BUSINESS NEEDS

Log4Shell

One out of ten systems might be affected by the critical Log4Shell vulnerability found in the Log4j version 2. The Log4shell vulnerability could be used to initiate a ransomware attack.

1/10 systems affected

The Log4j vulnerability is affecting as much as one out of ten systems.

1800+ dependencies

According to GitHub over 1800 repositories have a dependency on Log4j.

CVSS score 10

RCE vulnerability with the highest possible severity based on CVSS.

Ransomware related

Can be used in ransomware attacks, crypto mining, botnets, and data extraction.

A vulnerability of extreme magnitude

Log4Shell is a software vulnerability in Apache Log4j version 2. This vulnerability looks like hundreds of other vulnerabilities out there – but with some significant differences. This vulnerability might impact as much as one out of ten systems. Considering that this vulnerability can be exploited remotely, in combination with the number of affected systems, it’s without a question one of the most serious, if not the most serious, vulnerability we have seen in recent years. Accordingly, it requires every organization to take action proactively.

What is Log4j?

Log4j is a popular open-source Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of a system on the internet if the device is running specific versions of Log4j 2. The actual vulnerability is called Log4Shell.

As the most widely used logging framework on the internet, organizations across the industry have integrated Apache Log4j 2 into thousands of applications. This includes major cloud services such as Apple, Google, Microsoft, Cloudflare, and platforms like Twitter and Stream.

It logs messages from software and searches for errors. The data range is broad, from basic browser and web page information to technical details about the system.

Not only can the Log4j 2 library create simple logs, but it can also execute commands to generate advanced logging information. In doing so, it can also communicate with other sources, such as internal directory services.

CVE & patch history

Date: CVE: Description:
December 6, 2021 CVE-2021-44228 Apache issued a patch for CVE-2021-44228, version 2.15, on December 6, 2021.
December 13, 2021 CVE-2021-45046 This patch left part of the vulnerability unfixed, resulting in another CVE-2021-45046.
December 13, 2021   Apache released a second patch on December 13, version 2.16.
December 17, 2021 CVE-2021-45105 Apache released a third patch, version 2.17, on December 17 to fix another related vulnerability, CVE-2021-45105.
December 28, 2021 CVE-2021-44832 Apache also released a fourth patch, 2.17.1, on December 28 to address another vulnerability, CVE-2021-44832.

 

How Log4Shell is exploited

Log4Shell is an RCE (Remote Code Execution), meaning that anyone with access from the outside can exploit the vulnerability. In this case, they are using text messages to take control of the system. The Apache Software Foundation, which publishes the Log4j 2 library, gave the vulnerability a CVSS score of 10 out of 10, the highest-level severity score, because of its potential for widespread exploitation and the ease with which malicious cybercriminals can exploit it. While mitigation evolves and the damage unfolds, the fundamentals of the Log4Shell vulnerability won’t change.

When was the vulnerability discovered?

A security researcher at Alibaba first reported the vulnerability to the Apache Foundation on November 24. They discovered the attack December 9 on servers that host the game Minecraft. After further forensic analysis, they realized cybercriminals discovered the gap earlier and have exploited it since at least December 1, 2021.

RECORDED WEBINAR

How to detect & remediate the Log4j (Log4Shell) vulnerability

Watch this recorded webinar, featuring our CTO, Erik Torlén, and Mihail Lupan, Lead Security Engineer, to learn more about how organizations are affected by the Log4j vulnerability and how you can detect and remediate it.

Watch the webinar to learn:

  • About the Log4j vulnerability and how it impacts your organization
  • How to find this vulnerability using Holm Security VMP
  • Demonstration in Security Center
  • Q&A session

What’s the risk from the Log4Shell vulnerability?

Log4Shell is a zero-day vulnerability because cybercriminals likely knew about the exploit before experts did. What makes Log4Shell so dangerous is how vastly spread the Log4j 2 library is. It’s present in major platforms from vendors like AWS (Amazon Web Services) to VMware and software services large and small. The web of dependencies among affected platforms and services means patching can be a complex and possibly time-consuming process – and in many cases, not possible within a reasonable timeframe.

The ease of exploiting the vulnerability compounds its impact. The Log4j 2 library controls how applications log strings of code and information. The vulnerability enables an attacker to gain control over a string and trick the application into requesting and executing malicious code under the attacker’s control. Cybercriminals can remotely take over any internet-connected service that uses certain versions of the Log4j library anywhere in the software stack.

How does the Log4Shell vulnerability cause damage?

Because the Log4j 2 library can communicate with other sources and internal directory services, cybercriminals can easily feed Log4j 2 with malicious commands from the outside and make it download and execute dangerous code from malicious sources.

How cybercriminals can exploit Log4j 2 depends on the specifics of the affected system. So far, the vast majority of malicious activity has been mass scanning to fingerprint vulnerable systems. Cybercriminals have exploited the vulnerability to compromise virtualization infrastructure, install and execute ransomware, steal system credentials, take broad control of compromised networks, and exfiltrate data.

What are the vulnerabilities published so far?

CVE has published three vulnerabilities related to Log4Shell. To ensure systems that use Log4j 2 are protected against these vulnerabilities, IT teams should apply the latest patch, Log4j 2.17.0, for Java 8 and up.

Vulnerability: Description: Patches:
CVE-2021-45105 (latest) Left the door open for an attacker to initiate a denial-of-service attack by causing an infinite recursion loop on self-referential lookups. Log4j 2.17.0 for Java 8 and up. This is the latest patch.
CVE-2021-45046 (second) Could allow cybercriminals to craft malicious input data that could cause an information leak or remote code execution. Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up.
CVE-2021-44228 (original) Possible for an attacker to execute random code using the message lookup functionality. Log4j 2.12.2 and Log4j 2.16.0.

 

What vendors are affected?

A vast number of software vendors are impacted. Cisco alone has hundreds of impacted software and systems. Here are some of the vendors with affected software applications:

 

Adobe
Amazon
Atlassian
AWS
Broadcom
Cisco
Citric
ConnectWise
cPanel
Debian
Docker
FortiGuard
F-Secure
Ghindra
IBM
Juniper Networks
McAfee
MongoDB
Okta
Oracle
OWASP Foundation
Red Hat
Siemens
SolarWinds
SonarSource
SonicWall
Sophos
Splunk
TrendMicro
VMWare
Ubiquiti
Ubuntu
Zoho
Zscaler

 

What should cyber security teams do about this vulnerability?

If your application uses Log4j

Organizations that use Log4j 2 in their applications and infrastructure should update them immediately. The same applies to third-party applications. The version 2.17.0 release fully secures the library against the Log4Shell vulnerability.

If you use affected systems

Because Log4Shell affects so many systems and is easy to exploit, you need to act as soon as possible, especially when it comes to systems that are exposed out on the internet.

In environments with hundreds or thousands of systems, the first step is to identify which systems are impacted. This can be done using our vulnerability management platform. Then, if possible, patch the system. If patching is not an option, make sure the system is isolated so unauthorized users can't reach it.

Vulnerability management solution

Holm Security VMP

Holm Security VMP is a modern vulnerability management solution delivering unparalleled 360-degree coverage and comprehensive insight. Detect vulnerabilities, assess risk, and prioritize remediation for every asset in your entire infrastructure.

Detect and remediate the Log4j vulnerability