Log4Shell was first discovered on December 10th, 2021. Shortly after industry experts uncovered the critical Log4Shell vulnerability in servers supporting Minecraft, malicious actors initiated millions of exploit attempts targeting the Log4j 2 Java library, as reported by a team monitoring the situation. This vulnerability causes a significant threat to countless applications and devices worldwide.
Thankfully, Perforce static analysis and SAST tools such as Helix QAC and Klocwork offer assistance in addressing these concerns.
In this article, we try to dig deep into the Log4j vulnerability and provide you with an illustrative example. Later, we’ll also explore how you can prevent and detect this vulnerability.
What is Log4Shell?
Log4Shell, also recognized as the Log4j vulnerability, represents a remote code execution (RCE) flaw present in certain editions of the Apache Log4j 2 Java library. This vulnerability allows hackers to execute virtually any code they desire on compromised systems. It effectively grants them complete control over applications and devices.
Identified with the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44228, Log4Shell possesses a Common Vulnerability Scoring System (CVSS) score of 10. Its classification as one of the most dangerous vulnerabilities arises from its extensive reach and potentially catastrophic outcomes.
At the time of its discovery, Log4Shell was found to be vulnerable on about 10% of all digital assets, including servers, cloud services, and web apps. Exploiting Log4Shell offers hackers a myriad of possibilities, from data theft (data exfiltration) to ransomware installation and device hijacking for botnets, among others.
Log4Shell was initially discovered by cloud security researchers in November 2021. Apache promptly released a patch in December 2021, which ensures that all versions of Log4j from 2.17.1 onward are immune to Log4Shell and its associated vulnerabilities. Despite this, the Cybersecurity and Infrastructure Security Agency (CISA) underscores Log4Shell as one of the most frequently exploited vulnerabilities. Given Log4j’s widespread adoption in the software supply chain, the process of identifying and rectifying every vulnerable instance may extend over several years.
Examples of Log4Shell Attacks
Given Log4Shell’s capability to execute arbitrary code, cybercriminals have exploited this vulnerability to orchestrate various types of attacks. Notably, Log4Shell emerged as a zero-day vulnerability upon its discovery. It gives hackers an initial advantage in its exploitation.
Cybercriminals used cryptojackers, a type of malware intended to secretly mine Bitcoin on infected machines without the owner’s agreement, in one of the first Log4Shell assaults.
Multiple ransomware attacks have capitalized on Log4Shell, with notable examples including the Khonsari strain. It reproduced through the video game Minecraft, and NightSky, which specifically targeted systems operating VMware Horizon.
Moreover, access brokers have exploited Log4Shell to establish entry points within high-value corporate networks. This tactic often involves secretly deploying remote access Trojans (RATs) on compromised systems. Subsequently, access brokers vend these entry points to ransomware-as-a-service affiliates or other hackers within the dark web ecosystem.
Causes and Impacts
The root cause of the Log4Shell vulnerability was found in the Apache Log4j 2 Java library, which is extensively used for logging in a wide range of Java applications. The widespread adoption of Log4j, coupled with its integration into numerous systems and devices, contributed to the broad reach of Log4Shell.
Hackers exploit Log4Shell to execute various malicious activities, including data exfiltration, ransomware deployment, and the creation of botnets. Its impact extends across different sectors, from industrial automation systems to consumer-grade smart home devices.
Despite the release of patches by Apache in December 2021, Log4Shell remains a prevalent threat. It was evidenced by ongoing exploitation attempts and the widespread presence of vulnerable Log4j instances in the software supply chain.
Effects on Security World
Log4Shell has acted as a catalyst for various cyberattacks. It ranges from crypto-jacking schemes to advanced ransomware campaigns. Its zero-day status at the time of discovery enabled attackers to exploit the vulnerability before comprehensive mitigation measures were in place.
The seriousness of Log4Shell’s influence on internet-connected devices is shown by the simplicity of its exploitation and the fact that it is widely available across popular platforms and services. Attackers use Log4Shell to plan large-scale data breaches, steal credentials, and breach virtualized infrastructure.
Consumers are also at risk, particularly those utilizing network-enabled storage and smart home equipment reliant on the Log4j 2 library. The vulnerability necessitates proactive measures, including software updates and heightened awareness of potential data breaches.
How to Identify the Log4Shell Vulnerability
The primary step in identifying vulnerability to Log4j includes determining which applications within your organization incorporate the Log4j component. It evaluates their usage of Log4j and reduces the vulnerability by updating the Log4j version within the application.
However, many organizations also depend on third-party Java-based software applications, including native desktop, web, mobile, and cloud applications in their daily operations—any of which may have the Log4Shell vulnerability.
Detection of organizational vulnerability hinges on looking at all internally developed and third-party applications to confirm that they have been patched against Log4Shell. The operational integrity of an organization may be indirectly affected if a partner organization experiences compromise.
Numerous major industrial and consumer firms have initiated internal investigations to ascertain the reliance of their supply chain on Log4j, urging partners and vendors to promptly patch their software products. Determining exposure necessitates assessing whether any applications throughout the entire supply chain are affected.
Log4Shell: IT Security Action Plan
Organizations utilizing Log4j 2 within their applications and infrastructure should promptly update them, including third-party applications. The release of version 2.17.0 provides comprehensive security against the Log4Shell vulnerability.
Due to Log4Shell’s pervasive impact and ease of exploitation, organizations must take swift action to safeguard their systems. To expedite the identification of affected systems, organizations require a solution such as Dynatrace Application Security, capable of promptly and automatically detecting vulnerable systems and their dependencies. This facilitates the prioritization of critical systems for immediate updates, particularly in production environments.
Conclusion
The Log4Shell vulnerability represents a critical challenge to cybersecurity. It necessitates concerted efforts from organizations and individuals to reduce its impact. As cyber threats evolve, proactive measures such as regular software updates and vulnerability assessments are crucial in safeguarding digital assets against exploitation.
While Log4Shell poses significant risks to the security landscape, promoting a culture of cybersecurity awareness and resilience within an organization is crucial. By doing this, anyone can collectively address emerging threats and boost defences against future vulnerabilities.