Recent news in the cybersecurity world, and in turn the larger IT sphere, has centered on the Log4Shell vulnerability (CVE-2021-44228). Many security professionals consider it one of the worst exploitable vulnerabilities ever seen. While news about this vulnerability is changing rapidly, it is worth gaining a basic understanding of just what it is.
Early in December 2021, numerous cybersecurity researchers began sounding the alarm about a vulnerability that would later be classified as critical. This vulnerability turned out to be a zero-day in the Java logging library Apache Log4j. Java as a whole has been an insecure programming language for years now, and this is just the latest problem.
The zero-day had been actively exploited even before researchers were aware of it. According to Bleeping Computer, threat actors are exploiting CVE-2021-44228 to install ransomware, launch denial-of-service attacks, form botnets, and deploy Cobalt Strike beacons.
According to the CVE entry, Log4Shell is characterized by the following:
“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
Log4Shell is a major issue because many global corporations rely on the Apache Log4j logging library. Affected entities include Amazon AWS, Cloudflare, Steam, and many more. While Apache has released patches for the vulnerability, each patch has been incomplete as new issues continue to arise. Effectively, the entire IT world is in a race against time to plug leaks that spring faster than they can be dealt with. Patching Log4Shell will be a near-insurmountable task, but it must be done.
In a blog post about Log4Shell, Sophos’ Paul Ducklin gives arguably the most logical mitigation strategy that can be followed at this point. While the whole post is worth a read due to its succinct explanation of Log4Shell, the strategies to protect against it deserve special attention. In short, Ducklin states that IT teams must:
- Patch to the latest Apache Log4j version (2.16.0 is the most current as of this article’s writing).
- Immediately cease using Log4j 1.x, as it is unsupported and has a bug similar to Log4Shell. Lack of support means never seeing a patch, leaving you open to permanent exploitation.
- If you are unable to update at this time, block JNDI “from making requests to untrusted servers.”
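An inventory check for the first two items in the list above, as an added example (not code from Ducklin's post or from the Apache project): it opens a JAR/WAR/EAR, recurses into nested archives, and classifies every Log4j copy it finds against the 2.16.0 release named here. The function names, status labels and the `make_jar` demo helper are assumptions made for illustration; the archive entry paths are the ones used inside the published Log4j JARs.

```python
import io
import re
import zipfile

POM_PATHS = {  # Maven metadata entries inside the published JARs
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "log4j-core",  # 2.x
    "META-INF/maven/log4j/log4j/pom.properties": "log4j",                               # 1.x
}
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
RECOMMENDED = (2, 16, 0)  # release the article names as current; raise as newer fixes ship

def classify(version):
    """Map a parsed version tuple to the action from the mitigation list."""
    if version is None:
        return "unknown-version"   # e.g. a shaded copy with its Maven metadata stripped
    if version[0] == 1:
        return "unsupported-1.x"   # no patch will come; migrate off it
    return "upgrade" if version < RECOMMENDED else "at-recommended"

def scan_archive(data, name, depth=0, max_depth=5):
    """Return (path, artifact, version, status, has_jndi_lookup) per Log4j copy found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        poms = [p for p in POM_PATHS if p in names]
        for pom in poms:
            text = zf.read(pom).decode("utf-8", "replace")
            m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
            version = tuple(int(g or 0) for g in m.groups()) if m else None
            findings.append((name, POM_PATHS[pom], version, classify(version), has_jndi))
        if has_jndi and not poms:  # class present but no metadata: report it, never skip
            findings.append((name, "log4j-core", None, classify(None), True))
        if depth < max_depth:      # fat JARs and WARs bundle their libraries as nested archives
            for entry in sorted(names):
                if entry.lower().endswith((".jar", ".war", ".ear")):
                    findings += scan_archive(zf.read(entry), f"{name}!/{entry}", depth + 1, max_depth)
    return findings

def make_jar(entries):
    """Build a constructed in-memory archive from {entry_name: content} (demo input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()
```

To scan a real file, pass its bytes and path, for example `scan_archive(open(path, "rb").read(), path)`. Anything other than `at-recommended` needs follow-up.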
With this bug occurring during the holiday season, one could really call Log4Shell the perfect storm. Cybersecurity professionals are already on high alert due to the increase in cybercrime at this time of year. Log4Shell just kicked everything into overdrive, and truly will make this 2021 season one to remember for all the wrong reasons.