After several high-profile incidents in 2021, yet another software vulnerability has been brought to light just a few weeks before the end of the year. And not only is this the worst one yet, but it could have ramifications that stretch far into the future.
Below, we examine the Log4j security flaw, including what the issue is and what you should know right away.
What Is Log4j?
Log4j is the name of a logging library that’s free and open source. Logging libraries allow programmers to record details about how programs run, which helps them improve code, investigate bugs, and generally make sure that everything is working properly.
This particular library is published by The Apache Software Foundation, a nonprofit company that supports many such projects. It’s a well-respected tool, and since it’s free, a huge number of companies integrate it into their systems. Any sort of firm, from a small business to a mega-corporation, could rely on it in their software.
The Log4Shell Vulnerability
On December 9, 2021, a zero-day security problem was announced in Log4j. This bug (dubbed Log4Shell) allows attackers to run whatever scripts they want on a remote server, which could have devastating consequences.
To take advantage of this error, an attacker can search for a specific string of text on a website. Using this allows them to place whatever text they want onto the web server’s logs, allowing them to carry out a variety of attacks.
NIST has cataloged the vulnerability as CVE-2021-44228. Its threat level is a 10/10, due to the ease of any attacker exploiting this flaw and the fact that it doesn’t require any input from the user of an affected device.
The Far-Reaching Effects of Log4Shell
So far, security analysts have seen hundreds of thousands of attack attempts since this went public. Some attacks involve installing crypto mining software or setting up botnets using this exploit. In some situations, attackers dropped Cobalt Strike beacons on affected servers.
Hard to overstate the severity of the Apache Log4j vulnerability being exploited across critical and industry systems as we speak.
CISA Director @CISAJen “one of the most serious I’ve seen in my entire career, if not the most serious.”
— Nicole Perlroth (@nicoleperlroth) December 14, 2021
Cobalt Strike is a penetration testing tool that normally lets companies simulate what a malicious actor could do with access to their devices. However, criminals have used compromised versions of this tool before to set up ransomware attacks.
This highlights the long-term nature of this exploit. Cybercriminals could use this vulnerability to install monitoring software on a server, then play a long reconnaissance game to monitor systems, gather private information, and plan a deeper attack.
The combination of Log4j’s popularity and the ease of attack with this vulnerability makes it a massive problem. Some of the biggest tech companies in the world, like Apple, Amazon, Cloudflare, and Cisco, are affected. Since Amazon’s web services power millions of websites around the world, the attack surface is enormous.
Thankfully, Apache has issued a Log4j patch that fixes this security flaw. In Log4j 2.12.2, the affected feature is disabled by default. Starting with version 2.16.0, the feature is removed entirely.
Major companies should have this installed across the board before long; the long-lasting effects will come from the other devices affected by this vulnerability that aren’t patched right away. It’s common to see malicious actors pull off attacks using flaws that are a few years old, simply because people don’t take the time to install updates.
Jen Easterly, the director of the CISA, said the following on a call with CNN:
“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious . . . . We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents.”
The government has added this flaw to its list of known exploited vulnerabilities, and urgently advises all businesses that work with the government to patch it immediately.
If you use the Log4j library on any of your company’s devices, you should follow the instructions on Apache’s page linked above immediately. Otherwise, all we can really do is hope that big companies install the patches to remedy the problem to minimize the attack surface as quickly as possible.
2021: The Year of Security Flaws
2021 has been a rough year; aside from this huge exploit, we also saw the fallout from the SolarWinds hack and the Colonial Pipeline ransomware attack. The full consequences of this issue will likely not be known for some time. It’s vital to update as many affected devices as possible, as quickly as possible, to prevent this exploit from running on them.
While we’re thinking about updates, you should know how to keep everything updated on Windows 10 for your own computer.