The recent uncovering of the Log4Shell bug, tied to the ubiquitous log4j module, has swept through private and public organizations reliant on IT logging technology. A relatively simple bug, the implications of its widespread use means that remediation will be a long, complex endeavor. While the potential millions of implementations wait for updates, however, the complex infrastructure of national IT is vulnerable to attack.
Read more about this bug and its potential threat to organizations across the world.
What is Apache Log4j?
The Apache Software Foundation is a long-running non-profit consortium of communities to promote transparent, open-source development. Some of their more notable and far-reaching software projects include the Apache web server (or the “Apache” of the LAMP web server stack), the distributed Hadoop data processing environment, the IoTDB platform for the Internet of Things devices and dozens of other products and services.
One umbrella category of services is the Apache Logging Services, a set of software and programs targeting event and system logging and log audits for Linux and Windows systems.
Audit and event logging are essential parts of almost every IT system. Most cybersecurity regulations and compliance frameworks include some sort of logging requirement, and software developers rely on logging frameworks during the development, debugging and continued maintenance of their code. Even operating systems utilize some form of logging to help users and experts complete forensic investigations after a system failure.
Logging is perhaps most important in large, multi-user systems where Personal Identifiable Information (PII), Personal Health Information (PHI) or any controlled data like Controlled Unclassified Information (CUI). Large IT infrastructure for companies in industries like healthcare, finance and even game development can hold a treasure trove of sensitive information, including financial records, address locations, email addresses or any other conceivable piece of data.
Logging systems allow administrators and system utilities to track user behavior or system events if an attacker breaches that system. Most compliance frameworks require audit logging for two primary reasons: to help provide information to prevent attacks and to provide forensic evidence post-attack to support prosecution, remediation and security gap analysis.
Log4j is a Java-based implementation of an Apache logging framework. While the technical details of this utility are beyond the scope of this article, it bears mentioning that log4j is a powerful and efficient logging utility that can plug into several web servers and frameworks. It is free and open-source, lightweight and customizable based on the organization’s needs.
Because of these advantages, many platforms, web servers and other packages (especially those using Java runtimes) implement some form of Log4j.
What is the Log4Shell Bug?
Log4Shell (technical reference CVE-2021-44228) is a zero-day vulnerability that allows arbitrary code execution in affected systems. It was privately reported to the Apache Software Foundation by Alibaba’s Cloud Security Team in instances of the game Minecraft and subsequently announced in a tweet that included sample code.
How does the Log4Shell bug work?
- It is a zero-day vulnerability, meaning that it has just recently been discovered and reported to the responsible party. This means that any systems utilizing log4j are vulnerable to attacks targeting the bug.
- It allows arbitrary code injection, meaning that an attacker exploiting the bug can inject and execute code on a target machine, also known as remote code execution (RCE).
- It leverages the log4j module’s willingness to accept requests from Java Naming and Directory Interface (JNDI) and Lightweight Directory Access (LDAP) servers. The former allows a program to look up and locate data for Java objects at runtime. In contrast, the latter allows remote users to look up and access limited directories on a system.
- It allows attackers to use this bug to send JNDI requests through LDAP as a URL, meaning that they can force the system to pull up Java data objects and execute code through the logging mechanisms.
- It also allows access to private Java runtime information–including a secret environment variable–even if the request is denied.
A fix was released on December 6, 2021, and newer versions of the Java Runtime Environment mitigate the issue by blocking remote code execution (although older versions of the JRE may be vulnerable).
However, some organizations have claimed that attacks have already happened, and that knowledge of the bug may have been in the wild since as early as December 1, 2021. This fact provides a problem because the actual attacks exploiting this vulnerability are trivial.
Why Does Log4Shell Have Everyone So Worried?
The rapid response to the bug and its impact might make one think that the issue has been settled. However, major signals from companies like Google, Apple, and Cloudflare raise worries. Joe Sullivan, CSO for Cloudflare, points out that millions of servers have this technology installed. Amit Yoran, CEO of cybersecurity with Tenable, calls the bug the most significant vulnerability of the last decade, if not the history of computing.
But why? The flexibility of most server deployments is that they leverage open software from organizations like the ASF. Furthermore, many third-party products include log4j as part of their code. This is why the utility is found in such disparate places as Google, Netflix, Tesla, IBM, Alibaba and Minecraft servers.
With this kind of pervasive coverage, the internet cybersecurity ecosystem relies heavily on the persistence of these smaller developers and vendors in patching the issue. While companies like Amazon and Apple can roll out patches rather quickly, smaller businesses may be tempted to avoid the problem altogether or ignore it if they don’t necessarily understand the implications.
This, of course, leads to disaster. Vulnerabilities like these give attackers unfettered access to critical system functionality. In essence, once an attacker gets into a system through this method, that system is owned by the attacker… and so, potentially, is every attached system. In a modern IT system with thousands of components across hundreds of products, services, and vendors, these threats are tremendously problematic.
Compliance, Security and Auditing With the Experts at Lazarus Alliance
Bugs like the Log4Shell expose many organizations’ dangers when they aren’t prepared to address fundamental and ever-changing security threats. Lazarus Alliance can support your cybersecurity goals and compliance demands with a combination of expertise, automation and attention to critical detail. We make seemingly-overwhelming problems and make them more than manageable.
Want to Kick-start Your Cybersecurity Audits?
Call Lazarus Alliance at 1-888-896-7580 or fill our this form.