The Biggest Software Vulnerability Of All Time
Hope you all are fine. Through this article, I am going to discuss about Log4Shell ,the ‘most serious’ security breach ever.
What is Log4j ?
Log4j is a programming code written in Java computer language by Ceki Gülcü. It was created by Apache Software Foundation volunteers to run on different platforms. It is a component of the Apache Logging Services project, which is run by the Apache Software Foundation.
Log4j is one of numerous logging frameworks for Java. This help software applications keep track of their past activities Log4j can run on different platforms including Windows,macOS and Linux.
This package was initially released on January 8, 2001 as ‘Log4j 1’.
After several updates, Log4j 2 was released as GA version in July 2014. This is an update to Log4j 1, that delivers considerable enhancements over its predecessor, Log4j 1.x, and includes many of the improvements seen in Logback while addressing certain fundamental flaws in Logback’s architecture.
On August 5, 2015, the Apache Logging Services Project Management Committee announced that ‘Log4j 1’ had reached end of life and that users of ‘Log4j 1’ were advised to upgrade to Apache ‘Log4j 2’.
Who uses Log4j ?
Log4j is extremely popular among software developers as this is a useful and popular software development logging library and it’s a reliable, fast, and flexible logging framework for programming application interfaces (APIs).
Cloud storage companies such as Google, Microsoft, and Amazon which provide the digital backbone for millions of other apps use this tool. So are giant software sellers whose programs are used by millions, such as IBM, Oracle, and Salesforce.
It also includes extra logging features such as log levels (fatal, error, warning, etc.), log rolling patterns and mechanisms for writing to separate log files, among others. This is why log4j is a popular open-source logging package for Java applications.
What is the problem with the log4j ?
On November 24, a group of volunteers under the Apache Software Foundation were alerted of a zero-day vulnerability involving remote code execution in Log4j 2, by Chen Zhaojun of Alibaba Cloud Security Team. This vulnerability was named as Log4Shell (CVE-2021–44228). Log4Shell received a CVSS severity rating of 10, the highest available.
Apache Log4j Security Vulnerabilities
Ø Fixed in Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6)
CVE-2021–45105 : Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Ø Fixed in Log4j 2.16.0 (Java 8) and Log4j 2.12.2 (Java 7)
CVE-2021–45046 : Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations
Ø Fixed in Log4j 2.15.0 (Java 8)
CVE-2021–44228 : Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Ø Fixed in Log4j 2.13.2 (Java 8) and 2.12.3 (Java 7)
CVE-2020–9488 : Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.
Ø Fixed in Log4j 2.8.2 (Java 7)
CVE-2017–5645 : Apache Log4j socket receiver deserialization vulnerability.
[ Ref (Apache Log4j Security Vulnerabilities) : Log4j — Apache Log4j Security Vulnerabilities ]
Impact of Log4Shell vulnerability
This vulnerability allow attackers to execute arbitrary Java code on a server / other computer, or leak sensitive information by exploiting the vulnerable JNDI lookups functionality offered by the logging library log4j and it can conduct remote code execution. This exploitable feature was enabled by default in various library versions. More than 35,000 Java packages have been impacted by this vulnerability.
Some hackers use the vulnerability to take advantage of the capabilities of the victims’ devices; examples include cryptocurrency mining, botnet creation, spam distribution, the establishment of backdoors, and attempting to deploy various ransomware variants such as,
Quantam, Kimsuki, Cerber, Muhstik, etc.
As well as, hackers linked to foreign countries have already attempted to exploit the vulnerability in order to obtain access to their targets’ computer systems.
Are there any solutions for this?
The Apache Software Foundation has posted fixes for this vulnerability on 6 December 2021. Although alternative attack vectors remain in specific applications, newer versions of the Java Runtime Environment (JRE) address this issue by blocking remote code from being loaded by default.
Hackers have to deliver malicious code to a service running log4j to exploit this vulnerability. So they are trying to send phishing emails and try to trick you into clicking a link or opening an attachment. Therefore, it is wise to take care of it.
So, through this article, I tried to update your knowledge about a terrible vulnerability.
Apart from that I’ll mention a link about “How to configure log4j as logging mechanism in Java”
I think you may have gained some knowledge from this.
Thanks for reading…
Written by Supun Abeysinghe — 3rd Year 1st Semester -Cyber Security Student-SLIIT