Overview
What is log4j?
First, let's talk about the affected package. Log4j is a programming library (i.e. pre-written code) that appears in millions of computer applications globally. It is free, open-source, and has been widely used since 2001. Applications use Log4j to write short amounts of information into files or databases for "logging" purposes.
What is Log4Shell?
Log4Shell is the nickname given to the Remote Code Execution (RCE) vulnerability that was disclosed in the Log4j utility managed by the Apache Foundation. Specifically, Log4Shell refers to CVE-2021-44228 and associated vulnerabilities.
If an application is using a vulnerable version of log4j, an attacker can trigger the application to reach out to an attacker-controlled host which then deploys malicious code on the application’s server and gives the attacker control over the application and the server it sits on.
A single web request can be enough to trigger the vulnerability. Often the request can occur even before a user is authenticated.
Impact
Log4Shell is a critical vulnerability that can allow attackers to execute malicious code remotely on a target. If exploited, impact can range from theft of data and installation of malware to full takeover of the system.
How to fix
log4j2
For users of log4j2, please upgrade log4j-core to the latest version available. In versions that cannot be upgraded, remove the JNDI Lookup class from the classpath with the following command:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
For custom applications, we recommend that you update the library, rebuild, and redeploy the application.
For vendor applications, obtain updated software from the vendor. If they do not have an update or you did not apply the update, your systems and their data are at high risk for remote exploitation.
Log4j1
Teams that locate log4j1 should follow recommendations to either upgrade to log4j v2.17 or remove the JMSAppender and SocketServer classes from the library. To do this, run the following (with your version of log4j in the path):
zip -d log4j-1.x.x.jar org/apache/log4j/net/JMSAppender.class
zip -d log4j-1.x.x.jar org/apache/log4j/net/SocketServer.class
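To check where the class removals above still need to be applied, the following added example (not part of the original lesson or of any Log4j tooling) scans an archive, including jars nested inside application jars, for the three class files named in this section. The function names, the depth limit and the sample jar names are assumptions made for illustration.

```python
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Class files the page says to remove when upgrading is not possible.
RISKY_CLASSES = {
    JNDI_LOOKUP: "log4j2 JndiLookup",
    "org/apache/log4j/net/JMSAppender.class": "log4j1 JMSAppender",
    "org/apache/log4j/net/SocketServer.class": "log4j1 SocketServer",
}
NESTED_SUFFIXES = (".jar", ".war", ".ear")
MAX_DEPTH = 5  # assumption: cap recursion so a crafted archive cannot nest forever

def scan_archive(data, label, depth=0):
    """Return [(archive chain, description)] for each risky class still present."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, nothing to report
    with archive:
        for name in archive.namelist():
            if name in RISKY_CLASSES:
                findings.append((label, RISKY_CLASSES[name]))
            elif name.lower().endswith(NESTED_SUFFIXES) and depth < MAX_DEPTH:
                findings += scan_archive(archive.read(name), f"{label}!/{name}", depth + 1)
    return findings

def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: an application jar bundling one untouched log4j-core
    # and one where JndiLookup.class has already been removed.
    untouched = make_jar({JNDI_LOOKUP: b"", "org/apache/logging/log4j/core/Logger.class": b""})
    stripped = make_jar({"org/apache/logging/log4j/core/Logger.class": b""})
    app = make_jar({
        "BOOT-INF/lib/log4j-core-untouched.jar": untouched,
        "BOOT-INF/lib/log4j-core-stripped.jar": stripped,
    })
    return scan_archive(app, "app.jar")

if __name__ == "__main__":
    for chain, what in demo():
        print(f"{chain}: {what} still present")
```

A hit means the class file is present in that archive, not that the version is vulnerable: upgraded log4j-core releases still ship JndiLookup.class, so confirm the library version as well.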
Teams should also leverage a security solution that offers SCA (Software Composition Analysis) and SBOM (Software Bill of Materials) creation to easily detect whether their applications are vulnerable to this CVE. Companies like Contrast Security offer a complete product suite, with a free developer tier, CodeSec, that can be used to locate log4j and other vulnerable libraries. SBOMs are great inventories that provide immediate guidance on which applications are affected so that you or your security team can take action.
We recommend looking at other applications for which you have not yet created an inventory. You can use a tool such as SafeLog4J to evaluate these applications.
Congratulations!
You’ve learned what Log4Shell is and how to protect your systems from it. We hope you will apply your new knowledge wisely as you code! Feel free to share this with your network. Also, make sure to check out our lessons on other common vulnerabilities.