On 9th December 2021, the world was made aware that a critical security flaw has been found in the Java logging package log4j, identified as CVE-2021-44228. Thus, you should update the log4j packages that you use, as soon as possible to mitigate the risks that it could incur! The log4j vulnerability affects all versions from 2.0-beta9 through 2.12.1, and 2.13.0 through 2.14.1, which also includes 2.15.0-rc1. So updating your version isn’t optional — it’s imperative!
What exactly is Log4j?
The Java-based library, Log4j, has recently been found to have a serious vulnerability. Using a specially crafted string of characters, hackers can use your log files against you by either crashing or shutting down your program. Hackers are only able to access these files if they’re already in physical possession of your server/computer, but that doesn’t make it any less disconcerting. Fortunately for us all, there are ways you can fix it on both your local computer and on a cloud system like Amazon Web Services (AWS).
The Problem: What is the CVE-2021-44228 log4j vulnerability?
Logging frameworks are fundamental components in many software programs. The framework is a means of enabling logging that allows users to easily implement their logging mechanisms. Unfortunately, if your program uses an outdated version of log4j you may be vulnerable to a critical security exploit. This vulnerability has earned a CVSS severity base score of 10.0 (the most critical designation) and offers trivial remote code execution on host devices that runs software that utilises the vulnerable log4j version. This attack is being dubbed as “Log4Shell”.
If left unpatched, an attacker could gain access to your system with no more effort than sending you an email; in fact, they don’t even need to know your email address. They just have to send an attachment – something as simple as a .jpg picture – which will trigger a reverse shell in your device, thereby giving access to the attacker and can wreak havoc on your business and maybe others associated with your device through privilege escalation. Fortunately, there’s an easy way to mitigate things: upgrade. New versions of log4j contain fixes for this vulnerability, so check into upgrading immediately. While most developers are pretty good about keeping up with updates (and then there are some), you still want to look over things yourself and make sure there isn’t anything out-of-date lurking around your development environment.
Nearly all Java applications use log4j. Just read that again: nearly all Java applications using log4j are vulnerable. That makes it one of the biggest and most ubiquitous vulnerabilities discovered in a core system of Java, which affects millions of apps on servers around the world since Heartbleed (apart from Shellshock). Today’s find could be more devastating; it’s twice as comparable to Heartbleed in terms of potential for damage if exploited by hackers.
Unlike Heartbleed, however, today’s vulnerability has nothing to do with OpenSSL—the problem comes from within a different part of OpenJDK, its implementation of Java Development Kit. According to Renato Botelho, who disclosed the flaw, anyone can upload a script into /tmp folder or any other folder writable by user java. The flaw allows an attacker to upload a web shell that can then execute code remotely on affected computers. From there, things get even worse: bots can easily spread attacks across large groups of machines because it doesn’t require an internet connection – all they need is access to local network resources via SMB.
The most critical thing now would be an emergency patch released by Oracle (and applied immediately), though Botelho suggests people update their version to 1.2.27 or newer which should already have fixes included.
For a growing community-supported enumeration of software and services vulnerable to CVE-2021-44228 with screenshots for verification, check out this GitHub repository:
How is this Vulnerability exploited?
The flaw was found in a third-party library that supports Log4j, called Commons Collections. The vulnerability allowed an attacker to construct a malicious appender that could log sensitive information on behalf of another program. If your application uses Log4j (or you’re using another library based on it), then you need to know how to fix it. If you’re not sure whether your application is vulnerable, or if you’re unsure about what steps to take once you know for sure, read on for an overview of how it works and some recommendations for mitigation. The fastest way to begin addressing any security issue is by recognizing where it might be lurking. In that regard, let’s look at how Log4j stores its configuration data: In most cases, developers create either XML files or Java properties files (.properties) in which they store each piece of data for their particular configuration.
They might have several different files with varying configurations depending on individual environments. These are loaded into memory during startup using DataConfiguration objects, one per file. Each DataConfiguration instance loads its respective file from disk and then passes it to a Configuration() object along with additional context as necessary (this can include things like filter classes). The Configuration() class takes care of verifying that all of these parameters are valid—only once that validation completes does Log4j do anything else. This process sounds straightforward enough; however, there’s one problem—the default method used by Commons Collections didn’t check to see if filenames contained potentially malicious code when loading them into memory.
If you’re on Windows, change your path variable’s value from
%HOMEPATH%/bin to %HOMEPATH%\AppData\Local\bin.
If you are on OS X or Linux, you can either remove log4j completely by deleting its directory under /usr/lib/log4j or use sys-devel/dev-java/ant-contrib version 1.8.1p1 or newer that was released today (Changelog). Some reports updating Ant alone isn’t enough though; once Ant updates, run ant -Declipse.home=/path/to/your/eclipse_directory once again. The updated versions of Log4j and libAJP13 no longer allow an attacker to perform a Denial of Service attack against apps. According to Daniel Rettenwander’s ticket in OpenJDK 6 Bug Database, the final fix was made in revision 2355759 while fixing issue 6015991 and there were at least several attempts of fixing it previously since June 2011 so we could conclude that: This vulnerability is two years old but only recently came back into public attention due to it being included in Metasploit 4 Community Edition.
Now, log4j version 2.16.0 is available that patches this vulnerability (JNDI is fully disabled, support for Message Lookups has been removed, and the new DoS vulnerability CVE-2021-45046 is not present). Check out this GitHub repository for the updated release:
The Log4j vulnerability was caused by a simple configuration mistake. While no one likes running into these issues, it doesn’t mean you should ditch your project for another logging framework. All it means is that you need to check your logs regularly for errors and make sure you aren’t leaving yourself open to such vulnerabilities.
Every line of code needs a critical eye, so now is as high time as any for that periodic audit! Is everything up to date?
Do you realise every last bit of what’s going on? Or maybe you don’t even use that old version anymore, but never took it out? Now is a great time to take inventory. Don’t just remove potential vulnerabilities from your code but also keep them from returning in future versions by removing support for deprecated features where appropriate. Getting rid of obsolete functions, classes, or variables helps ensure stability while removing user confusion when they encounter messages informing them that such methods or capabilities aren’t currently available. Once complete, compare what was removed with an updated list of capabilities and calls provided by current functions and classes included within your development environment’s libraries before checking your changes into source control. Don’t forget to update your documentation too! After all, if people can’t figure out how to get started using your program without calling someone who knows its history first, they’re not likely to stick around very long…or hire you again!
You could come across other important security flaws in your dependencies or environment. So keep an eye on those things as well when looking at what needs patching! We don’t want to share a full-blown exploit without providing some forewarning. That would be irresponsible on our part. Before we get into that though, let us preface by saying there are many levels of expertise present when it comes to software development and vulnerability research.
No matter where you fall along these spectrums however we have no doubt all developers would find value in making these areas their respective strengths rather than weaknesses. We will see this vulnerability for years to come. Our hope is developers begin working towards understanding security topics more than they currently do which will ultimately make everyone more secure while being able to do their job easier as well.
Read this article and watch this video for a better understanding of the vulnerability.
Also, If you wish to delve into hands-on experience in understanding this vulnerability better, then check out this room at TryHackMe for free. This room will showcase how you can test for, exploit, and mitigate this vulnerability within Log4j.
A special thanks to my friend Sayak Karar, who assist me in writing this article.
You can also follow Sayak on LinkedIn, here is the link- Sayak Karar | LinkedIn