities in your binaries and source code.
Conclusion
Log4j vulnerability is a critical security issue. Since this logging library is used widely in various applications and systems, the Log4j vulnerability has become widespread, allowing attackers to exploit a wide range of systems and apps.
So, if you want to protect your systems and applications from this vulnerability, ensure you upgrade the Log4j library to the latest version and implement the best security practices discussed above.
