{"id":3094,"date":"2021-12-15T14:54:39","date_gmt":"2021-12-15T14:54:39","guid":{"rendered":"https:\/\/itegriti.com\/kw022024\/?p=3094"},"modified":"2021-12-15T15:05:03","modified_gmt":"2021-12-15T15:05:03","slug":"making-sense-of-the-log4j-vulnerability","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2021\/managed-services\/making-sense-of-the-log4j-vulnerability\/","title":{"rendered":"Making Sense of The Log4j Vulnerability"},"content":{"rendered":"

Vulnerabilities are being discovered every single day. While most of the vulnerabilities are not so serious, there are some that deserve our full attention. Such is the case with the Log4j vulnerability. On December 9th<\/sup>, 2021, the Log4j vulnerability was publicly disclosed following a month of remediation work by the affected vendor. This new vulnerability is in the Apache Log4j library, hence the name. The official name of the vulnerability is CVE-2021-44228<\/a> and has received a CVSSv3 score of 10\/10<\/a> because of its ease of exploitation.<\/p>\n

What is the Log4j vulnerability? Who does it affect and why is it being called the most significant vulnerability in the last decade<\/a>?<\/p>\n

What is the Log4j vulnerability?<\/h2>\n

Log4j is an add-on Apache library. Log4j is very popular among application developers because it is considered one of the easiest and most robust libraries for performing logging – which end-user did what, when, how, where from, etc.<\/p>\n

The vulnerability\u2014affecting versions 2.0-beta9 to 2.14.1 of the library\u2014exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the vulnerability description<\/a>, affected versions of Log4j contain JNDI features\u2014such as message lookup substitution\u2014that “do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints.”<\/p>\n

The cloud security team at Alibaba discovered the vulnerability in November 2021 and told Apache. They worked together to ensure a fix was available before the public release of the vulnerability details.<\/p>\n

FC explains in a blog for Cygenta<\/a>: \u201cWhat the Alibaba team discovered is a flaw in the way that Log4j works. The purpose of a logger is to record things; generally, the logger just takes what happens and writes it down. However, what Log4j does is that it uses variables to fill in some data, say the time or date which can be injected into the log command. This use of a variable is something all programming uses, but it must be done carefully especially if it takes in data from an end-user (a possible attacker!).\u201d<\/p>\n

CISA noted in their advisory bulletin<\/a> that \u201cAn adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.\u201d<\/p>\n

FC provides a more technical view<\/a> of the potential attack exploiting the vulnerability:<\/p>\n