Explaining the Log4j Vulnerability

Just days after industry experts discovered a critical flaw in Log4Shell servers supporting Minecraft, criminals have made millions of attempts to breach the Log4j 2 Java library. This vulnerability is a potential threat to millions of additional applications and devices worldwide.

In this post, we’ll explain what the Log4Shell vulnerability is and the risks.

• What is Log4Shell? Log4Shell is a vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. Published as CVE-2021-44228, it enables a remote attacker to take control of a device on the internet if it is running some versions of Log4J 2. The Apache Software Foundation publishes the library and gave the vulnerability a CVSS score of 10 out of 10, the highest-level severity score. This is because of the ease with which malicious attackers can exploit it.
• When did experts discover the original vulnerability in the Log4j 2 library? Chen Zhaojun, a security researcher at Alibaba Cloud, reported the vulnerability to the Apache Foundation on November 24. They discovered an attack on December 9th on servers that host the game Minecraft. After further analysis, they realized that cybercriminals discovered it earlier and were exploiting it as early as December 1st.
• What is the risk from the Log4Shell vulnerability in the library? Log4Shell is considered a zero-day vulnerability because criminals exploited it before the experts identified it. What makes it so dangerous is how widespread the Log4j 2 library is. The ease of exploiting this vulnerability compounds its impact. It’s present in major platforms like Amazon Web Services and other services, large and small. The number of dependencies among platforms and services means that patching can be complex and time-consuming.
• What does Log4j 2 Do? It is the most widely used logging framework on the internet. Organizations have integrated Apache Log4j 2 into their applications; including major cloud providers like Apple, Google, Microsoft, and platforms like Twitter and Stream. It logs messages from software and searches for errors. The data range covers everything from basic browser and web page info to technical details about the system running the program. Log4j 2 can also execute commands to generate logging information by communicating with other sources, like internal directory services.
• How does this vulnerability cause damage? Because the library can communicate with other sources and internal directory services, attackers can feed Log4j 2 with malicious commands and make it download and execute dangerous code. How hackers can exploit the vulnerability depends on the affected system. Attacks have included: compromising virtualization infrastructure, installing and executing ransomware, stealing system credentials, and taking broad control of compromised networks.

Remedy

Contact your software vendors to understand if you have any exposure or vulnerability. If your organization uses Log4j 2 in your applications and infrastructure they should be updated. The same is true for third-party applications. The version 2.17.0 release fully secures the library against the Log4Shell vulnerability.

To learn more, give us a call and we’ll be happy to answer any questions to you may have!