December 10, 2021 saw the public disclosure of one of the most serious vulnerabilities on the internet in the past 12 months.
What happened? A day prior on December 9th, a critical (CVSSv3 10) remote code execution vulnerability in Apache's Log4j technology was disclosed. Hackers had developed a proof of concept (POC) to exploit the flaw and target more than 40% of corporate networks worldwide.
As nearly a third of all web servers worldwide had been compromised, this was a potentially disastrous situation.
What is Log4j, and how is it exploited?
Log4j is an open-source Java library that is widely used to perform application logging of Java-based programs. If you’ve ever worked with a Java app, you’ve probably seen this library being used!
This is where it gets interesting. The public disclosure of the vulnerability allowed remote actors to send a crafted HTTP packet to Apache servers running the software below Log4j 2.15.0. When received by the application, it stores the HTTP request as a legitimate log, and then executes the contents of the payload. Why is this so scary? Well, this interaction doesn’t require the threat actor to have credentials on the target! The presence of the vulnerability alone, coupled with a working internet connection is enough for the threat actor to gain access to the device!
According to Apache’s advisory, all Apache Log4j (version 2.x) versions up to 2.14.1 are vulnerable if message lookup substitution was enabled.
Why is this situation so concerning?
Open-source security has been a topic of discussion over the last year and this recent headline emphasises the risky practice of relying on open-source code libraries to build enterprise-scale applications.
The vulnerability that was originally discovered on servers that host the game Minecraft, has been labelled the single biggest, most critical vulnerability of the last decade, but why?
Two reasons:
- The ubiquity and reliance of this library within Java applications
- Ease of exploitation
At The Missing Link, we will continue to provide updates on the ongoing impact and recommended mitigations for this exploit as the community at large deepens their knowledge and understanding of its impact.
For now, let’s look and learn from the impacts of this breach.
Impacts and lessons
Log4j is widely used in business system development, included in various open-source libraries and in major software applications. Therefore, this is a cross-platform vulnerability and is exploitable on both Linux and Windows.
The vulnerability allows an unauthenticated threat actor to initiate LDAP traffic to an attacker-controlled node from the Java Naming and Directory Interface (JNDI). The attacker-controlled node will respond with a malicious Java class file that then begins running on the victim server.
Sadly, the results of this vulnerability will have ripple effects for many years to come. Log4j is used widely by both enterprise applications and cloud-based services.
The nature of the flow on effect (message queue servers and database servers might be affected as a secondly outcome) it’s highly likely that almost all companies might be at some risk from this vulnerability.
Most vulnerabilities are easily dealt with, through patchinh. However, the ubiquity of this library within contemporary applications has presented some real challenges.
The ease of exploiting the vulnerability compounds its impact. The Log4j 2 library controls how applications log strings of code and information. The vulnerability enables an attacker to gain control over a string and trick the application into requesting and executing malicious code under the attacker’s control. Attackers can remotely take over any internet-connected service that uses certain versions of the Log4j library anywhere in the software stack.
Action plan
From Log4j version 2.15.0 and above, the vulnerable behaviours identified have been disabled by default.
Organisations should reach out to their application vendors or ensure their Java applications are running the latest up-to-date version. Developers using Log4j 2 should ensure that they are upgrade to the latest version of Log4j at the earliest.
Best response plan:
Our expert team at The Missing Link are already acting in response to the Log4j software vulnerability. This includes:
- Manage the threat, while updating the blocking of any vulnerable instances of software, to include Log4j
- Methodically using vulnerability scans across all infrastructure to detect threats and manage security on managed devices and apps
- Acting on all indicators of compromise
- Implementing controls on in-line network and endpoint devices
Additionally, The Missing Link have created custom rules to detect possible exploitation of Log4j that will raise an instant incident.
This whole saga shows us just how important it is to monitor threat intelligence, know your environment, and be able to manage risk quickly. There will always be bad actors who wish to use any latest vulnerabilities for their own gain. So it pays to be alert, aware, and able to respond fast!
The Missing Link have Cyber Security Solutions to keep your business, data, systems, network, and users secure. Interested in our Cyber Security services? Get in touch with our friendly team today.
If you liked this article, you may also like:
Cyber Security Operations: it's not not about the tools alone
