Security breach

What is the Log4Shell vulnerability?

The critical flaw affecting products built using Java is set to cause headaches in the enterprise for months to come
Pro
Image: Shutterstock

13 December 2021

With the potential to be massively devastating, the vulnerability in the ubiquitous Java logger log4j 2, known as Log4Shell, is set to rival the most high-profile ransomware attacks when it comes to the title of ‘worst cyber security incident of the year’ if certain corners of the infosec community are to be believed.

The Log4Shell zero-day vulnerability in the Java logger is rated 10/10 critical and is tracked as CVE-2021-44228. The full extent to which log4j 2 can be exploited is currently unclear, but since its public disclosure on 9 December 2021, there is already evidence of in-the-wild exploitation and many enterprise applications are believed to be affected by the remote code execution (RCE) flaw.

Affecting products and services aimed at both consumers and businesses, the critical-rated vulnerability was first discovered in the Java version of Minecraft, and it didn’t take long for the cyber security industry to realise that the specially crafted in-game chat messages that were affecting game servers could function as executable code in a wider range of online services.

 

advertisement



 

Log4j 2 is an incredibly popular online Java library, used by almost all of the online services and products everyday people will be familiar with. Its role is to log information that helps applications run smoothly, determine what’s happening, and help with the debugging process when errors occur.

Patching the vulnerability is considered non-negotiable. The latest version of log4j 2 (log4j 2 2.15.0) mitigates the zero-day flaw and upgrading could prevent cyber attacks from hitting businesses and the wider Internet.

Who is affected by Log4Shell?

Most apps written in Java are thought to be affected and vulnerable, particularly Apache frameworks including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. In addition, ElasticSearch, Flume, Logstash, Kafka, Netty, MyBatis, and Spring-Boot-starter-log4j are also vulnerable.

Some of the most popular products and services on the Internet – including Apple iCloud, Amazon, Steam and Twitter – rely on these frameworks to function. This is also thought to include a significant number of enterprise and cyber security applications too.

Not all products that use log4j 2 are vulnerable; cyber security firm Radware said only software enabling and utilising log4j message lookup substitution is affected. From version 2.15.0, message lookup substitution is disabled by default which is why patching is necessary. Log4j 2 versions 2.0-beta9 to 2.14.1 are all vulnerable and exploitable.

How can Log4Shell be exploited and what can happen?

Cyber security vendors are widely reporting that the RCE vulnerability in log4j 2 is already being actively exploited in the wild, with exploitation being easy to achieve at that.

In addition to logging basic data within an application, the log4j 2 vulnerability leverages Java Naming and Directory Interface (JNDI) injection. In certain cases, logged data originates from user input – which can also be supplied by an attacker – and if this input contains special characters, and is logged using log4j 2, the Java method ‘lookup’ will be called to execute the user-defined remote Java class in the LDAP server. This will lead to the RCE on the victim server that uses the vulnerable log4j 2 instance, according to Unit 42 at Palo Alto Networks.

This can be achieved because JNDI does not enforce security controls on LDAP requests, meaning the application can contact a server hosting a malicious payload, download and execute it, all without any authentication.

At the moment, there are no known major exploitations of the vulnerability leading to devastating consequences. However, Microsoft reported the majority of attacks have been related to mass scanning – attackers trying to identify vulnerable systems, security companies, and researchers. It also said Cobalt Strike beacons have been dropped.

Radware reported Mirai-based DDoS botnets being actively deployed, adding that crypto-locking and crypto-mining malware can easily be delivered. Wider reports have already noted evidence of crypto-mining malware being circulated via the vulnerability.

How to mitigate Log4Shell

Businesses are advised to assess to what extent their environments are exposed to Log4Shell and patch log4j 2 instances accordingly. Log4j2 version 2.0-beta9 to 2.14.1 are affected with the general recommendation being, as with any vulnerability, to patch affected instances up to the latest available version which is log4j 2 2.15.0.

According to a UK National Cyber Security Centre’s (NCSC) advisory, the flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.

The national cyber security body also noted that identifying which applications are vulnerable may not be an easy task, which is why early and transparent communication with customers, as with any incident, is important to enable them to apply any available updates too.

Keeping tabs on Log4Shell development

Given how wide-ranging this vulnerability is, the cyber security industry has banded together to help keep track of evolving exploits and fixes. There is currently a GitHub repository listing Log4Shell indicators of compromise (IOCs) with links to individuals and groups actively tracking Log4Shell’s exploitation, in addition to a range of threat reports from individual researchers and cyber security vendors.

There is also a Reddit ‘mega thread’ users can follow which is regularly updated by the community with links to third-party advice, evidence of exploitation, analyses, honeypots, and more.

© Dennis Publishing


Professional Development for IT professionals

The mission of the Irish Computer Society is to advance, promote and represent the interests of ICT professionals in Ireland. Membership of the ICS typically reduces courses by 20%. Find out more


Read More:


Comments are closed.

Back to Top ↑