If you have not heard of the Log4j software vulnerability, this article provides a brief background on what the Log4j software is, what it does, and how it can be exploited by hackers. It also includes an urgent warning issued by the US government’s cybersecurity agency regarding the flaw in the software.
What is the Log4j Software?
The Log4j software is a widely used logging solution developed by the Apache Software Foundation that runs on Java platforms like the Tomcat web server. It allows Java developers to write log messages in a structured format that tools can automatically parse into reports.
A vulnerability in the Log4j software
The United States Computer Emergency Readiness Team (US-CERT) recently released an urgent warning about vulnerabilities in the Log4j software. The vulnerability is found in the application’s ability to parse Java URLs and can lead to remote code execution. This vulnerability poses a grave risk to computer systems and networks worldwide.
Log4j is used by services like Apple iCloud, the online game Minecraft and the popular gaming service Steam, which makes the vulnerability one of the most dangerous found in recent years.
The security risk linked to Log4j is known as ‘CVE-2021-44228’, ‘LogJam’ or ‘Log4Shell’.
The vulnerability is ranked as one of the most severe security risks on the internet today because it impacts all versions of Log4j, including versions 2.0-beta-9 through 2.14.1.
This Log4j vulnerability affects everything from web applications to enterprise software and popular consumer products. Put simply, if an organization is using the Apache Log4j framework (including Apache Solr, Apache Struts2, Apache Druid, Apache Flink, etc.), then it is vulnerable to CVE-2021-44228.
What can hackers do with this information?
The US government’s cybersecurity agency, known as the National Security Agency (NSA), has released an urgent warning about a software vulnerability discovered in Log4j. This is a Java-based logging framework that is widely used by developers. The issue identified is that there was no fix to the flaw, so hackers were able to inject malware into any application that makes use of Log4j and then gain access to sensitive information.
Steps to take after a vulnerability has been found
The US Government’s Cybersecurity Agency, the National Cybersecurity and Communications Integration Center (NCCIC), has issued an urgent warning about a vulnerability in the Log4j project. It has been discovered that the Log4j library contains an exploitable security flaw; it is therefore important to take steps to remediate these vulnerabilities as soon as possible. After a log file is created, the vulnerable file can be found in a specific location. It is recommended that users implement logging methods that do not use the Log4j library.
The Apache Logging Services blog advises that the vulnerability was discovered by Chen Zhaojun of the Alibaba Cloud Security Team. On the Common Vulnerability Scoring System (CVSS), the Apache team has ranked this vulnerability as 10, which is rated as a “Critical” vulnerability.
The report by Sophos describes this vulnerability as an “uncomplicated, reliable, by-design remote code execution (RCE), which is triggered by nothing other than the user-supplied data. Ironically, this data may be getting logged for auditing or security purposes.” The report also notes that Log4Shell exploits the Lightweight Directory Access Protocol (LDAP), a software protocol that allows anyone to locate data about resources like devices and files within a network, whether on a corporate intranet or on the Internet.
According to Ziv Mador, Chief Software Architect at Slack, security risks “could potentially be exploited by a remote attacker.” The attacker can get Log4j to execute arbitrary code on a system. It is even possible for worms to exploit vulnerabilities automatically, which has led Ziv’s team to work on improving security.
Apache states that the Network Device Interface (NDI) features used in “configuration, log messages, and parameters” do not protect against attackers in this case. It warns that “an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers,” which is possible when message lookup substitution is enabled.
The issue has notably been fixed in Log4j 2.15.0, the latest version of the Log4j library, which comes with message lookup substitution disabled by default. All IT teams are therefore advised to find all code in their network that is written in Java and check whether it uses the Log4j library. Out-of-date Log4j versions should be updated as soon as possible.
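The inventory step described above can be automated. The following is an added example, not code from the article or from Apache: it walks Java archives, including JARs nested inside WAR/EAR files, and reports each log4j-core copy older than the 2.15.0 release named above. The Maven metadata path and the JndiLookup class path are the ones log4j-core JARs ship with; the function names and the sample archives are constructed for this example, and the FIXED threshold should be set to whatever release the current vendor advisory requires.

```python
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)  # the release the article names as fixed
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); no digits -> (0, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def scan_archive(data, label):
    """Return (location, version, outdated) per log4j-core copy, nested ones included."""
    found = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return found
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(.+)$", props, re.M)
            version = m.group(1).strip() if m else "unknown"  # repackaged copy: flag it
            found.append((label, version, parse_version(version) < FIXED))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                found += scan_archive(zf.read(name), f"{label}!/{name}")
    return found

def scan_tree(root):
    """Scan every .jar/.war/.ear file below a directory."""
    paths = sorted(p for p in Path(root).rglob("*") if p.suffix.lower() in ARCHIVES)
    return [hit for p in paths if p.is_file() for hit in scan_archive(p.read_bytes(), str(p))]

def make_jar(entries):
    """Build a constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Constructed sample: a WAR bundling an old, a repackaged and a fixed copy."""
    old = make_jar({POM_PROPS: b"version=2.14.1\n", JNDI_CLASS: b""})
    fat = make_jar({JNDI_CLASS: b"", "lib/new.jar": make_jar({POM_PROPS: b"version=2.15.0\n"})})
    return scan_archive(make_jar({"WEB-INF/lib/old.jar": old, "app.jar": fat}), "shop.war")
```

Run `scan_tree("/path/to/apps")` against a real deployment directory; a copy reported with version "unknown" has no Maven metadata and needs manual review. Nested archives are read fully into memory, so cap entry sizes before pointing this at untrusted files.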
The US government’s cybersecurity agency issued an urgent warning about the flaw
The vulnerability has been discovered in Log4j, a widely-used software library used to build logging services. The vulnerability would allow an attacker to launch a remote code execution attack against the application without authentication. This kind of attack could be used as an exfiltration tool with devastating consequences.
Major tech companies rush to fix Log4j software
The US government’s cybersecurity agency has released a warning to major technology companies after discovering a vulnerability in their software that could have allowed hackers to take control of your computer.
This vulnerability — discovered by the Department of Homeland Security and the National Cybersecurity and Communications Integration Center — was found in Log4j, an open-source logging tool used by Microsoft, Oracle, and other major companies as well.
The US Department of Homeland Security and its cybersecurity agency issued a warning to all companies that use Log4j software. In their cautionary statement, they said that anyone using these products should immediately isolate themselves from the web until they have updated to the fixed version.
In this urgent warning, cybersecurity experts in America urge companies to take preemptive action now, before hackers gain access to their systems. IBM and Microsoft have released patches for their products after the US government’s cybersecurity agency, the National Cybersecurity and Communications Integration Center (NCCIC), noted a vulnerability in the software.
The agency says that cybercriminals can take advantage of unpatched Log4j software to gain complete control over a device. The NCCIC notes that the US federal government has applied this software widely across many systems, highlighting how insecure it is.
After the recent Log4j software vulnerability, US government cybersecurity agency officials issued an urgent warning to organizations and individuals. The agency staff stated that they believe that “the current threat landscape has shifted significantly and is more focused on insider threats,” making this information timely and applicable.