What Is Log4shell And How To Protect Against This Vulnerability
The Log4Shell vulnerability is a vulnerability classified as critical (10) that affects the Java Log4J library in version 2 (we will explain what it is later), included in Apache, and that allows what is known as remote code execution. Being very critical, it is recommended to apply the patch that corrects it as soon as possible to protect yourself from the Log4Shell vulnerability.
Table of Contents
What Is Log4J?
Log4J is a very common log system used by Web developers, Java-based applications and also by other programming languages, who use this component to record / log information about the application.
Where Is Log4J In Our Environment?
As we will see, it is not only used on servers, it is also used in applications and even mobile applications, as well as in numerous cloud services. Therefore, it is a vulnerability that potentially affects many users.
Although we have the servers properly patched, no one can assure us that tomorrow we will download a PDF and through this PDF viewer they can inject code into us. If we have an application that uses this event logging mechanism, it is vulnerable. And it can be as seemingly innocent an application as a PDF viewer.
What Is Log4Shell?
It is the name given to the vulnerability that has arisen as a result of a publication of what is known as a 0-day (zero day). A 0-day is a vulnerability that is not known and that does not have a patch to solve it. The vulnerability has been published as a proof of concept , meaning that publishing it has shown how the exploit that takes advantage of it works. And this means that from the first minute anyone who has seen the publication can exploit it. Of course, including cybercriminals, who have already started looking for possible targets or victims.
How Does The Log4Shell Vulnerability Work?
This vulnerability makes it possible for any attacker to insert text into the log messages stored by the application. So far it would not be a problem, but it happens that Log4J has functionalities that allow certain actions such as searches or changes to be carried out. Therefore, by passing the correct labels to that log, the attacker will be able to make this component interact.
How? The server we are attacking executes the code by calling the Java Naming and Directory Interface ( JNDI ), passing it certain tags. Using specially designed URLs, we get the JNDI to do these searches to network resources such as LDAP, DNS or RMI (a Java remote interface).
The danger of the Log4Shell vulnerability
What this vulnerability produces is incorrect call validation, that is, data that is not trusted is trusted. This Log4J component is logging the information without going through a previous cleanup. Therefore, the attacker can modify the message to be stored in the log to confuse Log4J and achieve certain malicious actions.
As we indicated, there are Log4J functionalities -such as JNDI- that help the programmer to make the data of these Logs much clearer. For example, when saving user actions in the logs, instead of storing their identifier (” User 2547f52a44d52a has logged in”), Log4J performs an LDAP query with that identifier to the server and instead of indicating the user by his identifier stores it with your name. For example, it would indicate ” The user José Arroyo has logged in.”
Here, Log4J is doing a check against a local LDAP but if instead of doing it against a local LDAP, the attacker indicates a remote LDAP and also passes the attacker a series of commands that he has to execute. This is when the vulnerability is exploited and you cannot control whether whoever is logging in is an attacker.
When this functionality is enabled, and by default it is, it allows executing external resources. And since Log4J does not sanitize the URLs passed in these strings, it will allow the attacker to query servers outside the local network.
This vulnerability has been cataloged as CVE-2021-44228.
How To Protect Against The Log4Shell Vulnerability?
It is highly recommended to update to the latest version of this library, which at the time of writing this article is 2.17.0. Apart from this vulnerability, two more have been discovered that also affect Log4J version 2.15.0. The second allows DDoS denial of service attacks to be carried out and the third allows the exfiltration of sensitive data from the victims.
In turn, a vulnerability has also been found in version 2.16.0 that arose as a solution to the vulnerability discussed in the article. The severity of this vulnerability is classified as high (7.5) and allows a denial of service attack to be carried out and the impact is a total crash of the application.
Furthermore, as we have already seen, apparently innocuous applications (such as a PDF viewer) can be used to exploit this vulnerability.
Therefore, in addition to the servers, we have to try to keep the applications that we use on the computer up to date. And, if possible, locate information about a statement that the manufacturer has released indicating whether it has detected that vulnerability in its product.
Conclusion
As we have seen, the Log4shell vulnerability that affects Log4J is very critical and it is recommended to apply the patch that corrects it as soon as possible. In addition, other measures should be taken such as checking the applications that we have installed on our devices and, at least, use the latest versions and be aware of the publications regarding the manufacturer.
