First published on GitHub on December 9, 2021, Log4J or Log4shell, is a new major cybersecurity vulnerability (CVE-2021-44228) that can result in a complete remote system takeover. Global intelligence groups reported the first usage of the exploit on December 10, 2021, identifying massive scanning from multiple hosts for servers using vulnerable versions of Apache Log4j.
What is the Log4j vulnerability?
Log4j is a popular Java logging framework used by many open source and enterprise level applications. The Log4j library is vulnerable to a remote code execution vulnerability that is easily exploitable by unauthenticated users. The vulnerability can be exploited by anyone with the ability to interact with the vulnerable endpoint of the application. The vulnerability itself is triggered by a specially-crafted malicious request; the malicious request is logged by the application and interpreted by log4j to execute code on the vulnerable server.
"We are aggressively helping customers identify and remediate this very serious vulnerability. Additionally, we are adding new techniques and tools to help identify the log4j vulnerability both on internal and internet facing systems,” said J.R. Hernandez, Evolve Security’s Security Services Manager. “Unfortunately, it looks like this will be a threat for a long time given wide use and adoption of Log4j library.”
How to start protecting your organization
The pervasiveness of the log4j library makes protecting your organization a difficult task. Adding several defense layers will be the only way to secure your environment.
- Identify vulnerable software in your environment and patch the vulnerable software
- Patch third party software applications using the vulnerable library
- If possible, disable Log4J library, JNDI lookups, and the ability to load Remote Codebases in your application
- Limit access and restrict egress capabilities of vulnerable servers
- Update signatures in your SIEM and Web application firewall to help detect any log4j attacks against your application
More details on the nature of Log4j and response
log4j has received a rating of 10 on the CVSS scale and given the pervasive nature of the Java logging library and multiple points of entry, Log4j presents major challenges for every security team.
This vulnerability is now exposing some of the world's most popular applications and services to attack, and the outlook for it is not good. It is clear that log4j will continue to be a major security threat or years to come.
Currently, any device that's exposed to the internet is at risk if it's running Apache Log4j, versions 2.0 to 2.14.1. NCSC notes that Log4j version 2 (Log4j2), the affected version, is included in Apache Struts2, Solr, Druid, Flink, and Swift frameworks.
Mirai, a botnet that targets internet-connected (IoT) devices, has adopted an exploit for the flaw. Cisco and VMware have released patches for their affected products respectively. AWS has detailed how the flaw impacts its services and said it is working on patching its services that use Log4j and has released mitigations for services like CloudFront.
Likewise, IBM said it is "actively responding" to the Log4j vulnerability across its infrastructure and its products. IBM has confirmed Websphere. Oracle has issued a patch for the flaw, as well.
Our security engineers are actively monitoring for new information about this vulnerability and have the expertise to help our clients remediate this problem. If you have questions about log4j or other cybersecurity vulnerabilities, get in touch and our experts can get to work improving your organization’s security posture right away.