What You Need To Know About The Apache Log4j Vulnerability

21 January 2022


The Apache Log4j vulnerability (Log4Shell) is a recent software flaw that has left numerous companies and government agencies – from the developer of popular videogame Minecraft to the Cyber Security Agency of Singapore (CSA) - scrambling to patch their systems and defend against it.

Various cybersecurity experts believe this bug could enable potentially devastating cyberattacks on networks across the globe. As Log4j is open-source software that can run on macOS, Windows, and Linux platforms, it is a modern Java library for logging error messages in various applications and is a crucial building block of almost all present-day digital infrastructure. Hence, Log4Shell has put many essential companies like Apple, Amazon, IBM, and Palo Alto Networks at risk.

In light of the far-reaching and potentially devastating implications Log4Shell has on every business that utilizes the free Java library Log4j, let us share a rundown of what you need to know about this zero-day vulnerability and what you can do about it.

What is the Log4j vulnerability, a.k.a Log4Shell?

Log4Shell, formally tracked as CVE-2021-44228, is a software bug found in the popular open-source Java library Apache Log4j.. This library is primarily used for logging error messages. It records user activity and applications' behavior and collects information across networks and websites. It is one of the most used libraries of all time within the Java community.

Log4Shell results from improper input validation when the software fails to verify data from suspicious external sources, making it vulnerable to malicious cyber entities. Hackers can, therefore, seize arbitrary control over systems through the bug and execute a range of unauthorized and harmful actions, as explained further below.

How can the Log4j vulnerability be exploited?

Attackers can exploit Log4Shell via text messages to take over target computers remotely. They can capitalize on Log4j’s ability to log messages from the applications on which it is installed and search for errors afterward. The range of the data that threat actors may potentially retrieve using this method is broad, from browser and web page information to technical and sensitive details about the system running Log4j. However, this is not the only reason Log4Shell poses a significant threat to worldwide devices and applications.

This vulnerability’s highest-level severity score is due to the Log4j Java library’s ability to create simple logs and execute commands that generate advanced logging information. It can also communicate with other sources within a system, including the Lightweight Directory Access Protocol (LDAP), Domain Name Service (DNS), and Java’s Remote Interface (RMI). This means attackers can directly and remotely feed Log4j with malicious commands through its message lookup functionality, making it download and run code from hostile sources.

Through this flaw, attackers have exploited countless vulnerable systems that use the Log4j library in many ways. In Minecraft, threat actors could kick players out of the servers and freeze their machines. However, the most malicious activities involved mass scanning on fingerprint-vulnerable systems, denial-of-service (DoS) attacks, stealing system credentials, deploying ransomware, and hacking attempts to increase botnet numbers and mine cryptocurrency.

How can businesses resolve the Log4j vulnerability?

As it potentially affects millions of applications and devices worldwide, Log4Shell is a cybersecurity threat that all organizations must make a top priority to address. Cyber incident response teams should promptly identify the devices and applications in production that use the Log4j library and immediately upgrade them with the 2.17 patch for Java 8 and up to address the vulnerability fully. For in-house software, it is recommended that you use a software composition analysis (SCA) tool to detect Log4Shell in applications. Other steps include limiting unnecessary outbound traffic to reduce risk and protect vulnerable systems before they are patched, as well as contacting third-party software providers to stay abreast with their progress in resolving this issue.

Suppose patching is not an available option yet, mainly because the library is part of a much bigger Java application or suite of applications. The business has to wait for vendor patches. In that case, there are a few ways to mitigate the Log4j vulnerability between versions 2.10 and 2.14.1. The first step involves setting command-line arguments when running Java applications that disable the library’s message lookups. The second step is to remove the vulnerable classes in the Log4j libraries if they are unused in their applications. Due to the technical nature of these methods, it is best to consult your cyber security team about them and rely on their expertise.

Conclusion

While the various vulnerabilities caused by Log4Shell have been patched, cybersecurity experts have warned businesses and individuals to remain vigilant as more advanced cyber-attacks aimed at exploiting this vulnerability continue to rise in volume.

As such, you must have an excellent cyber incident response team that is well-equipped to handle any emerging cyber threat. Additionally, it makes a big difference when you regularly check your security posture to ensure every known vulnerability in your cybersecurity infrastructure is resolved. After all, prevention is better than cure; rather than reacting to cyber-attacks as they come, preparing for them in advance reassures you to focus more on your business operations and growth.

If you require the assistance of an expert in screening your systems, do not hesitate to reach out to us at hello@group8.co today! At GROUP8, we provide CREST-certified penetration testing services in Singapore, so you can rest assured that your IT infrastructure is assessed and well-defended according to international standards