Log4j: The “most serious” security breach of all time

Log4j is a piece of code that helps software applications keep track of their previous activities. Developers often use Log4j while building new software instead of reinventing logging or record-keeping components. The Log4j program is designed to help programmers output log statements to various output targets. It is used to enable logging for detection and troubleshooting of application issues. With Log4j, the ability to log at runtime is possible without changing the application’s binary. The flaws in this program are causing a catastrophe.

The features of Log4j

• It does not contain any threads.
• It is designed to be quick.
• It is built on the concept of a named logger hierarchy.
• It is in favor of internationalisation.
• It allows for numerous appender outputs per logger.
• It isn’t limited to a specific set of amenities.
• By extending the Layout class, you can change the log output format.
• It’s built from the ground up to handle Java exceptions.
• A configuration file can be used to change the logging behavior at runtime.

Log4j’s Benefits

• It is open-source.
• With log4j, it is viable to reserve the flow details of automation in a database of a file.
• Log4j is operated for large as well as diminutive projects.
• In log4j, we employ log statements instead of SOPL statements within the code to understand the state of a project while it is running.

A simple explanation of the Log4j vulnerability

The Log4j vulnerability, which is named “Log4shell,” enables attackers to execute malicious code remotely on any target computer. This means attackers can very easily install malware, steal data, or can take complete control of your system through the Internet.

Log4shell

As we have discussed, Log4shell is one of the most significant vulnerabilities of the decade. Alibaba reported this vulnerability to Apache on 24th November 2021, and it was officially published on Twitter on December 9th, 2021. The services affected by this Log4shell vulnerability include Cloudflare, Tencent QQ, Twitter, iCloud, and Minecraft: Java Edition. Apache itself has assigned a CVSS score 10 to Log4shell, making it a critical vulnerability in terms of severity. 

As Log4j is an open-source library, hence many organizations use it. The usage of Log4j is directly proportional to the damage it causes.

We know that many organizations and firms are using Log4j, but why? Here are its advantages.

 Log4j and Log4shell are the reasons why Log4j is well-known and widely used, indicating the magnitude of the impact. Now, let us see how big is the damage.

How big is the damage?

The fact that Log4j is such an omnipresent chunk of software makes this vulnerability such a big deal. For example, assume there is a security lock company that is very popular and almost 80% of the population is using those locks, and one day you get to know that attackers can easily open these locks. Isn’t it terrifying? The same thing happens in Log4. Just like a popular lock company, Log4j is a part of Java, which has been very popular in software development since the mid-’90s. Very huge parts of the computer code run on Java, which contains the Log4j library. Many cloud storage companies like Amazon, Google, and Microsoft that offer the digital backbone for many other applications were affected. And the giant software sellers whose programs are used by millions, like Salesforce, IBM, and Oracle, were also affected. 

The devices such as TVs and security cameras that could connect to the Internet are also at risk. It has just become possible for hackers to break into nearly anywhere they want to steal information or plant malicious software. It may not be possible to hack everything, but it just got simpler to do so-just as if every lock on every door and business in town suddenly stopped working at once.

In addition to granting hackers access to the heart of a system, the vulnerability also allows hackers to bypass all of the typical defenses software companies employ to block attacks. Overall, it is a cybersecurity expert’s worst nightmare.

Is there anything we can do?

• Never click on a link that you are unsure of; this is the simplest way for hackers to insert malicious code into your computer. In other words, hackers and attackers are using phishing techniques to enter your system. So, if you find any email saying your account has been deactivated or delivery has been canceled, first, check if you actually have an account on that website, or contact the original customer care and find out.
• Ensure all applications that use log4j 2.x <= 2.14.1 and that use Log4j < latest Log4j 2.x version that uses insecure methods described in the Log4j security advisory are updated to the latest version. It may be time-consuming or complex to confirm that there is any insecure usage. Therefore, you should update to the latest version. 
• Those applications that have already been updated to Log4j version 2.15.0 or 2.16.0 and use no vulnerable configurations, patterns or APIs should be upgraded to the latest Log4j 2.x version with a lower priority.
• If you can’t upgrade to the latest Log4j 2.x version due to your Java 6 or Java 7 limitations, you may wish to update to the latest Log4j version available from the download link.

However, it is not the end, as recently, a second vulnerability has been identified with Log4j.

The second vulnerability

After cybersecurity experts spent days trying to patch or mitigate CVE-2021-44228, a second vulnerability involving Apache Log4j was discovered on Tuesday. 

The report of the latest vulnerability, CVE 2021-45046, declares the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was “incomplete in specific non-default configurations.” 

The patch for this issue has already been released by Apache, which is Log4j 2.16.0. The CVE says Log4j 2.16.0 fixes the issue by disabling JNDI functionality by default and removing support for message lookup patterns. Prior releases of the software were able to mitigate the issue by removing the JndiLookup class from the classpath.

InfosecTrain

InfosecTrain is the leading provider of consultancy services, certifications, and training in information technology and cyber safety. Our accredited and skilled trainers will help you understand cybersecurity and information security and improve the skills needed. So if you want to know more about security topics like this, check out our website.

AUTHOR
Yamuna Karumuri ( )
Content Writer

“ Yamuna Karumuri is a B.tech graduate in computer science. She likes to learn new things and enjoys spreading her knowledge through blogs. She is currently working as a content writer with Infosec Train. “