Researchers uncovered a critical vulnerability in the Apache Log4j library, which achieves a perfect 10 out of 10 in CVSS. Here’s how to guard.
Various data security news outlets informed on the discovery of critical vulnerability CVE-2021-44228 in the Apache Log4j library. Millions of Java applications use this library to log mistake notifications. To make matters worse, hackers are already vigorously manipulating this vulnerability. For this cause, the Apache Foundation advises all developers to update the library to version 2.15.0, and if this is not potential, use one of the techniques described on the Apache Log4j Security Vulnerabilities page.
Why CVE-2021-44228 is so dangerous?
CVE-2021-44228, also called Log4Shell or LogJam, is a Remote Code Execution (RCE) class exposure. If attackers work to manipulate it on one of the servers, they acquire the capability to run arbitrary code and potentially take full authority of the system.
What creates CVE-2021-44228 extremely dangerous is the ease of exploitation, even an amateur hacker can successfully perform an attack using this vulnerability. According to the researchers, hackers only need to force the application to write just one string to the log, and after that, they are capable of uploading their own code into the application due to the message lookup substitution process.
Working Proofs of Concept (PoC) for the aggression via CVE-2021-44228 are already known on the Internet. Therefore, it’s not unexpected that cybersecurity organizations are already reporting massive network scans for vulnerable applications as well as attacks on honeypots. This vulnerability was found by Chen Zhaojun of the Alibaba Cloud Security Team.
What is Apache Log4J and why is this library so famous?
Apache Log4j is a portion of the Apache Logging Project. By and large, usage of this library is one of the most comfortable ways to log errors, and that is why most Java developers use it.
Many extensive software companies and online services use the Log4j library, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and numerous more. Because the library is so prevalent, some data security researchers expect significant growth of the hacks on weak servers over the following few days.
Which versions of the Log4j library are vulnerable and how to rescue your server from attacks?
Almost all versions of Log4j are vulnerable, beginning from 2.0-beta9 to 2.14.1.
The easiest and most adequate protection method is to install the most recent version of the library, 2.15.0.
If for some cause updating the library is not feasible, Apache Foundation suggests using one of the mitigation techniques. In the case of Log4J versions from 2.10 to 2.14.1, they recommend setting the log4j2.formatMsgNoLookups system belongings, or setting the LOG4J_FORMAT_MSG_NO_LOOKUPS background variable to true.
To secure earlier releases of Log4j, the library developers suggests deleting the JndiLookup class from the classpath: zip -q -d log4j-core – *. Jar org / apache / logging / log4j / core / lookup / JndiLookup .class.
In addition, we suggest installing security solutions on your servers — in many cases, this will let you see the launch of vicious code and stop the attack’s development.
If you have any doubt about the Apache Log4j library and its vulnerability. Don’t hesitate to contact us through the given email. Airzero Sec will be your digital partner.
Author - Johnson Augustine
Cloud Architect, Ethical hacker
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/