The log4j vulnerability (CVE-2021-44228) - dubbed log4shell - has been described as a critical risk to the entire internet. The flaw has exposed some of the most substantial applications across the internet landscape to attack, with companies racing to patch and mitigate threats as cyber criminals actively exploit it.
Today we will uncover what log4j is, why it poses such a critical threat, and how to take action and mitigate the risk.
With an urgent need for action, the team at TryHackMe have developed a free interactive training lab demonstrating the log4j vulnerability and mitigation methods.
What is log4j?
Log4j is a java-based logging framework, part of the Apache Logging Services. Essentially, it is a data logging package for the Java platform - recording the activity and data of applications. Many companies across the world use log4j and are therefore exposed to the risk - household names such as Google, LinkedIn, and Microsoft.
Log4j was initially released in 2001, with a stable release of log4j2 in December 2021 - the latter has been adopted on frameworks such as Windows, Linux, macOS and FreeBSD. The uncovered vulnerability affects log4j versions below (and not including) 2.15.0.
What risk does log4j pose?
Hackers worldwide have been exploiting log4j since the beginning of the month, but with Apache’s disclosure of the threat on the 9th of December, attacks have substantially increased. The vulnerability is deemed the highest severity, as successful breaches allow hackers to control java-based web servers and launch remote code execution (RCE) attacks. RCE means the execution of arbitrary code on a computer system: the hacker has no direct access to the device, yet gains full control of it.
So far, exploitation has led cyber criminals to install crypto miners - mining cryptocurrency - steal system credentials and data, and tunnel deeper into compromised networks, according to Microsoft. Hackers have already launched more than 1.2 million attacks, and the flaw is being weaponised and included in automatic ransomware attacks.
Sean Gallagher, Sophos senior threat researcher has referred to crypto mining as the lull before the storm, stating, “We expect adversaries are likely grabbing as much access to whatever they can get right now, to monetise and capitalise on it later on. The most immediate priority for defenders is to reduce exposure by patching and mitigating all corners of their infrastructure and investigate exposed and potentially compromised systems."
As the vulnerability allows hackers to load arbitrary code on servers, install malware and act as a foothold to launch further attacks, the impact level is broad and dangerous.
Significant companies such as Apple, IBM, Tesla, Minecraft, and Microsoft have discovered the vulnerability across their services. With attacks continuing while companies race to find patches and issue fixes, the full extent of the impact is still coming to light.
How to mitigate the log4j vulnerability:
Today, log4j version 2.15.0rc2 is available and patches this vulnerability. However, the sheer danger of this vulnerability is due to how ubiquitous the logging package is. Millions of applications as well as software providers use this package as a dependency in their own code.
A temporary mitigation solution, where upgrading to Log4j 2.15.0 is not possible, is as follows (and is official advice from Apache):
- Versions >= 2.10: set system property log4j2.formatMsgNoLookups (or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS) to true.
- Versions < 2.10: remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
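The two mitigation steps above depend on knowing which log4j version a given JAR actually is. The following is an added example (not TryHackMe's or Apache's code) that reads the version out of a log4j-core JAR, maps it onto the advice above, and, for the pre-2.10 case, performs the same removal the zip command does, using only Python's standard library so it runs offline. It assumes the JAR carries the usual Maven pom.properties at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (falling back to Implementation-Version in the manifest); the JARs it builds for the demo are constructed fixtures, not real log4j builds.

```python
"""Added example (not TryHackMe's or Apache's code): inspect a log4j-core JAR,
determine its version, and apply the Apache-recommended mitigation that
matches it. Standard library only, so it runs offline."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); trailing qualifiers such as 'rc2' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def log4j_version_from_jar(jar_path):
    """Read the version from pom.properties, falling back to the manifest."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
        if "META-INF/MANIFEST.MF" in names:
            for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    return parse_version(line.split(":", 1)[1])
    return None


def jar_contains_jndi_lookup(jar_path):
    """True if the vulnerable lookup class is still present in the archive."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def recommend_mitigation(version):
    """Map a version tuple onto the advice given in the post."""
    if version is None:
        return "unknown version: treat as vulnerable and inspect the JAR manually"
    if version >= FIXED:
        return "not affected: 2.15.0 or later"
    if version >= (2, 10, 0):
        return "set log4j2.formatMsgNoLookups=true (or LOG4J_FORMAT_MSG_NO_LOOKUPS=true), then upgrade"
    return "remove JndiLookup.class from the JAR, then upgrade"


def remove_jndi_lookup(jar_path):
    """Same effect as `zip -q -d log4j-core-*.jar .../JndiLookup.class`:
    rewrite the archive without that entry. Returns True if it was removed."""
    if not jar_contains_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    shutil.move(tmp_path, jar_path)  # atomically replace the original JAR
    return True


def assess_and_mitigate(jar_path):
    """Return (version, advice, removed). The class is removed only for the
    pre-2.10 case, matching the two-branch advice in the post."""
    version = log4j_version_from_jar(jar_path)
    advice = recommend_mitigation(version)
    removed = False
    if version is not None and version < (2, 10, 0):
        removed = remove_jndi_lookup(jar_path)
    return version, advice, removed


def build_sample_jar(path, version):
    """Constructed fixture: a fake log4j-core JAR with the layout a real one
    has (manifest, pom.properties, JndiLookup.class). Not a real log4j build."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
        jar.writestr(POM_PROPERTIES, "version=%s\nartifactId=log4j-core\n" % version)
        jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, body omitted
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")


def run_demo():
    """Build one fixture per version branch, assess each, and report
    {version: (parsed, advice, removed, jndi_lookup_still_present)}."""
    workdir = tempfile.mkdtemp()
    results = {}
    try:
        for v in ("2.8.2", "2.14.1", "2.15.0"):
            jar = os.path.join(workdir, "log4j-core-%s.jar" % v)
            build_sample_jar(jar, v)
            parsed, advice, removed = assess_and_mitigate(jar)
            results[v] = (parsed, advice, removed, jar_contains_jndi_lookup(jar))
    finally:
        shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for version, outcome in run_demo().items():
        print(version, outcome)
```

Pointing assess_and_mitigate at a real log4j-core JAR found on a host gives the version, the applicable branch, and (for pre-2.10 builds) removes the class in place; note that the system-property branch cannot be verified from the JAR alone, since it depends on the JVM's startup flags or environment.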
While you may be able to patch an internal codebase that uses log4j, other vendors and manufacturers will still need to push their own security updates downstream. Many security researchers have likened this vulnerability to Shellshock because of its enormous attack surface. We will see this vulnerability for years to come.
If you're responsible for identifying vulnerable services that use log4j, there is a list of a few majorly affected services/products here.
To find out more about how you can exploit, detect and mitigate log4j, TryHackMe have released a free interactive training lab.