LOG4J: The vulnerable library that is shaking the planet

On December 9, 2021, a critical vulnerability affecting the Java logging package Log4j was discovered.

This newly discovered cybersecurity flaw affects large areas of the internet, from Google and Amazon to the systems used to operate armies and hospitals. The US Department of Homeland Security's top cybersecurity official, Jen Easterly, called the flaw the most serious vulnerability in decades.

Most hacking attempts using Log4j so far have involved attackers trying to install cryptocurrency "mining" software on victims' computers.

However, some hacker groups have also tried to use the vulnerability to break into government agencies and companies in other countries, according to cybersecurity firm Check Point.

Definitions

First of all, some definitions so as not to get lost in certain more technical words present in the rest of this article. 😄

Java is a computer technology initially developed by Sun Microsystems and later owned by Oracle, which acquired Sun. Originally defined as a programming language, Java has evolved into a coherent set of technical and non-technical elements. Thus, Java technology includes:

  • Standards

  • Software

  • Business communities

Definition: WIKIPEDIA

First fruits

By now, most of you may have already heard about the Log4j security vulnerability (CVE-2021-44228), which has been called the "largest and most critical vulnerability in the last decade", and may have worked to protect your organization from it.

According to a TechSpot report, more than 840,000 attacks were launched within 72 hours of the vulnerability being disclosed and the number of attacks reached more than 100 per minute over the weekend.

This clearly shows why everyone is rushing to deploy the patch for the Log4J vulnerability.

And you are saying to yourself:

"That's all well and good, but we don't really understand what this vulnerability consists of, or why it is so dangerous."

Absolutely, and that is where this article comes in. I will divide it into two parts to explain things better:

  • The LOG4J vulnerability for those who want to know but without going into details

  • The LOG4J vulnerability for those who want to know, understand and defeat the flaw (more technical and in-depth explanations)

LOG4J vulnerability: A little but not too much

I got the following question from a friend who knows nothing about computers:

Can you explain to me what happened to make all the companies so scared?

I tried by all means to find simple words to explain it to him, but making someone non-technical understand a vulnerability linked to a Java library...

I sent him videos and tutorials but it was still too technical for him.

Fortunately, a former colleague ANDREA BARRACU was able to find the words to explain all this with a simple and effective example.

Screw story

One day, a super famous screw producer launched a new practical and effective range for all types of uses, and above all FREE! The screws and their instructions for use are therefore used by everyone: Large, medium and small businesses as well as DIY enthusiasts.

These screws were therefore everywhere: doors, chairs, tables, locks, safes... since they were free, well made and apparently safe.

Everything was going well in the best of all possible worlds, until the day a man discovered a way to unscrew each screw without a screwdriver but remotely via a powerful magnet. He posted his discovery on Twitter and many people abused the flaw.

Remember that the screws are everywhere, so anyone who understood how the magnet worked could force open any door that used them. Obviously some doors were more robust than others and resisted the attacks, but others gave way very easily. Nor were doors the only targets, since the screws were also in chests, chairs, drawers...

Exploiting the flaw is so simple that now every attacker around the office could open all the doors and drawers without much effort.

This type of screw is used in a large number of places and infrastructure which makes the problem HUGE.

Overnight, many businesses were no longer safe. An army of DIYers set about fixing and replacing this brand of screw with a new one, trying to be faster than whoever might have tried to exploit the situation.

So panic begins because there are too many screws. There are those that are difficult to change because they have been in place forever and those that have been forgotten because they are lost between old and new screws.

Companies, often, have lost the details of the specific screw they used and so that is a problem too.

Some screws were also used in the load-bearing walls of buildings and are therefore untouchable at the risk of causing everything to collapse.

LOG4J and screws

In our story above, you have understood that the screws refer to the LOG4J library. Log4j is used by developers to keep track of what's happening in their software applications or online services. It's actually a huge log of a system or application's activity. This activity is called "logging" and is used by developers to keep tabs on user issues.

This library was therefore available free of charge and used everywhere. That makes the task complicated for all companies and users, because they have to find every place affected by the flaw. The flaw is called LOG4SHELL (detailed explanation in the technical section) and gives an attacker remote access to infrastructures.

The library's maintainer, the Apache Foundation, released version 2.17.1 to patch the problem.

Patch (computer science): to develop a software fix that remedies a malfunction.

Definition: CORDIAL.FR

Impact & Targets

The log4j security vulnerability allows attackers to remotely execute malicious code on a target computer. That is, bad actors (hackers) can easily steal data, install malware, or simply take control of a system over the Internet.

All systems and services that use the Java logging library Apache Log4j, versions 2.0 through 2.15, are impacted. This includes, among others, Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, Dell, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft and VMware.

You can view the full list of vulnerable software and their security status on the GitHub of the "Nationaal Cyber Security Centrum (NCSC-NL)" or of SwitHak.

Conclusion

In summary, the Log4j library is present in large numbers in company infrastructures and their ecosystems. That makes the task very complicated, because every place likely to use a vulnerable version of the library has to be found, and the necessary tools to correct it have to be in place.
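Finding every copy of the library is the hard part, so here is an added example (not code from the article or from the Log4j project) of the kind of inventory script a defender would run: it walks a directory tree, opens every jar/war/ear/zip, looks for the Maven descriptor that the log4j-core artifact carries (META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties), reads the version from it, and recurses into archives nested inside other archives, because fat jars and wars are exactly the "forgotten screws" of the story. The flagged range (2.0 up to 2.15) and the fixed version (2.17.1) are taken from the article; the sample jars the script builds in a temporary directory are constructed here so the example runs offline.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Maven descriptor shipped inside the log4j-core jar; its "version=" line names the build.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"^version=(\S+)", re.MULTILINE)


def parse_version(text):
    """Return (major, minor) from a pom.properties body, or None if no version line exists."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = m.group(1).split(".")
    try:
        return int(parts[0]), int(re.match(r"\d+", parts[1]).group(0))
    except (IndexError, ValueError, AttributeError):
        return None


def is_vulnerable(version):
    """Flag the 2.0 .. 2.15 range the article gives as affected (assumption: article's range, not a full advisory)."""
    if version is None:
        return False
    major, minor = version
    return major == 2 and minor <= 15


def scan_archive(data, name, findings):
    """Inspect one archive given as bytes; recurse into archives nested inside it (fat jars, wars, ears)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container after all; nothing to inspect
    with zf:
        names = zf.namelist()
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
            findings.append({"path": name, "version": version, "vulnerable": is_vulnerable(version)})
        for entry in names:
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                # "outer!inner" naming shows where a nested copy hides
                scan_archive(zf.read(entry), f"{name}!{entry}", findings)


def scan_tree(root):
    """Walk a directory tree and return one finding per log4j-core descriptor found."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings


def _make_jar(version):
    """Constructed minimal log4j-core-like jar (sample input only, not a real Apache artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: a vulnerable jar, a patched jar, and a war embedding a vulnerable jar."""
    root = Path(root)
    (root / "app" / "lib").mkdir(parents=True)
    (root / "app" / "lib" / "log4j-core-2.14.1.jar").write_bytes(_make_jar("2.14.1"))
    (root / "app" / "lib" / "log4j-core-2.17.1.jar").write_bytes(_make_jar("2.17.1"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", _make_jar("2.15.0"))
    (root / "webapp.war").write_bytes(war.getvalue())
    return root


def demo():
    """Build the constructed tree in a temp directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "VULNERABLE" if f["vulnerable"] else "ok        "
        print(flag, f["path"], f["version"])
```

Run it against a real host by calling scan_tree("/opt") or similar instead of demo(); the point is that the nested copy inside webapp.war is reported just like the loose jar, which is what a plain filename search would miss. A version-only check is a first pass, not proof of safety: a vendor may have backported a fix without changing the descriptor, so findings should be reconciled against the vendor lists the article points to.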

For all involved, there is both a business and moral imperative to take immediate action to mitigate the vulnerability if it exists in public-facing systems. Naturally, no business wants its systems to be vulnerable to an attack that could result in data corruption or theft and the risk of serious business disruption.

Every organization should have a mitigation plan in case such a situation arises in the future. Whether it's shutting down the offending software or immediately patching it and testing the fix before putting it back into production, teams must be ready to respond proactively within hours or even minutes.

It's time to go make yourself a coffee and get started on the technical part!
