On December 9, Apache Log4j developers disclosed CVE-2021-44228, a critical flaw in the widely used Java logging library allowing hackers to gain complete control over affected servers by using a remote code execution. First discovered by a researcher working for the Chinese tech firm Alibaba, which privately informed the Apache Software Foundation, this vulnerability spilled into the public view when the popular sandbox game Minecraft published a blog post announcing the flaw. The ease with which hackers can use this exploit and the near-ubiquitous use of the Log4j framework combine to make this "one of the worst exploitable vulnerabilities ever seen," according to TechGenix. Since its discovery, the Apache Software Foundation has released a security patch that disables the bug, but the cyberattacks are just beginning.
What is Log4j?
Distributed freely by the nonprofit Apache Software Foundation, Log4j is an open-source Java logging library widely used by other frameworks. Log4j allows software developers to record and log user activity and the behavior of applications. As a foundational tool for many popular websites, applications and online services, it may come as a surprise that Log4J relies on a small group of Apache volunteers for maintenance. In recent days, these volunteer developers have worked around the clock to release security patches and updates for the software to mitigate further exploitation. However, the patches Apache has released remain incomplete as new issues surface, effectively forcing the cybersecurity world into a race against attackers.
The Log4Shell vulnerability
Log4Shell is the unofficial name given to the CVE-2021-44228 bug, as it affects the Log4j Java code library and, if successfully executed, provides attackers with a 'shell,' enabling them to run any system code of their choosing. Given the ease and impact of the exploit, the wide use of Java libraries and the challenges of remediation, Apache assigned the Log4Shell flaw a severity score of 10 out of a possible 10. The vulnerability allows hackers to inject text or log message parameters into server logs which then loads code from a remote server. These targeted servers then execute the code without the need for authentication, allowing an attacker to gain full server control.
How are cybercriminals using this exploit?
Since the public announcement of Log4Shell, hackers have been quick to exploit the vulnerability across a variety of organizations. Bitdefender, a cybersecurity company, has detected numerous attacks on their honeypots as well as real-world attacks on their endpoint protection machines. After gaining access to servers, cybercriminals have primarily leveraged this vulnerability to hijack computing power for malicious cryptomining operations performed without the knowledge or consent of the owner, otherwise known as cryptojacking. But the damage doesn't stop there. Cybercriminals are also penetrating vital networks to auction off access through the dark web and targeting vulnerable machines to create armies of digital 'zombie' devices called botnets.
Who is at risk of attack?
The impact of this exploit has been widespread as countless programs rely on Java logging libraries, software written in Java or other Java components and development frameworks. This complex ecosystem of dependencies makes assessing the attack surface a monumental task. Cloud services like Amazon, Apple, Cloudfare, Steam and Twitter are just a few major examples of vulnerable companies, but this list is still growing as attacks continue. The prevalence of Java-based applications also means organizations face third-party risks from vendor applications using the logging library. Despite the recent patches released by Apache, the remediation process for organizations is expected to take months, if not years, to fully secure, according to The Wall Street Journal. As the U.S. Cybersecurity and Infrastructure Security Agency put it, "this vulnerability poses a severe risk," and potential impacts will only be minimized through "collaborative efforts between government and the private sector."
What can you do about it?
To mitigate the damage of the Log4Shell exploit, security experts advise updating affected devices to the latest version of Java. The Apache Software Foundation has also published a security advisory with further details on the vulnerabilities of the now unsupported Log4j version 2.14.1. The latest Log4j update, version 2.16.0, disables these initial exploitations by preventing remote class logging via the Java Naming and Directory Interface (JNDI). While access to JNDI is disabled by default in newer versions, users are still advised not to enable JNDI in the latest update. If you're unable to update but you're still using Log4j version 2.10.0 or later, it's recommended that you block JNDI from making requests to unauthorized servers.
It's clear that this latest and severe Java vulnerability will have a long-lasting impact on the world of cybersecurity. While open-source coding tools are vital to the continued evolution of technology, it's evident that these frameworks come with security risks. Terminal emulation programming eliminates reliance on Java code to keep your organization safe from data breaches and cyberattacks. That's where Inventu comes in.