Log4j Broke the Internet. Here’s What Happened.

I’m sure you must have seen the word “Log4j” pop up in emails, messages and every sort of social media feed, everywhere! If you know a cyber security professional, please give them a Christmas cookie and some words of encouragement, because the odds are high that they’re still running around sleepless trying to keep up with this vulnerability that affected every corner of the internet.

 

I hope this post will clear up some misunderstandings about the significant vulnerability that affects Log4j, a Java logging library. I’ll go over the vulnerability, its consequences, how it works, and ultimately how to protect yourself or your company.

 

What is Log4j and why is it important?

 

The Log4j 2 library is used in enterprise Java software and is included in Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift. Because Log4j is so widely used, the flaw affects a wide range of products and services from a number of different vendors. This vulnerability can also affect your own applications if they use Log4j.

 

Log4j 2 is a Java-based log library that is widely utilized in the creation of business systems, as well as in different open-source libraries and directly embedded in leading software applications. 

 

Log4j has been downloaded millions of times and is one of the most widely used tools for gathering information about computer networks, websites, and business applications. It is distributed free of charge by the non-profit organization Apache Software Foundation.

 

So how bad is this Log4j vulnerability?

 

Hmmm, pretty bad.

 

The vulnerability is a remote code execution flaw. It allows attackers to remotely execute code on the target computer, so they can steal data, install malware, or take complete control of the system, for example a Java-based web server.

 

It was discovered on December 9, 2021 by the Alibaba Cloud Security Team. Formally identified as CVE-2021-44228, it affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1 and lets an attacker execute arbitrary code on a vulnerable server.

 

With a single request to execute code, an unauthenticated remote attacker can take control of a vulnerable machine. 

 

Am I impacted?

 

The answer is yes, you’re probably impacted.

 

With a CVSS score of ten out of ten, the Log4j vulnerability is considered big!

 

This is because it allows any unauthenticated attacker to execute malicious code remotely by simply injecting a well-crafted payload. This means that every Java app that logs user-controlled data using Log4j is a backdoor for remote code execution. Some MAJOR names have been affected, including Google, Apple, Steam, Amazon, Tesla, IBM and LinkedIn.

 

You can check out the full list of affected software and tools here: 

https://github.com/NCSC-NL/log4shell/blob/main/software/README.md

 

How do I fix the Log4j vulnerability?

 

Upgrading to patched versions of Log4j 2 or affected applications will address this vulnerability. However, if it is not possible to update your version of Log4j, you can follow the instructions from the Apache Foundation to fix the vulnerability found here: https://logging.apache.org/log4j/2.x/

 

The other point to note is that even though you might not use Log4j (versions 2.0 to 2.14.1) directly in your software, you may have other third-party tools that bundle it.
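An added example (not from the original post or from Apache): a small Python scanner for the indirect-dependency case described above. It opens a WAR or JAR, descends into nested archives, and flags every bundled log4j-core whose version falls in the 2.0 to 2.14.1 range; it assumes the jar still carries its Maven pom.properties, and the sample WAR and its file names are constructed.

```python
import io
import re
import zipfile

# Maven metadata a log4j-core jar normally carries (assumption: not stripped when repackaged).
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")
LOW, HIGH = (2, 0, 0), (2, 14, 1)  # affected range given in the article: 2.0 through 2.14.1

def is_affected(version):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    return bool(m) and LOW <= (int(m[1]), int(m[2]), int(m[3] or 0)) <= HIGH

def scan_archive(data, trail="", depth=0, max_depth=5):
    """Return (location, version, affected) per log4j-core copy, nested archives included."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive
    with zf:
        for name in zf.namelist():
            if name == POM:
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.M)
                ver = m.group(1).strip() if m else "unknown"
                hits.append((trail or "<top level>", ver, is_affected(ver)))
            elif name.lower().endswith(NESTED) and depth < max_depth:
                inner = f"{trail}!/{name}" if trail else name
                hits += scan_archive(zf.read(name), inner, depth + 1, max_depth)
    return hits

def make_zip(entries):
    """Build an in-memory archive from {name: bytes}; only used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_war():
    """Constructed WAR: one direct log4j-core plus one hidden in a hypothetical vendor jar."""
    jar = lambda v: make_zip({POM: f"artifactId=log4j-core\nversion={v}\n".encode()})
    vendor = make_zip({"lib/log4j-core.jar": jar("2.14.1")})
    return make_zip({"WEB-INF/lib/log4j-core-2.17.1.jar": jar("2.17.1"),
                     "WEB-INF/lib/vendor-tool.jar": vendor})

if __name__ == "__main__":
    print(*scan_archive(sample_war()), sep="\n")
```

To scan a real artifact, pass its bytes, for example `scan_archive(open("app.war", "rb").read())`. A copy reported with version "unknown" had metadata without a version line and needs a manual look.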

 

In addition to updating Log4j 2, some cloud security products can help detect and temporarily mitigate the vulnerability until the patch is applied, so contact your cloud service provider, as they may have some solutions as well.

 

 

Written by

Devasha Naidoo

Senior Technology Architect
