The Log4j or Log4Shell vulnerability, a cybersecurity flaw on the Apache Log4j 2 Java library, allows an attacker to remotely inject arbitrary code into a target network and gain complete control over it. As Java is widely implemented in digital products – from Internet routers to Microsoft and Amazon servers – the Log4j vulnerability could potentially impact hundreds of millions of devices. In this blog post, we will explain what the Log4j vulnerability is, why it’s important, how it causes damage, and how your organization can protect against it.
What is the Log4j vulnerability?
Apache Log4j is a Java-based logging utility whose library is designed to do the following:
- Log information helping applications run smoothly.
- Determine what’s happening.
- Help with the debugging process when errors occur.
The Log4j vulnerability (CVE-2021-44228), also known as Log4Shell, is a Remote Code Execution (RCE) vulnerability on the Apache Log4j 2 Java library – one of the most critical exposure levels in cybersecurity (10 out of 10). This Log4j framework flaw allows attackers to remotely inject arbitrary code into a target network and gain complete control over it.
Many security experts consider the Log4j vulnerability as one of the worst publicly-known vulnerabilities in the history of digital technology. As Java is implemented across a wide range of digital products, namely cloud solutions, web servers, and applications, the Log4j vulnerability is making a great number of mainstream software vulnerable to exploitation by malicious attackers.
And because most organizations are unaware of the Log4j Java library vulnerability in the software they’re currently using, a Log4j vulnerability exploitation bonanza is still underway by attackers from the cybercriminal world. Security researchers estimate that approximately 10 million exploitation attempts of the Log4j vulnerability are executed every hour into the affected online software.
The retail industry would have the highest number of attacks, followed by the technology, financial services, and manufacturing industries. Healthcare organizations would also be on high alert because of how often they are targeted by attackers.
So, in recap, what has made the Log4j vulnerability so important and talked about is a combination of these two key aspects:
- The vulnerability is very trivial to exploit: Since its discovery on December 5, 2021, the Log4j vulnerability hasn’t required much skills to be exploited with the insertion of a string into a log event and the injection of a malicious payload.
- It can make any Java applications an easy target for attackers: As mentioned earlier, Java being intrinsically part of so many digital products and services (routers, Microsoft servers, etc.), even smartphones can be exposed as their backend systems communicate with the Log4j library via APIs.
What is the impact of the Log4j vulnerability?
The log4j security flaw allows attackers to execute malicious code remotely on a target computer, allowing them to easily steal data, install malware, or simply take over a system via the Internet. Within the first 72 hours it became public, the log4j vulnerability generated over 800,000 exploitation attempts by malicious attackers, according to Check Point. Some cybersecurity analysts have then predicted that the Log4j security vulnerability would impact the entire Internet and take years to be fixed.
How to protect against the Log4j vulnerability?
Update all instances of the Log4j library
Your first remediation response should be to update all of your Log4j instances to the latest Apache Log4j available version.
Disable the Java Naming and Directory Interface API (JNDI)
The JndiLookup class should be disabled by default in the latest updated released version; if not, make sure it is. Disabling the JndiLookup class makes the logger unable to take action upon the data found in the log. Any remaining vulnerable Log4j versions can be made secure by manually removing JNDI from the following classpath:
zip -q -d log4j-core- *.jar org /apache/logging /log4j /core/lookup /JndiLookup.class
Modify the Java system properties
If it’s not possible for you to update the Log4j library, you should apply immediately the following response for any versions between 2.10 and 2.14.1:
Set the following system property to true:
- log4j2.formatMsgNoLookups
Or set the following environment variable to true:
- LOG4J_FORMAT_MSG_NO_LOOKUPS
Perform a professional penetration test
A professional API security test is a powerful tool to improve your API security, namely for any undetected Log4j flaws. A professional API penetration test will help maximize your API security though an extensive attack surface that covers various types of API breach exploits:
- Parameter tampering
- Fuzz testing
- Endpoint authorization
- XSS attacks
- Command injection
- Endpoint authentication
- CSRF attacks
- Man-in-the-Middle attacks
At any rate, make sure that your penetration testing provider uses an approach based on manual techniques leveraging automated tools, allowing you to identify complex vulnerabilities that are present in modern APIs. Knowing the percentage of automated vs. manual testing is among the 20 questions to ask your penetration testing provider.
Update all of your firewalls and Intrusion Prevention Systems (IPSs)
Update all of your firewalls, Web Application Firewalls (WAFs), and Intrusion Prevention Systems (IPSs). Doing so will make sure that Log4j’s malicious traffic will be blocked before it reaches your systems.
Final words
The Log4j vulnerability is a serious threat to any organization using the Log4j Java logging framework, as it can lead to a complete takeover of its systems. To avoid this worst-case scenario, you need to keep in mind that even the most sophisticated vulnerability scanner might not be very thorough and deliver the expected results. In our other blog posts, Why Automated Penetration Testing For Applications is Insufficient and Penetration Testing vs. Vulnerability Scanning, we explain the various limitations of a vulnerability scanning tool. A testing approach mainly focused on manual tests typically delivers better results, as it covers more of the actual attack surface real-world attackers can readily exploit. To that end, make sure to include Log4j in your next professional API security test.
Contact us if you need help improving your enterprise security.
