Updated: Mar 2
Log 4j, which is a Java-based logging framework, has declared a security flaw or rather a vulnerability, much to the consternation of the cybersecurity teams all over the world.
It feels like one of those sci-fi movies has come to life, sending the whole world into a tizzy about how to save the world. Only, it is not a movie, and much damage could be done before everything is patched up for good. The sweeping leaps made by technology and the internet opens the doors for misuse of the power that comes with it. A radical cybersecurity flaw has pretty much hit the entire internet, exposing everyone from financial institutions to government agencies to attacks by cybercriminals and nation-states with their own political agendas. Attackers are actively exploiting the flaws, and these illicit activities are only expected to increase in the coming days if a proper security patch is not implemented on time.
The security risk is even more alarming because it has been discovered to be actively exploited in the wild, therefore the zero-day status. In layman’s terms, an exploit is a code that takes advantage of a software vulnerability or a weak spot in security. When the said exploit is widely published through forums or exploitation frameworks, it is referred to as exploitation in the wild. A zero-day exploit indicates that hackers are actively targeting the flaw, while a patch has not yet reached all the vulnerable systems. Well, let’s just say the log 4j vulnerability is that chink in the armor that is shark bait. As per the Common Vulnerability Scoring System or CVSS, the Apache team ranked the vulnerability as 10. This means that Log4Shell has been rated as a “Critical” vulnerability.
What is log 4j?
It is one of the components of the program used in the creation of software. It can be called a software library that is used by developers to keep an eye on all the activities of an application, which helps them track problems being faced by users. It is a logging library made by the open-source Apache Software Foundation. This open-source library is used by many organizations like IBM, Oracle, AWS, and Microsoft.
Logging is an important element of software development for the fact that it indicates the state of the system throughout the length of time a program takes to run. Therefore, log4j is used during the different phases of development.
This Java logging framework can be used in conjunction with JNDI, a Java API that encapsulates name and directory services, allowing Java programs to look up resources as Java objects. The vulnerability is in this integration, which is open to nearly any logged string input via Log4j. Much to our discomfort, JNDI is inherently flexible, and it is this flexibility in logged string formatting that makes the issue particularly difficult to discover and examine.
What are the vulnerable versions of log 4j?
Do not think for a moment that if you don’t use log4j in your application directly, you are safe. Frameworks and tools can potentially contain a vulnerable version in their distribution. The vulnerable versions of log4j2 are versions 2.0 to version 2.14.1 inclusive.
Needless to say, all the Apache frameworks like Apache struts2, Apache Soir, Apache Druid, Apache Flink, and Apache swift include the Log4j library.
The vulnerability was first detected by Chen Zhaojun of the cloud security team of the Chinese tech giant Alibaba.
This is being called the worst vulnerability to be discovered in the last decade.
Google analysis reveals that over 35000 java packages contain log4j vulnerabilities.
This security risk has been termed CVE-2021-44228 or Log4shell or Logjam.
There have been attempted exploits of the vulnerability on more than 44% of corporate networks around the world.
Tech heavyweights that use java are Google, Apple, Linkedin, Twitter, Amazon, Steam, etc.
Microsoft said that it had found evidence of the flaw being used by tracked groups based in China, Iran, North Korea, and Turkey. Those include an Iran-based ransomware group, as well as other groups known for selling access to systems for the purpose of ransomware attacks.
Minecraft was one of the first to acknowledge that the java edition of the game was at a major risk of being exposed to the threat.
What is the imminent vulnerability?
Everyone employing Log4j is potentially a target for attacks that can trigger remote code execution (RCE). It simply means that it could allow hackers to take control of a system. Internet-based attackers can take control of anything from industrial control systems to web servers and gadgets. The vulnerability comes from the fact that this code has been a part of millions of installations around the world. Since it enables quick, password-free entry, it's ideal for cybercriminals to get full server control. Thus, it becomes possible for the attackers to use the weakness to gain remote control of an unpatched system and use it as their own. Experts believe this might enable attackers to do everything from stealing user data to taking control of real-world infrastructure. This can entail things like stealing emails, damaging files, and installing malware. The compromised software, which is developed in Java, records user activities. It is immensely common with commercial software developers. It runs on a variety of platforms, including Windows, Linux, and Apple's macOS, and is used to power everything that runs on software, from webcams to auto navigation systems and medical gadgets. There’s hardly anything in this digital world that doesn’t use the program, and it is not limited to a few countries but the entire globe. Log4j is literally ingrained in every Java-based product or online service, and it is something that cannot be fixed manually. Meanwhile, some hackers are already exploiting the vulnerability to carry out attacks such as installing crypto miners on victims' computers, stealing user credentials, and stealing data from vulnerable systems. But what adds to the problem is the fact that it can be exploited either over HTTP or HTTPS.
The majority of attempts related to the Log4j vulnerability, according to Microsoft's threat intelligence team, have been tied to scanning attempts initially. The attackers were attempting to determine whether or not potential victims are vulnerable to attack. Stats have revealed that over 100 hacks per minute are attempted per minute to exploit the log4j vulnerability. Delivering crypto-mining malware and Cobalt Strike, a legal penetration-testing program that cyber thieves have been known to use to collect usernames and passwords to gain additional access to networks, are just a few of the attacks that cybercriminals have launched. But if experts are to be believed, crypto mining could be a smokescreen to attack high-value targets like banks, state security, and critical infrastructure.
Steps to mitigate
Looking at the current state of affairs, it would be unwise on the part of organizations to think that they are safe from this onslaught. It makes everyone using the program sit ducks for hackers to invade and control. However, because there are so many potential attack paths for this exploit and patching will take so long, it's also vital to have measures in place to combat any emergent threats from the Log4j exploit. Therefore, checking your exposure to it and fixing the vulnerabilities should take precedence. Though as threatening as this may sound, the good news is, there are steps that can be taken to make sure that your systems are protected.
1. The first step is to detect whether log4j is present in your applications, wherever you find Log4j, you need to update it to the latest 2.17.0 version patch.
One of the most widely recommended mitigation options for exploits is virtual patching. Virtual patching is based on the idea that in order to exploit a software fault, exploits must follow a defined path to and from the program. As a result, rules at the network layer can be created to control communication with a target software. You can prevent exploits from doing what they set out to achieve to some extent by inspecting traffic for protocols used.
2. You should also disable log4j lookups to protect the system from exploitation. Also, log4j Jar files should be removed or modified. Blocking dangerous requests that can trigger a JNDI lookup at the web application firewall is a small step to make scanning by lower-level attackers less effective. If at all possible, limit network egress from hosts with susceptible software.
3. Keep an eye out for third-party vendor patches and install all updates and security patches issued by manufacturers and vendors as soon as they become available.
4. Installing a web application firewall with rules that focus on log4j is another form of defense.
5. The National Cybersecurity Centre (NCSC) recommends setting up alerts for probes or attacks on devices running Log4j.
Log4j has taken the globe by storm, and it appears to be here to stay. Log4j will keep the IT community busy for months to come because there is no standard solution for a vulnerability of this magnitude. As things stand, security researchers, defense teams, and white hat hackers are all scrambling to figure out how widespread this flaw is and what would the long-term consequences of such an invasion entail. While the situation appears to be dire at the time, users should still make it a priority to minimize this vulnerability by following the aforementioned suggestions and the recommendations by the cybersecurity experts. Still, need some professional advice? We at Praavah consulting are happy to be of assistance if you feel exposed to the threat and are looking for a digital transformation agency that you can trust.