At the end of 2021 a vulnerability was discovered on Log4j—a Java-based software that large organizations, including some of the world’s biggest tech firms, use to log information in their applications—that wreaked havoc on the internet on a global scale. Hackers were actively attempting to exploit the vulnerability by the minute.
“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said on a phone call shared with CNN at the time.
In this blog, we’ll break down how it started, what the impact was, and what happens (or should happen) next.
The Inception: What is Log4j? Log4j is a Java logging library that logs messages of activities on a software or device. The powerful library can create simple logs and execute commands to create advanced logging and integrate with other components.
Log4j is widely used across consumer and enterprise systems, in everything from iCloud, Steam and Minecraft, to Fortinet, IBM, Microsoft, Red Hat, Salesforce, Siemens, and other major enterprises.
What is the Log4j vulnerability? Known as Log4Shell, it is a remote code execution (RCE) vulnerability that, if left unmitigated, enables a malicious threat actor to execute arbitrary Java code to take control of a target server. The troubling part is that it is easy to exploit and doesn’t require authentication.
And it gets worse.
The vulnerability can allow malicious actors to execute software or insert backdoors on systems to maintain persistent ongoing access.
Timeline of Events:
- November 24, 2021—threat was discovered by a security researcher and reported privately to the Apache Foundation.
- December 1, 2021—exploitation was observed according to Cisco Talos and Cloudflare.
- December 6, 2021—Apache released the initial and partial patch.
- December 9, 2021—threat discovered publicly on Minecraft servers.
- December 13, 2021—second patch released to mitigate leftover issues from first patch
- December 17, 2021 and December 28, 2021 respectively—third and fourth patch released to fix related issues.
Log4j is a very ubiquitous Java logging library—it can be found in nearly everything written in Java or depends/relies on Java software. Some examples of major recognizable platforms impacted are Apple, Amazon, Google, Cloudflare, Twitter, and Minecraft.
Exploitation is simple and does not require authentication. For example, a bad actor
- tricks the Log4j library into downloading and executing malicious code by submitting a HTTP request containing a lookup expression to the targeted application
- exploits and compromises any publicly available web application on the Internet
- Uses it as an initial vector to inject other malware into affected servers (ransomware, coinminer, bot, etc.).
How Does It Work Exactly?
- A bad actor injects a malicious payload via a user-supplied input. A bad actor can use HTTP header or other fields that are logged by Log4j.
- The application receives the request and logs the input.
- The Log4j library processes the log entry, interprets the lookup expression, and connects to a malicious LDAP server that the bad actor controls.
- The malicious LDAP server responds and instructs the application to download a malicious class file.
- The application downloads and executes the malicious Java class file.
We may not be hearing as much about it in the news, but organizations are still struggling to identify and patch affected systems because of how pervasive the Log4j library is. Many organizations are still unpatched because of the complexity of updating software across multiple interdependent systems at once. Other organizations are relying on the fact that their affected systems are not directly exposed to the Internet to delay patching. However, those systems can still be targeted via other means and once compromised, create as big a threat as public systems.
It is estimated to impact hundreds of organizations and thousands of systems. That number continues to rise as researchers—and criminals—continue to scan the Internet for affected systems.
How Can Trava Help?
Trava’s comprehensive risk assessment platform can help in several areas:
- Trava’s web application scan, external scan, internal scan, and agent scan are all capable of detecting systems vulnerable to Log4Shell.
- Trava’s surveys can help companies mature their security program and implement an effective Defense in Depth in case public servers get compromised.
Download Trava's Complete Guide to Vulnerability Scan types that details
- A description of each scan type
- Key insights learned from each scan
- Recommended frequency for running each scan
Then schedule a demo to see Trava's vulnerability risk assessment tool in action.