Contents
Introduction
A critical security vulnerability found in software widely used in most Internet servers has raised alarms among cybersecurity experts and major corporations to address a critical flaw that hackers were actively using to try to breach networks. On the 9th of December 2021, many media outlets that a remote code execution (RCE) vulnerability was found in a Java-based open-source logging library known as ‘Log4j’, developed by the Apache Foundation. However, there were several reports from November 2021 indicating that hackers may begin exploitation of the flaw. But the issue has only come to light around mid-December.
This vulnerability in Java-based software called Log4j is used by many large organizations such as Apple’s cloud computing service, security firm Cloud flare and one of the world’s most popular video games, Minecraft, IBM, Oracle, Cisco, Google, Amazon and more to configure their applications. Hackers can exploit the vulnerability to gain access to an organization’s computer server relatively easily. After that, attackers could devise other ways to break into an organization’s network. The situation escalated when a tool for exploiting the Log4j vulnerability was released publicly on GitHub, a software repository. That provided malicious hackers with a potential roadmap for exploiting the vulnerability to compromise devices.
So, what is Log4j vulnerability? What does Log4j do? How does Log4j vulnerability work? Why is Log4Shell so dangerous? What can you do to protect yourself from the Log4j Log4shell issue? In this blog, we will present information about Log4j vulnerability and the things you need to know.
What is Log4j vulnerability ?
The Apache Log4j is a Java-based logging utility, that is part of the Apache Logging Services and Log4j is one of the most popular logging libraries on the internet. Logging is a process that preserves and keeps track of the activity history of a web application so that it can be reviewed in the event of an error, and is applied to almost all systems. With Log4j, software developers can keep track and record all the software activity for various purposes, such as troubleshooting, log rolling patterns, auditing, tracking and more. The fact that Log4j is both open-source and free, it’s widespread across most web services and the library essentially touches every aspect of the Internet.
What does Log4j do?
The Apache Log4j is a Java-based logging utility, that is part of the Apache Logging Services and Log4j is one of the most popular logging libraries on the internet. Logging is a process that preserves and keeps track of the activity history of a web application so that it can be reviewed in the event of an error, and is applied to almost all systems. With Log4j, software developers can keep track and record all the software activity for various purposes, such as troubleshooting, log rolling patterns, auditing, tracking and more. The fact that Log4j is both open-source and free, it’s widespread across most web services and the library essentially touches every aspect of the Internet.
Why is Log4Shell so dangerous?
The vulnerability has received the maximum CVSS score possible of 10, partly because of the surface area of attack exposed, and partly because of the ease of exploitation. Log4J is used extensively across a variety of platforms, operating systems, and software programs, and it can work in the background without causing problems. Here are some of the factors that make the Log4j vulnerability extremely dangerous
- The vulnerability is trivial to exploit, with dozens of weaponized exploits available on GitHub and elsewhere.
- Log4j is one of the most prominent and prevalent Java logging frameworks. Almost 7,000 Maven artifacts rely on log4j-core (the vulnerable artifact), and countless Java projects use it.
- An attacker can exploit this vulnerability by bombarding random HTTP servers with requests or alternatively, an attacker can brute-force a specific web app by filling all available HTML input fields with a payload string by utilizing automated tools such as XSStrike.
- Even though the vulnerability is context-dependent since arbitrary user input must reach one of Log4j’s logging functions, this is an extremely common scenario. Most logging scenarios usually contain user input as part of the log message. Since such input is considered very safe, it is rarely sanitized.
Are hackers already taking advantage of it?
There have been reports of cyber attackers continually trying to exploit the Log4j vulnerability since the vulnerability was published. Attempts are already being made to scan the internet for vulnerable instances of Log4j. Nicky Ringland and James Wetter of Google’s Open Source Insights Team reported in the blog that more than 35,000 Java packages, or over 8% of the Maven Central repository (the most significant Java package repository), are affected by the log4j vulnerabilities.
Check Point, a cyber-security software company, reported in a blog post that hackers sent out 60 variations of the original exploit in 24 hours. The exploit has already been used to breach nearly half of all corporate networks around the world, according to Check Point.
Furthermore, Cybersecurity company Akamai Technologies Inc. reported in the blog Threat Intelligence on Log4j CVE that across the Akamai network, it has witnessed traffic from 1.3 billion unique devices daily, with a record traffic of 182 Tbps. Akamai reports that hackers are targeting retail more than any other sector and a number of attacks have also targeted the technology, financial services, and manufacturing industries. Microsoft confirms it has observed several threat actors exploiting the CVE-2021-44228 vulnerability. Cybersecurity firm Sophos reported that this vulnerability was also being exploited for crypto mining purposes.
What can you do to protect yourself from the Log4j Log4shell issue?
This issue can be resolved by upgrading your log4j dependencies to version 2.16.0, which disables JNDI by default and removes support for message lookups. The pressure is largely on the companies to act. For now, users should update their devices, software, and apps whenever companies alert them in the coming days and weeks.
How are tech companies trying to address the Log4j issue??
Minecraft published a blog post explaining that a vulnerability in one version of its game had been found and quickly issued a fix. Several companies, including Oracle, IBM, AWS and Cloud flare, have issued advisories to their customers, with some pushing security updates or laying out implications for upcoming patches. Vendors with vulnerable versions of Log4j code have taken significant steps and are working hard to developing workarounds, patches and updated versions of their products to eliminate this risk. Furthermore, due to the sophistication and size of the exploit for Log4j’s vulnerability, security teams are finding themselves in an awkward situation. Cybersecurity experts warn that more businesses than expected may have fallen victim to this attack, ranging from small and medium businesses to large tech firms.
Vendors with vulnerable versions of Log4j have taken significant steps to eliminate this risk by developing workarounds, patches and updating their products.
Conclusion
In a statement released by CISA Director Easterly on “Log4j” Vulnerability, Cybersecurity and Infrastructure Security Agency (CISA) recommended that asset owners perform three additional steps to protect their data, which include: enumerating any externally facing devices with Log4j installed, , making sure that the security operations center is handling all alerts for the devices in devices that fall into the category above, and installing a web application firewall (WAF) with rules that automatically update so the SOC can handle fewer alerts. Easterly stressed “the importance of building software for security from the start and more widespread use of Software Bill of Materials (SBOM)” as a means to provide transparency on vulnerable software libraries.
Defend your enterprise network against sophisticated cyber-attacks with Sparity’s most advanced security, real-time prevention, and the world’s most advanced security gateways. Sparity’s technical support teams are available for you 24/7 and we are all at your service to make sure you’ll stay protected.