Log4j, a Java library for writing log messages from applications, is embedded in an enormous number of systems. A vulnerability recently disclosed by Apache allows attackers to execute code remotely on machines all across the world.
Cybercriminals are already trying to exploit this flaw, putting all kinds of online applications, open-source software, cloud platforms, and email services at risk.
What is Log4j?
Inserting log statements into code is a reliable way to debug software during its development lifecycle. Log4j is a Java logging package that is both dependable and highly configurable.
It is maintained by the open-source Apache Software Foundation and runs on all major platforms, including Windows, Linux, and Apple’s macOS.
Log4j Vulnerability
The Log4j vulnerability exposes systems that use the library to attack from outside, making it far easier for threat actors to get in and, from there, gain privileged access.
The flaw is not new: the vulnerable JNDI lookup feature has been part of Log4j 2 since version 2.0-beta9 in 2013 and went unnoticed for years. It was reported to Apache by Alibaba Cloud’s security team in late November 2021 and became public on 9 December 2021. LunaSec’s write-up gave it the name Log4Shell, and some of the earliest public exploitation was through chat messages on Minecraft servers (Minecraft is owned by Microsoft).
Since disclosure, attackers have been exploiting it at scale, quickly turning a long-neglected weakness into one of the most dangerous flaws in recent memory.
What happened?
Organizations worldwide are dealing with multiple issues in the Log4j library, which threat actors are already exploiting. Version 2.17.0 is the third fix release in roughly a week, following 2.15.0 and 2.16.0.
While experts warn that threat actors are actively attempting to exploit a second weakness in the library, CVE-2021-45046, a third security issue has come to light.
The problems with Log4j grew worse as the Apache Software Foundation (ASF) released yet another patch, version 2.17.0, for the widely used logging library, this time for a flaw that hostile actors could use to stage a denial-of-service (DoS) attack.
The new vulnerability, identified as CVE-2021-45105 (CVSS score: 7.5), affects all versions from 2.0-beta9 to 2.16.0. Version 2.16.0 was itself released earlier this week to address a second flaw that could lead to remote code execution, CVE-2021-45046, which resulted from an “incomplete” fix for CVE-2021-44228, the original Log4Shell vulnerability.
In a revised alert, the ASF said that “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not defend against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data with a recursive lookup, resulting in a StackOverflowError that will terminate the process.”
They went on to say that Hideki Okamoto of Akamai Technologies and an anonymous vulnerability researcher discovered the latest flaw.
The project maintainers also said that Log4j versions 1.x reached end of life in August 2015 and are no longer supported. Security problems found in the 1.x line since then will not be addressed, so users should migrate to Log4j 2 to receive the most recent fixes.
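To make the advisory text concrete, the following is a small Python model of the substitution step, added for this article; it is not code from Log4j or from Apache. It models only the `ctx:` lookup and the `%X{key}` pattern converter, and the pattern strings, MDC values and function names are constructed for the example. The vulnerable resolver re-evaluates whatever a lookup returns, so an MDC value of `${ctx:loginId}` chases itself until the stack is exhausted (a RecursionError here, a StackOverflowError in the JVM). The fixed resolver inserts lookup results as literal text and never rescans them. A pattern that reads the MDC through `%X{loginId}` instead of `${ctx:loginId}` never enters the substitution engine at all, which is the configuration-level mitigation Apache recommended for deployments that could not upgrade to 2.17.0 immediately.

```python
import re

# Innermost ${...} first, so nested lookups expand inside-out as they do in Log4j 2.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# %X{key}: the Thread Context (MDC) pattern converter, a direct read of the map.
MDC_CONVERTER = re.compile(r"%X\{([^}]*)\}")


def _lookup(name, mdc):
    """Resolve one lookup. Only the ctx: (Thread Context / MDC) lookup is
    modelled; any other prefix is reported unresolved (None) and left in place."""
    if name.startswith("ctx:"):
        return mdc.get(name[len("ctx:"):], "")
    return None


def resolve_vulnerable(text, mdc):
    """Model of the pre-2.17.0 behaviour: the text a lookup returns is fed back
    through the substitutor, so a value that itself contains a lookup is expanded
    again. A self-referential MDC value therefore never converges."""
    def expand(match):
        value = _lookup(match.group(1), mdc)
        if value is None:
            return match.group(0)
        return resolve_vulnerable(value, mdc)  # re-evaluates attacker-controlled data
    return LOOKUP.sub(expand, text)


def resolve_fixed(text, mdc):
    """Model of the post-fix behaviour: a value pulled from the MDC is inserted as
    literal text and is never rescanned, so request data cannot trigger further
    substitution no matter what it contains."""
    def expand(match):
        value = _lookup(match.group(1), mdc)
        return match.group(0) if value is None else value
    return LOOKUP.sub(expand, text)


def format_event(resolver, pattern, mdc, message):
    """Render one log line in the order Log4j 2 effectively uses: ${...} in the
    layout's literal text goes through the substitutor, %X{key} is a direct MDC
    read that bypasses it, and the message (%m) is spliced in last so the message
    body is never substituted either."""
    line = resolver(pattern, mdc)
    line = MDC_CONVERTER.sub(lambda m: mdc.get(m.group(1), ""), line)
    return line.replace("%m", message)


def render_safely(resolver, pattern, mdc, message):
    """Run format_event but report stack exhaustion instead of propagating it.
    Returns ('ok', line) or ('crash', 'RecursionError')."""
    try:
        return ("ok", format_event(resolver, pattern, mdc, message))
    except RecursionError:
        return ("crash", "RecursionError")


# Constructed sample configuration and input data (hypothetical names).
RISKY_PATTERN = "user=${ctx:loginId} msg=%m"   # Context Lookup in the PatternLayout
SAFE_PATTERN = "user=%X{loginId} msg=%m"       # Thread Context Map pattern instead
BENIGN_MDC = {"loginId": "alice"}
# Attacker-controlled value, e.g. a request header an application copied into the MDC.
MALICIOUS_MDC = {"loginId": "${ctx:loginId}"}

if __name__ == "__main__":
    for label, mdc in (("benign", BENIGN_MDC), ("self-referential", MALICIOUS_MDC)):
        print(label, "pre-fix, ${ctx:} :", render_safely(resolve_vulnerable, RISKY_PATTERN, mdc, "login"))
        print(label, "fixed,   ${ctx:} :", render_safely(resolve_fixed, RISKY_PATTERN, mdc, "login"))
        print(label, "pre-fix, %X{}    :", render_safely(resolve_vulnerable, SAFE_PATTERN, mdc, "login"))
```

Running it shows the three outcomes side by side: benign data formats the same way everywhere, the self-referential value crashes only the pre-fix resolver combined with a `${ctx:...}` layout, and either the fixed resolver or the `%X{...}` layout simply emits the attacker's string verbatim. The real Log4j 2 substitutor supports many more lookup types and escapes; the model keeps just enough to show why a layout string that evaluates runtime data is the dangerous piece.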
What does CISA have to say about it?
The updates come as the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 22-02, requiring federal civilian departments and agencies to patch their internet-facing systems for the Apache Log4j vulnerabilities by December 23, 2021, on the grounds that the flaws pose an “unacceptable risk.”
The news also comes as the Log4j weaknesses have become an attack vector and a focal point for many threat actors, including state-sponsored groups from China, Iran, North Korea and Turkey as well as the Conti ransomware group, for a variety of follow-on malicious actions. Conti is reported to be the first sophisticated crimeware group to weaponize the vulnerability.
Rogue Logics provides in-depth security services for the assessment and protection of your application, data, and infrastructure against potential threats on-prem or in the cloud.
Want a consultation with the professionals at Rogue Logics? Contact us and get a free quote.