Log4j Vulnerability: Everything You Need to Know
The recently discovered Apache Log4j vulnerability has seen organizations and security vendors rushing to patch affected systems. Unfortunately, this severe security flaw can affect many more applications and systems over time, even after patching.
Malicious actors have leveraged the Apache Log4j vulnerability to target numerous corporate networks worldwide, making it a highly severe flaw.
While its discovery dates back to November 2021, the first official report was on December 10. By then, the log4j vulnerability had already affected nearly a third of global web servers, according to Cybereason.
Check Point, a leading cybersecurity firm, described Log4j as a severe vulnerability, having prevented over forty-three million attempts from gaining access to systems. It further reported that 46% of those attempts came from known malicious groups.
Now, as more organizations rush to patch the vulnerability, it’s critical to understand what has happened since its discovery.
Here’s everything your organization should know about the Apache Log4j vulnerability, its effects, and mitigation guidance.
What is Log4j?
Log4j is an open-source software from Apache Software Foundation developers. It’s coded in Java and runs across Windows, macOS, and Linux.
Log4j allows the creation of built-in logs – records of activities from troubleshooting issues or tracking data within programs. Many organizations use Log4j as their logging library of choice because of its open-source and free nature.
Log4j v1 emerged 21 years ago as a standard logging library for Java apps. Today, Log4j v2 is one of several java-based applications’ logging services.
Its distribution under Apache Software Foundation License as open-source software has made it a popular choice for many organizations worldwide. It’s a straightforward mechanism to log applications and user-generated data from within applications.
Log4j contains Java Naming and Directory Interface (JNDI) class, providing object and variable lookup resolution. The resolution process allows hackers to launch exploits with infections ranging from a simple mass scan to look for other hosts to infect to installing backdoors for data exfiltration.
What is the Apache Log4j Security Vulnerability?
The Log4j vulnerability allows hackers to execute code remotely on target systems and computers. It’s a high-profile security vulnerability whose severity score is ten out of ten.
Attackers were able to send server commands that vulnerable servers would execute. It included a Remote Code Execution (RCE), a critical class of infection that gives attackers full remote control access to host systems, allowing them to launch anything they want.
An Alibaba cloud security team member first discovered the Log4j vulnerability on November 24, 2021, and reported it to the Apache Open-source project team. The US government later reported the security flaw on December 10 through the Cybersecurity and Infrastructure Security Agency (CISA).
Soon after the public announcement, threat actors rushed to write software that could scan for and exploit the log4j vulnerability at scale. Others distributed the code for free and launched bots to scan and exploit weak systems.
The threat surface of zero-day vulnerabilities continues to grow, putting more open-source software applications at risk.
Speaking to Toolbox, Kayla Underkoffler, a senior security technologist with HackerOne, said that open-source is behind most modern digital infrastructures. He added that the average application uses around 528 open-source components, significantly increasing the threat surface.
Unfortunately, organizations do not control the open-source software, making it challenging to fix supply chain weaknesses.
How Log4j Works and How Attackers are Exploiting It
The new Apache zero-day log4j vulnerability allows easy-to-exploit RCE attacks. Hackers can use the Java logging library vulnerability to insert text into log messages to load the code from remote servers.
Additionally, targeted servers can execute codes via Java Naming and Directory Interface (JNDI) calls, connecting their interface with several services, including:
- Lightweight Directory Access Protocol (LDAP)
- Java’s Remote Interface (RMI)
- Domain Name Service
The attackers can then exploit URLs, LDAP, RMI, and DNS by redirecting to external servers.
Unfortunately, the discovery of the Log4j vulnerability and subsequent patches created another problem.
Since attackers knew patches were available and their window of launching carefully-crafted attacks was closing, they rushed to install or copy pieces of code into target systems that would lay dormant until their activation. It means that more sophisticated attacks are yet to come.
Who Does the Log4j Vulnerability Affect?
Several enterprises have already fallen victim to the Log4j vulnerability, exposing millions of devices. The flaw has put big tech companies like Apple, Oracle, Cisco, Minecraft, Google, and Microsoft at risk. Nobody is safe from cloud platforms and email services to web applications.
Microsoft-owned Minecraft, a popular video games company, is one of the first victims of the log4j exploit.
So far, 12 cybersecurity vendors have also fallen victim to the vulnerability, according to CRN. These include CyberArk, Okta, Broadcom, F-Secure, Fortinet, SonicWall, VMware Carbon Black, Ping Identity, ForgeRock, Rapid7, Sopho, and RSA Security.
How Organizations Can Protect Against Log4j Zero-Day Vulnerability
The most common way to fix vulnerabilities is by installing system updates or applying patches. Similarly, Apache Log4j has released the Apache Log4 2 that promises to fix existing security issues in logback’s architecture. Logback is the successor to the log4j project.
Unfortunately, preventing a zero-day attack of new security events remains aspirational since most companies are still struggling to answer whether they are vulnerable. A key determinant in the efficiency of the security patches is how quickly an organization can implement the changes.
Elite performers who invest in cybersecurity and disaster recovery can complete their cycle in less than one hour. However, other organizations may take a day or week to complete the process since they spend time looking for the code to fix.
An organization’s security teams must adopt a defense-in-depth approach to prevent cybersecurity breaches and allow them to find and remove bugs. Additionally, securing poorly-funded software is critical for organizations that rely on it.
How to Secure Networks
The following can help keep organizations safe from a Log4j exploit:
1. Patch Early and Often
It’s best to build a system or process to ensure that future versions of your applications, code, software, servers, and workstations remain updated.
Do this by scanning patching using a regular cadence. For example, version 2.17.1 is the most recent patch level for log4j.
2. Develop Zero Trust
Treat your internal network with zero trust, just like everything outside. For example, you can develop the least privilege (zero trust) approach to only grant permissions when required and to limit access to those who genuinely need it for business continuity.
Additionally, you can isolate workloads from each other and deny certain traffics inside your network access by default if, for example, there is no need for an app or system to communicate.
3.Remove the Code
If it’s impossible to patch the latest code revision of a log4j based app, remove the JDNI lookup class function. However, please proceed with caution because it might affect how some applications function
4.Assume the Worst
Always assume all RCE base vulnerabilities lead to worm-able-based infections. Therefore, it would mean that other servers risk exploitation through the victim server. Assume all your networks and systems will be compromised.
5.Do Security Testing
Conduct purple team testing and have red teams attacking while blue teams verify visibility and ensure defenses like IPS and EDR work as intended. If something is not working accordingly, tune it and rerun it.
6.Investigate Malicious Activities
Look for indicators of attack or compromise if your organization runs a vulnerability version of log4j. For example, the vulnerability could include abnormally high resource utilization, unexpected log activity, strange network traffic through your workloads, and the creation of new users.
Create a system that tracks your network, including users, assets, and vendor software. If new unknowns appear, investigate them and track their origin.
How the US Plans to Protect Against the Apache Log4j Vulnerability
The US government recently released an emergency directive that set guidelines for federal civilian organizations and agencies to respond to the attack.
The government is also planning conversations with private and public partners to mitigate the log4j exploit and improve vulnerability management moving forward.
The CISA director Jen Easterly said the agency was working with other key public and private partners plus federal agencies like Joint Cyber Defense Collaboration, NSA Cyber, and the FBI to manage the evolving threat.
He added that CISA would continue updating its consolidated Log4j web page to help organizations reduce their risk.
The Bottom Line
Cybersecurity has always been a critical, ongoing requirement, but now has a more sense of urgency with the escalation of the number and intensity of cyberattacks.
The Apache Log4j security vulnerabilities have shown that organizations need to invest more in cybersecurity beyond meeting compliance requirements.
Additionally, while open-source software has numerous advantages, including its availability and free nature, organizations should start thinking about building software securely from the ground.
It’s also critical to provide transparency on vulnerable software libraries using the Software Bill of Materials (SBOM).
Explore More Resources
Your Trusted Source for Cyber Education
Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.