Vulnerabilities are being discovered every single day. While most of the vulnerabilities are not so serious, there are some that deserve our full attention. Such is the case with the Log4j vulnerability. On December 9th, 2021, the Log4j vulnerability was publicly disclosed following a month of remediation work by the affected vendor. This new vulnerability is in the Apache Log4j library, hence the name. The official name of the vulnerability is CVE-2021-44228 and has received a CVSSv3 score of 10/10 because of its ease of exploitation.
What is the Log4j vulnerability? Who does it affect and why is it being called the most significant vulnerability in the last decade?
What is the Log4j vulnerability?
Log4j is an add-on Apache library. Log4j is very popular among application developers because it is considered one of the easiest and most robust libraries for performing logging – which end-user did what, when, how, where from, etc.
The vulnerability—affecting versions 2.0-beta9 to 2.14.1 of the library—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the vulnerability description, affected versions of Log4j contain JNDI features—such as message lookup substitution—that “do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints.”
The cloud security team at Alibaba discovered the vulnerability in November 2021 and told Apache. They worked together to ensure a fix was available before the public release of the vulnerability details.
FC explains in a blog for Cygenta: “What the Alibaba team discovered is a flaw in the way that Log4j works. The purpose of a logger is to record things; generally, the logger just takes what happens and writes it down. However, what Log4j does is that it uses variables to fill in some data, say the time or date which can be injected into the log command. This use of a variable is something all programming uses, but it must be done carefully especially if it takes in data from an end-user (a possible attacker!).”
CISA noted in their advisory bulletin that “An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.”
FC provides a more technical view of the potential attack exploiting the vulnerability:
- The attacker injects JNDI lookup into a field that is likely to be logged e.g. User-Agent.
- The string is passed to Log4j for logging
- Log4j sees the string and queries a malicious LDAP server under attacker control
- The LDAP server responds with malicious code
- Log4j runs the malicious code
Why is this a scary vulnerability?
The Log4j vulnerability is so scary resulting in the internet panicking because the affected library is so prevalent. Log4j has become the most popular logging framework in the Java ecosystem and gets used by millions of applications.
Steam, Apple iCloud, and Minecraft are among the applications affected by the vulnerability. Open-source projects like ElasticSearch, Elastic Logstash, Redis, and the NSA’s Ghidra also use the library. And the list goes on. CISA has published on its GitHub repository a list of the affected vendors. According to Graham Cluley, “In fact, over 250 vendors have already issued security advisories and bulletins about how Log4Shell impacts their products.”
“An attacker can use this vulnerability to construct a special data request packet, which eventually triggers remote code execution. Due to the wide range of impact of this vulnerability, users are advised to investigate related vulnerabilities on time.” reads the blog published by the Alibaba Cloud security team. “After analysis and confirmation by the White Hat Security Research Institute, there are currently many popular systems on the market that are affected. Almost every tech giant is the victim of this Log4j Remote Code Execution vulnerability.”
Within hours of the disclosure, cyber attackers were already making hundreds of thousands of attempts to exploit the critical Log4j vulnerability to spread malware and access networks. “Given the scale of affected devices and exploitability of the bug, it’s highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “Organizations are advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications.”
Will this vulnerability impact Critical National Infrastructure?
Cybersecurity researchers have warned that it could have significant implications for operational technology (OT) networks that control industrial systems – and for a long time.
“Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come,” said a blog post by cybersecurity researchers at Dragos.
To help their industrial customers, Nozomi Networks has provided an analysis of the vulnerability and has “set up a honeypot to monitor the situation and became aware of all potential global scans and exploitation attempts.”
“Dragos recommends all industrial environments update all affected applications where possible based on vendor guidance immediately and employ monitoring that may catch exploitation and post-exploitation behaviors,” advises Sergio Caltagirone, vice president of threat intelligence at Dragos.
Researchers suggest that applying the Log4j patch can help prevent attackers from taking advantage of the vulnerability – although the ubiquitous nature of Log4j means that in some cases, network operators might not even be aware that it’s something in their environment which they have to think about.
What should organizations do?
CISA has provided a comprehensive list of actions that all organizations must take to mitigate the vulnerability.
- Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround
- Apply available patches immediately. Prioritize patching, starting with mission-critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
- Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings.
Log4j vulnerability is just another example of a case where you need to have a robust, ready-for-action team that can handle any unpredictable threats on your premises. If you’re looking to assess or reinforce your security posture, don’t hesitate to contact ITEGRITI.