• Contrast Security
  • Book a Demo

What is Log4Shell?

Open-Source

 

Overview

 

What is log4j?

First, let's talk about the affected package. log4j is a programming library (ie. pre-written code) that appears in millions of computer applications globally. It is free, open-source, and has been widely-used since 2001. Applications use Log4j to write short amounts of information into files/databases for “logging” purposes.

 

What is Log4Shell?

Log4Shell is the nickname provided to the Remote Code Execution (RCE) vulnerability that was disclosed in the log4J utility managed by the Apache Foundation. Specifically, Log4Shell refers to [CVE-2021-44228] and associated vulnerabilities.

If an application is using a vulnerable version of log4j, an attacker can trigger the application to reach out to an attacker-controlled host which then deploys malicious code on the application’s server and gives the attacker control over the application and the server it sits on.

A single web request can be enough to initiate a log4j hack. Often the request can occur even before a user is authenticated.

Log4j Contrast Demonstration

 

Impact

Log4Shell is a critical vulnerability, and can allow attackers to execute malicious code remotely to a target. If exploited, impact can range from theft of data, installation of malware, and full takeover of the system.

 

How to fix

log4j2

For users of log4j2, please upgrade log4j-core to the latest version available. In versions that cannot be upgraded, remove the JNDI Lookup class from the class path via the following:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.      

 

For custom applications, we recommend that you update the library, rebuild, and redeploy the application

For vendor applications, obtain updated software from the vendor. If they do not have an update or you did not apply the update, your systems and their data are at high risk for remote exploitation.

 

Log4j1

Teams that locate log4j1 should follow recommendations to either upgrade to log4j v2.17 or to remove the JMSAppender and SocketServer classes from the library. To do this run the following (with your version of log4j in the path):

zip -d log4j-1.x.x.jar org/apache/log4j/net/JMSAppender.class
zip -d log4j-1.x.x.jar org/apache/log4j/net/SocketServer.class

 

Teams should also leverage a security solution that will offer SCA (Software Composition Analysis) and SBOMs (Software Bill of Materials) creation, to easily detect if their applications are vulnerable to this CVE. Companies like Contrast Security offer a complete product suite, with a free developer tier, CodeSec, that can be used to locate log4j and other vulnerable libraries. SBOM are great inventories that provide immediate guidance on which applications are affected so that you or your security team can take action.

We recommend looking at other applications where you have not yet created an inventory for. You can use a tool such as SafeLog4J to evaluate these applications.

 

Congratulations!

You’ve learned what Log4Shell is and how to protect your systems from it. We hope you will apply your new knowledge wisely as you code! Feel free to share this with your network. Also, make sure to check out our lessons on other common vulnerabilities.

Want to make a revision on this learning module? Click here to create a pull request!

 

Featured in:

BLOG: Log4Shell By The Numbers

BLOG: Log4Shell still an issue, but CodeSec audit can help

Up Next!

Cross Site Scripting (XSS)

New Icon

Cross Site Scripting (XSS)

Learn about Cross Site Scripting (XSS) and how it affects your Java source code

SQL Injection - Java-1

New Icon

SQL injection

Learn about SQL injection and how it affects your Java source code

Client Side Injection

New Icon

Client Side Injection

Learn about Client Side Injection and how it can affect your source code

JAVASCRIPT

Server-Side Request Forgery (SSRF)

New Icon

Server-Side Forgery 

Learn about Server-Side Request Forgery (SSRF) and how you can source code from it

JAVASCRIPT