The internet vulnerability Log4Shell, which affects millions of machines, is caused by Log4j, an obscure but practically ubiquitous piece of software. The program is used to track a variety of operations that occur behind the scenes in a variety of computer systems.
Hackers are scouring the internet for unprotected servers and configuring devices to send malicious payloads. They query services (for example, web servers) and try to trigger a log message to carry out an attack (for example, a 404 error). The query contains maliciously designed text, which Log4j interprets as commands.
These instructions can either generate a reverse shell, allowing the attacker’s server to control the targeted server remotely, or they can make the target server a botnet member. Botnets are groups of hijacked computers that work together to carry out coordinated acts on behalf of the hackers.
What is Log4j?
The internet vulnerability Log4Shell, which affects millions of machines, is caused by Log4j, an obscure but practically ubiquitous piece of software. The program is used to track a variety of operations that occur behind the scenes in a variety of computer systems.
What does Log4j do?
Log4j keeps track of events, such as faults and ordinary system processes, and sends out diagnostic warnings to system administrators and users. It is an open-source software provided by the Apache Software Foundation.
When you enter in or click on an invalid weblink and get a 404-error message, that's an example of Log4j at work. There is no such webpage, according to the webserver that hosts the domain of the web link you attempted to access. It also uses Log4j to log the occurrence for the server's system administrators.
Throughout software programs, similar diagnostic signals are employed. Log4j is used by multiple organization or any online system to log activity such as total memory utilized and user instructions sent into the console.
How does Log4Shell work?
Log4Shell works by exploiting a Log4j feature that allows users to specify custom code for log message formatting. If a separate server keeps a directory linking user names and actual names, this feature allows Log4j to log not just the username associated with each attempt to log in to the server, but also the person's true name. The Log4j server must interact with the server that stores the real names in order to do this.
This type of code, however, may be used for more than merely formatting log messages. Third-party servers can upload software code to Log4j that can conduct a variety of tasks on the targeted server. This allows for hacking such as stealing sensitive data, seizing control of the targeted system, and spreading malicious content to other systems and users.
Log4j is everywhere
The place of Log4j in the software ecosystem is one of the primary issues concerning Log4Shell. It's used in a broad variety of programs from software development tools to security products, in addition to popular games like Minecraft. It's also used in cloud services like Apple iCloud and Amazon Web Services, as well as a wide range of applications from software development tools to security tools.
As a result, hackers have a wide range of targets to pick from, including ordinary people, service providers, source code developers, and even security experts. While large corporations like Amazon can swiftly fix their online services to prevent hackers from abusing them, many more enterprises will take longer to do so, and others may not even realize they need to.
How do you fix the issue?
Because Log4j is frequently packaged with other applications, it's difficult to tell if it's being utilized in any specific software system. This necessitates system administrators inventorying their software to see whether it is present. It's considerably more difficult to eliminate the vulnerability if some people are unaware that they have a problem.
Because of Log4j's many applications, there is no one-size-fits-all approach for patching it. Various ways will be required depending on how Log4j was integrated into a specific system. It might necessitate a full system upgrade, as some Cisco routers have done, or upgrading to a new version of the software, or manually eliminating the susceptible code for individuals who can't update their program.
Log4Shell is part of the software supply chain. Before being packaged into a finished product, software, like physical items, passes through various organizations and software packages. When something goes wrong with the software, it is frequently "patched," which implies it is rectified in place, rather than going through a recall procedure.
However, because Log4j is used in so many different ways in software, spreading a remedy involves collaboration from Log4j developers, software developers that utilize Log4j, software distributors, system operators, and users. Typically, this causes a delay between when the remedy is released in the Log4j code and when people's computers close the door on the vulnerability.
Time-to-repair estimates for software often range from weeks to months. However, if historical performance is any indication, the Log4j vulnerability will continue to be exploited for years to come.
CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell." Log4j is used to log security and performance information in a range of consumer and corporate services, websites, and apps, as well as operational technology solutions. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
Organizations are urged to upgrade to Log4j 2.17.0 (for Java 8), 2.12.3 (for Java 7) and 2.3.1 (for Java 6), and review and monitor the Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance.
Reference:
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896
