Log4Shell: The Log4J security vulnerability
On Friday 10th December 2021 (UK time), the news broke that there was a new serious security vulnerability which was affecting potentially millions if not billions of devices. This security vulnerability was released to the public and is based around the Java library Log4J. The security vulnerability, like all new vulnerabilities these days has a catchy name of Log4Shell. The associated CVE number has also been assigned – CVE-2021-4428.
So, what makes this latest security vulnerability so dangerous to businesses and making IT and security teams around the world panic and check all their systems? To understand this, we need to know a bit more about the Java library that’s affected.
What is Log4J?
This allows applications and developers to record actions of what has been provided for helping to troubleshoot any actions.
The Log4Shell vulnerability
Now that we know what the Log4J library is and what it is used for, how is it used as a security vulnerability? And what does the vulnerability do?
The flaw within the Log4J library was found by the security team at Alibaba, the security team found that depending upon what is passed to the application and logged via Log4J, you can trick the logging to record events and possibly force requests to external systems, which should not be allowed.
This can happen as Log4J can utilise variables for processing data. Variables are bits of code which can store temporary values for processing later, for example storing the date/time of an action and then recorded shortly after, so that the details are correct.
The problem here is, that way back in 2013, there was a feature added to the library which allowed additional functionality for use with LDAP. LDAP is basically a way for someone to obtain information about a system or query if the information is provided correctly.
The Log4Shell vulnerability takes advantage of this LDAP feature and if someone logs some requests to the application in a specially crafted manor, the Log4J library will log the information as its meant to but will then also fire off a LDAP call/query to an external system, allowing a malicious attacker to potentially gain access remotely.
Why is it so serious?
It’s so serious as it’s the main logging tool for any Java related application, the more people who use the library, which is vulnerable, the more chances of compromise. However, the problem lies in that it may not be solely your web application or application that is affected, it may be used in a subcomponent, or some other feature that you are not in control of. So this ends up with you needing to ensure that your entire environment is completely patched and up to date, which means ensuring that your providers are up to date and that you have a good audit log.
Not only this, but automated bots are now going around the internet looking for vulnerable systems, which will information malicious actors and allow them to possibly get inside your systems.
What should I do?
There are a few things you can do, to ensure you are protected. Firstly, you should ensure that you keep an eye out on your suppliers security/support pages, and check for updates over the coming weeks.
You should also look at doing the following, if you use Java within your environment.
- Ensure that you patch/update Log4J in all your code, if you use it, to the latest version.
- Block the statements “$(jndi:ldap://” in your Web Application Firewall
- Disable Log4J (or replace with something else)
- Disable JNDI lookups by setting the system property ‘log4j2.formatMsgNoLookups’ to True
- Disable remote codebases
More information will come as time goes on and people understand the issue more.