Log4j not so technical

Sanna Diana Tomren
Dec 14, 2021

IT security experts, administrators and developers have been working around the clock lately because of a critical vulnerability discovered in the popular Java library Log4j. So I will try to break this down for not-so-technical but interested readers.

What is a Library?

Today's software and software development predominantly use pre-made libraries to add functionality and save effort. A software library generally consists of pre-written code, configuration data, and more. Typically, a developer adds a library to a program to gain some functionality or automate a process without writing the code from scratch.

Use case: Develop an application that estimates how real estate prices will develop based on historical data. Rather than writing complex statistical functions from scratch, the developer adds a mathematical library to the program and uses its pre-made functions to do the same job.

The Java Library Log4j

Log4j is a popular Java library developed and maintained by the Apache Software Foundation (the world's largest open-source foundation), so anyone can use it for free. It is widely adopted in many commercial and open-source Java products as their logging framework. Companies and developers use it to record what their servers (or even client-side apps) are doing.

Use case: When you visit a website, your IP address, your browser and the pages you visit are recorded by the logger. This activity data helps companies troubleshoot their services. Note that much of what gets logged (the browser name, for instance) is text that the visitor's own software sends to the server.

What is this vulnerability all about?

A zero-day (0-day) vulnerability in version 2 of the popular Java logging library Log4j was publicly disclosed, and it goes by the name Log4Shell.

0-day exploit?

A vulnerability for which no fix is available: either it is unknown to those who would mitigate it (including the vendor of the affected software), or it is known but no patch exists yet. Attackers can exploit it to harm programs, data, other computers or a whole network until it is mitigated.

Who is affected? Correction: who is not affected?

I believe it is fair to say you should expect to be vulnerable to Log4Shell somewhere in your IT environment, in one form or another. See an extensive list of affected services, vendors, and third parties here.

The impact of the exploit

Log4Shell gives an unauthenticated attacker remote code execution (RCE) simply by getting the application to log a particular string. How? Log4j 2 does not just write the text it is given; it scans it for lookup expressions of the form ${...} and resolves them. One of those lookups, ${jndi:ldap://host/path}, makes the application contact the named directory server (via JNDI, Java's naming and directory interface, typically over LDAP) and load what it returns. If the attacker controls that server, it returns Java code, which the application then runs with its own privileges. Because attackers choose what ends up in logs (a username, a browser name, a chat message), they control the string, and so they can take full control of servers and clients.

Bleeping Computer noted in its report that attackers are installing crypto miners, malware and ransomware, and recruiting machines into botnets for DDoS (Distributed Denial of Service) attacks. Microsoft's threat intelligence team has also noted that many attackers install the Cobalt Strike penetration testing tool to enable credential theft.

The impact (complete control of the server) combined with how easy it is to trigger makes this a critical vulnerability: it is tracked as CVE-2021-44228 and scored CVSS v3 10.0, the highest possible score.

CVE & CVSS?

  • Common Vulnerabilities and Exposures (CVE)
  • Common Vulnerability Scoring System (CVSS)

CVSS is the standard for scoring how severe a vulnerability is, on a scale from 0.0 to 10.0. CVE is simply a catalogue of publicly disclosed vulnerabilities, each with a CVE ID, a description, dates, and references. The CVSS score is not part of the CVE entry itself; you must use the NVD to find the assigned CVSS score.

NVD: The National Vulnerability Database is a database maintained by NIST and fully synchronized with the MITRE CVE list.

Where to go from here?

Some recommendations from the Swiss Government Computer Emergency Response Team

  • If patching is not possible for whatever reason, we strongly recommend isolating the system from the Internet and/or applying the following mitigation measures:
  • For version >=2.10: set log4j2.formatMsgNoLookups to true
  • For releases from 2.0 to 2.10.0: you may want to remove the LDAP class from log4j completely by issuing the following command: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • For certain JVM versions, it is possible to set com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false to mitigate the vulnerability. Some JVM versions already have this as the default setting
  • You may check for exploitation attempts, no matter whether they were successful or not, in your web server logs using the following Linux/Unix command: sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log/

(…)

Summary

In the worst case, this vulnerability can take down your services or hurt your business significantly. So take measures: gather and inform your teams (technical and non-technical), work systematically, get help from professionals, and plan the Christmas holiday shifts properly. The vulnerability is public and attackers do not take holidays. Even outside business days and hours, stay operational and proactive to protect your business 24/7.

I hope this article gave you some valuable input, some learning, and an understanding of what we are in the middle of, and will be for some time to come.

References:

https://www.techopedia.com/definition/3828/software-library
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
https://apache.org
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.balbix.com/insights/whats-the-difference-between-cve-and-cvss/
https://www.randori.com/blog/cve-2021-44228/
https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
https://en.wikipedia.org/wiki/Denial-of-service_attack
https://www.paloaltonetworks.com/cyberpedia/what-is-botnet
https://docs.microsoft.com/en-us/previous-versions/tn-archive/dd632948(v=technet.10)?redirectedfrom=MSDN
