CIOInsider India Magazine

In shut-eye time, Log4j vulnerability has become one of the worst cyber security flaws to have been discovered. Critical exposure to the malware of java programming language puts global IT landscape on alert. Apache log4j team invented Log4j as one of the several Java logging frameworks and it is a successor of log4j1. According to researchers from famous firms, the exploitation of the bug has been started from the beginning of the month which causes huge impact on applications.

What is Log4j Vulnerability?
Vulnerability came to light on December nine, when Alibaba’s cloud security team advised about the flaw. The vulnerability has since been named Log4Shell, an ominously simple method for executing code in Java applications, log4j can be configured through a configuration file or a java code. Configuration files can be written in XML, JSON, YAML, or properties file format. Within a configuration, one can define three main components that are Loggers, Appenders, and Layouts. Configuring logging via a file has the advantage that logging can be turned on or off without modifying the application that uses Log4j. The application can be allowed to run with logging off until there's a problem and then logging can be turned back on simply by modifying the configuration file.

How Does Log4j Work?
Log4j is used for large platforms, apps and services. The detailed application of the collection varies, the recording of events in applications consistently plays a major role. Think of logging the identity of users and login attempts. Once the application processes an event, Log4j spins out data. The programmer of the application determines what the data is about. For example, username of the attempted Login or the time of the user login.

The susceptibility that Alibaba’s security team faltered upon stems from an interaction between the Java programming language and the Log4j library. Java, in combination with Log4j, is capable of executing code stored at a remote server. Programmers opt for the URL server choses. When executing the string in a Java application, the application will attempt to execute the data from the specified URL.

Log4j directly cannot hack the server. For example, user in the chat sends a sting in the chat message. The URL points to a server with instructions for executing a malware application. Log4j logs the string, Java deduces a command and executes it as told, and the user succeeds in hacking the server without having or obtaining the password.

Organizations which are at Risk by Log4j
Vulnerability is serious as exploiting it could allow hackers to control java abased web servers; in other words, one can say that vulnerability can lead to losing control of the system. The threat affects any Java application that logs a user’s input via Log4j. Such applications are extremely common. Apple iCloud is a prominent example. Log4j logs the names of iPhones somewhere in Apple’s iCloud. Changing an iPhone name to the aforementioned string proved more than enough to infiltrate iCloud’s servers. IBM 9.0 and 8.5 Web Sphere Application Server is affected by Log4j malware as well. Siemens’ various products have been impacted by this java programming. Many other organizations could also have drastic impact of this malware.

Vendors with popular products known to be still vulnerable including Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, Jet Brains, Nelson, Nutanix, Open MRS, Oracle, Red Hat, Splunk, Soft, and VMware. The list goes even longer when adding products where a patch has been released.

Furthermore, a significant amount of hosting services log browser names to determine the browser used by a connecting user. The popularity of Log4j is nearly impossible to measure, and it is estimated that the collection is found in the software of most business environments.

Every Log4j version which is published between September 13, 2013 and December 5, 2021 is susceptible. The Apache Software Foundation, developer of Log4j, has established an emergency patch to fix the vulnerability.

On a technical level, the vulnerability is as easy to solve as it is to exploit. A patch of the library is sufficient. The biggest problem is practical in nature. Log4j is used so frequently that organizations don’t know exactly where the library runs. Most global cyber security authorities recommend doing an inventory of applications that use Log4j. Afterwards, updating the application with the official patch is the advisable course. If the supplier of an application does not yet provide an updated version, disabling it is the sole safe option.

Solutions to overcome the Impact of Log4j
Cyber security leaders need to make identification and remediation of this vulnerability as an absolute and immediate priority. Starting with a detailed audit of every application, website and system within the domain of responsibility that is internet-connected or can be considered public-facing. This includes self-hosted installations of vendor products and cloud-based services. There is also a need to pay particular attention to systems that contain sensitive operational data, such as customer details and access credentials.

CISA’s advice is to identify internet-facing devices running Log4j and upgrade them to version 2.15.0, or to apply the mitigations provided by vendors immediately. But also recommends setting up alerts for examinations or attacks on devices running Log4j.

Log4j is a mutant of Log4Shell. There are 60 mutants of log4Shell. On the Log4Shell vulnerability, Jen Easterly, the director of the Cyber security and Infrastructure Security Agency (CISA), says that the agency is working with partners in the private and public sector to address the issue.

Furthermore, additional steps recommended by CISA are numbering any external facing devices with Log4j installed, ensuring the security operations center actions every alert with Log4j installed and installing a web application firewall (WAF) with rules to focus on Log4j.

AWS has updated WAF rule set to detect and mitigate Log4j attack attempts and scanning. It also has mitigation options that can be enabled for Cloud Front, Application Load Balancer, API Gateway, and App Sync. Foundation also currently updating all Amazon Open Search Service to the patched version of Log4j.

The Netherland's National Cyber Security Centrum (NCSC) has dispatched a comprehensive and sourced A to Z list on GitHub of all affected products it is aware are either vulnerable, not vulnerable, are under investigation, or where a fix is available. The list of products illustrates how extensive the vulnerability is, spanning cloud services, developer services, security devices, mapping services, and many more.

Meanwhile, cyber security researchers at Sophos have warned that they've detected hundreds of thousands of attempts to remotely execute code using the Log4j vulnerability in the days since it is publicly disclosed along with scans searching for the vulnerability.

Lotem Finkelstein, Director of threat intelligence and research for Check Point says, “I cannot overstate the seriousness of this threat. On the face of it, this is aimed at crypto miners but we believe this creates just the sort of background noise that serious threat actors will try to exploit in order to attack a whole range of high-value targets such as banks, state security and critical infrastructure."