Apache Log4j Vulnerability
Researchers have discovered a critical vulnerability in Apache Log4j library.
Various information security news outlets reported on the discovery of a critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). Millions of Java applications use this library to log error messages. To make matters worse, attackers are already actively exploiting this vulnerability. For this reason, the Apache Foundation recommends all developers update the library to version 2.15.0, and if this is not possible, use one of the methods described on the Apache Log4j Security Vulnerabilities page.
Why CVE-2021-44228 is so dangerous
CVE-2021-44228, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If attackers manage to exploit it on one of the servers, they gain the ability to execute arbitrary code and potentially take full control of the system.
What makes CVE-2021-44228 especially dangerous is the ease of exploitation: even an inexperienced hacker can successfully execute an attack using this vulnerability. According to the researchers, attackers only need to force the application to write just one string to the log, and after that, they are able to upload their own code into the application due to the message lookup substitution function.
What is Apache Log4J and why is this library is so popular?
Apache Log4j is part of the Apache Logging Project. By and large, usage of this library is one of the easiest ways to log errors, and that is why most Java developers use it.
Many large software companies and online services use the Log4j library, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and many more. Because the library is so popular, some information security researchers expect a significant increase in attacks on vulnerable servers over the coming days.
Which versions of the Log4j library are vulnerable and how can you protect your servers from attack?
Almost all versions of Log4j are vulnerable, starting from 2.0-beta9 to 2.14.1. The simplest and most effective protection method is to install the most recent version of the library, 2.15.0. You can download it on the project page.
If for some reason updating the library is not possible, Apache Foundation recommends using one of the mitigation methods. In the case of Log4J versions from 2.10 to 2.14.1, they advise setting the log4j2.formatMsgNoLookups system property, or setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.
To protect earlier releases of Log4j (from 2.0-beta9 to 2.10.0), the library developers recommend removing the JndiLookup class from the classpath: zip -q -d log4j-core – *. Jar org / apache / logging / log4j / core / lookup / JndiLookup .class.
In addition, it's recommended to install security solutions on your servers — in many cases, this will allow you to detect the launch of malicious code and stop the attack’s development.
To talk to one of our cyber security specialists today, about how Qual can help your business overcome this threat, by clicking the button below.