A Quick walk-through on Log4j Vulnerability & How to Prevent from it?
Introduction –
Logging has become a non-evitable part of every web application and server-based program. These are special file types that keep logs (i.e., records) of events or actions happening within the application. Log4J is also a Java-based logging library or utility that can work as an API. It gets distributed under the Apache Software License. On December 9th, 2021, some reports surfaced about the zero-day vulnerability that popped up from nowhere. They call it the Log4j (Log4Shell) vulnerability. It impacted Minecraft servers. A week later, researchers found that millions, if not countless, of devices, are at risk due to this vulnerability. This article will address what Log4j is, why Log4j vulnerability ranks among the worst? Also, we will gather insight on how to prevent this vulnerability?
What is Log4?
Log4j is a java-script-based utility used for logging actions on the applications. Ceki Gülcü is the creator of Log4j. As a part of Apache Logging Services, it acts as a framework for various logging operations. The log4j project is under Apache Software Foundation. The Log4j framework records events, errors, and routine app operations. It also transmits diagnostic messages related to system administrators and users. Apache Log4j version 2 is an advancement to Log4j, providing considerable advances over its precursor version, Log4j 1. The new version fixes some inherent issues in Log-back’s architecture but is susceptible to RCE. Let us now discuss what Log4j vulnerability is.
What is Log4j Vulnerability?
The Log4j exploit has become a widespread threat that allows attackers to compromise web-facing servers by injecting them with a malicious string of text. Cybercriminals are leveraging a zero-day vulnerability in this open-source logging library, and researchers reveal that in December 2021. The director of the U.S. Cybersecurity and Infrastructure Security Agency, Jen Easterly, addresses this vulnerability as the most serious one of her career. According to Jen, persuaders have made hundreds of thousands or might be even a million attempts through this vulnerability.
How does this vulnerability work?
The zero-day exploit is vulnerable where the Log4j processes log messages. By sending explicitly crafted messages to the server employing Log4j, an attacker can drive the system to load exterior malicious code. Such a type of attack is also called remote command execution. The exploit (CVE-2021–44228) leverages a Java API called the Java Naming and Directory Interface (JNDI) that allows clients to uncover and lookup data and objects through the name. The attackers can even store these objects in different locations or directory services using any of these methods: Lightweight Directory Access Protocol (LDAP), Remote Method Invocation (RMI), or through Domain Name Service (DNS).
Through this vulnerability, attackers can regulate log messages or log notification parameters on different versions of Log4j. This manipulation of log messages helps attackers run arbitrary code & takes complete control over any affected server that is using the Log4j framework. Attackers are also leveraging this vulnerability to deploy crypto miners and potentially other malware.
Where did Log4j get detected for the first time?
According to CBS News, a group of people from the Apache Software Foundation group got the alert on November 24 about the vulnerability. A cloud security team member of Alibaba discovered it for the first time. It came to the limelight when on the first week of December, cybersecurity professionals shared in a blog about the Minecraft leveraging this vulnerability. That blog alerts the gamers about the cybercrime detected through that flaw and infiltrating their computers.
How to prevent this Log4j attack?
The first step to enforce is whether an attack happened or not. Organizations should do this by searching the application’s logs to check if any RCE payload resides or not. If keywords like “ldap”, “jndi”, “$ {::” come during the search, organizations should further investigate as to whether it’s a fingerprinting by security professionals or an actual attack. Here is a checklist of some standard prevention techniques organizations can use against Log4j vulnerability.
· Enterprises should upgrade their existing Log4j version to Log4j version 2.16.0. It got officially released on December 13 by Apache.
· According to Apache, if any project is still leveraging the old version of Java, i.e., Java 7, they should immediately upgrade to Log4j 2.12.2.
· If any vendor developed your application, it is always a good idea to consult that software vendor to verify whether they got impacted by log4j. If so, ask them if they have come up with a patch for the products.
· Also, make sure that all the project or product dependencies, APIs, and libraries are fully patched.
· Some well-known Web Application Firewall (WAF) vendors announce that their WAF can protect against Log4j vulnerability. So, another best practice is to integrate these WAFs into your web applications and products.
Conclusion –
Log4j is a critical vulnerability, and organizations should not ignore its impact on the overall security and data breaching abilities. Cybercriminals are still leveraging its benefits and exploiting applications that are still using the unpatched version of Log4j. However, if you believe the fact that past behavior indicates future performance, then probably Log4j vulnerability will crop up in the coming years.
