What is Log4j vulnerability and how it works?
On 9th December 2021, the internet had a complete shutdown, and this incident was named the Zero-day vulnerability. It was only a matter of days after the industry experts discovered a critical vulnerability, called Log4 Shell in servers supporting the game Minecraft, and hackers made multi-million exploit attempts of the Log4j 2 Java library. And businesses operating in Java felt exposed and insecure about the situation.
Does that mean Java is not so secure? Is there a possible solution? Read on to understand what the Zero-Day Vulnerability exposed to the world.
What’s more concerning about this incident is that it creates a huge security risk for businesses that have been operating in Java, hence it has been given the ‘zero-day’ status.
A Zero-day exploit means that hackers are actively targeting the vulnerability, while a fix has not reached all the at-risk systems yet. The vulnerability is a potential threat to millions more applications and devices across the globe.
What is Log4j?
Log4j, a benchmark logging framework, which is used to log security and performance information, impacts upwards of 3 billion devices that use Java across a variety of consumer and enterprise services, websites and applications, worldwide.
As Log5j is widely used on the internet, organizations across the industry have integrated Apache Log4j 2 into myriad applications. This includes major cloud services such as Apple, Google, Microsoft and Cloudflare, as well as platforms like Twitter and Stream.
What does Log4 do and it’s importance while using Java?
It logs messages from software and searches for errors afterwards. The data range is broad, from basic browser and web page information to technical details about the system Log4j runs on.
Not only can the Log4j library create simple logs, but it can also execute commands to generate advanced logging information. In doing so, it can also communicate with other sources, such as internal directory services.
How did it cause vulnerability among users and their devices?
Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228 (also known as Log4shell), enables a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j 2.
In the world of cybersecurity, the Zero-day incident brought about the testing waters in the world of Java. Log4Shell is considered a zero-day vulnerability because the hackers knew about the sensitivity of this library and exploited it.
What is Zero-Day Vulnerability and how did it happen?
This risk is predominantly generated from a vulnerability in Log4j, a widely used Java-based logging library developed by the Apache Software Foundation. Since many services like Apple iCloud, popular gaming service Steam and online game Minecraft use Log4j, the vulnerability is considered to be the most dangerous exploit of the cyber security world to date.
To make things worse, a proof-of-concept exploit was also shared online since the vulnerability has been made public. This concept revealed that anyone employing (or using) Log4j is potentially a target for attacks that can trigger Remote Code Execution (RCE).
Log4Shell is dangerous in nature due to its complex operational requirements – and also because it is required to run major platforms from Amazon Web Services to VMware, and services large and small.
It carries a lot of dependencies due to the many operations running on it, and this is why patching is a complex procedure as well as time-consuming. Thus, it makes it an easy target to exploit and the damage is greater.
How can the Log4 Shell directly hack my personal device?
The Log4j 2 library controls how applications log strings of code and information. The vulnerability enables an attacker to gain control over a string and trick the application into requesting and executing malicious code under the attacker’s control.
Attackers can remotely take over any internet-connected service that uses certain versions of the Log4j library anywhere in the software stack.
This has been the most serious cyber risk since the 2017 WannaCry global ransomware attack and the cybersecurity world has been on edge since the Apache Log4j vulnerability was first publicly disclosed on December 9, 2021.
Assessment and Mitigation of Log4Shell
With the potential to impact everything from applications and embedded systems to enterprise applications and their subcomponents; This widespread exploitation of the Log4j vulnerability across several industries has a lot of people looking for affirmative security solutions.
The best way to evaluate steps for threat assessment is to understand the threat and the vulnerable spaces in Java. This way we can ensure security protocols are in place for safe Java use.
Here’s everything we know about the Log4 threat!
The security risk with Log4j has been termed as CVE-2021-44228 or Log4Shell or LogJam. It has been ranked among the most severe security risks on the internet as of now, as it affects all versions of Log4j. This includes Log4j version 2.0-beta-9 to version 2.14.1. This leaves a vast number of services and systems exposed to cyber vulnerabilities since they all rely on Log4j.
As mentioned by Sean Gallagher, Senior threat researcher at Sophos, “Log4Shell is a library that is present in the darkest corners of an organization’s infrastructure. Finding a solution to vulnerable Log4Shell is crucial for IT security.”
The Java-based open-source logging library is the most used in the world and also the easiest to exploit, this is why Log4 is so dangerous.
Java is very common in the context of devices because of its cross-platform nature and device abstraction capabilities. Even hackers with not much experience can easily launch an attack by exposing this vulnerability and after that, they can upload their code into the application (due to the message lookup substitution function).
Are we safe against Log4 now? If so, how can we ensure we are safe against any and all threats?
Since the threat of Log4 was exposed, newer versions of Log4 have been released that make it a lot more secure, but this still means that businesses need to understand that certain security protocols need to be put into place to ensure there are no vulnerabilities exposed.
What next?
The Log4j vulnerability incident has shown to the world how important it is to implement proper supply chain security and the potentially devastating effects insecure open-source code could have.
Get in touch with us at info@lyrainfo.com to get a consultation. We will help you understand all the ways you can ensure safety protocols and have a safe Java experience.
References:
2. Microsoft – Vulnerability Guide
3. India Today – Feature Story
4. https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/
5. https://www.medtechdive.com/news/fda-warns-log4j-cybersecurity-risks-medical-devices/611773/
6. https://www.dynatrace.com/news/blog/what-is-log4shell/
7. https://www.cisecurity.org/log4j-zero-day-vulnerability-response/