Technically Speaking

The Official Bigstep Blog


What is the Log4j vulnerability and which are the latest updates?

Log4j is developed by the Apache Foundation and is a popular Java library used in a wide range of consumer and enterprise services, websites, applications, and operational technology products. Most people are unaware of Log4j, because it is used to record activity that goes on under the hood in a wide range of computer systems.

In December, news broke that attackers had started exploiting this obscure vulnerability, which caused a global uproar because of its severity, with CISA, the FBI, the NSA, and national cybersecurity authorities releasing a joint Cybersecurity Advisory. The Log4j vulnerability affects everything from cloud services to developer tools and security devices.

Below is a short history and description of why the vulnerability is so dangerous, as well as a timeline of news and different patches released since its discovery.

What is Log4j?

Log4j is an open-source Java logging library that represents one of the many building blocks that are used in the creation of today’s modern software. Developers use it to keep track of problems for users and what happens in their software applications.

Who discovered the Log4j vulnerability?

A security engineer at Alibaba Cloud, Chen Zhaojun, was identified as the first person to discover the Log4j vulnerability. Alibaba Cloud is now facing backlash from government regulators because it reported the flaw directly to Apache rather than first reporting it to the Ministry of Industry and Information Technology (MIIT). According to Reuters, Zhaojun informed Apache on November 24, and the MIIT was informed by a third party on December 9.

How dangerous is this vulnerability?

Cyber threat actors are now scanning networks to potentially exploit CVE-2021-44228 (“Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Log4Shell allows an adversary to take full control of the affected system, which is why it is considered the most dangerous of the three. CVE-2021-45046 and CVE-2021-45105 both enable a remote attacker to cause a denial-of-service (DoS) condition, in certain non-default configurations and in all non-default configurations, respectively.

Given the above, this vulnerability has affected a wide range of services and global companies, among which we can name Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware.

This vulnerability requires very little expertise to exploit, which is why Log4Shell could potentially be the most severe computer vulnerability we have seen in years. Additionally, the script for this exploit is available online, and anyone can execute it.

Worldwide measures

The Cybersecurity & Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom have released a joint Cybersecurity Advisory in response to the multiple vulnerabilities in Apache’s Log4j software library, which you can read here.

This joint Cybersecurity Advisory details the recommended steps that vendors and organizations with information technology, operational technology/industrial control systems, and cloud assets should take to respond to these vulnerabilities. Previously published vulnerability guidance can also be found here. Moreover, CISA and many large cybersecurity companies have developed scanners for this vulnerability.

The agencies also assess that exploitation of these vulnerabilities, especially Log4Shell, is likely to increase and continue over an extended period. It is crucial for everyone to stay on top of the latest security vulnerabilities, as well as the updates and patches issued to remedy them.

Timeline

The Log4j vulnerability affects any systems and services that use the Java logging library Apache Log4j, between versions 2.0 and 2.15. Since December, several patches have been released against this vulnerability, and we look forward to others in the near future.

Below is a timeline of the Log4j vulnerability discoveries, news, security advisories, and patches.

November 24 – Chen Zhaojun informs Apache of the Log4j vulnerability.

November 26 – The vulnerability is registered in the CVE list.

December 9 – The Log4j vulnerability is disclosed worldwide.

December 10 – The CVE-2021-44228 vulnerability, or Log4Shell, is disclosed.

December 10 – Cloudflare adds new rules to its firewall that block HTTP requests containing strings characteristic of the Log4j attack code.

December 10 – VMware and Cisco add patches for the vulnerability.

December 11 – The Director of the Cybersecurity and Infrastructure Security Agency (CISA) releases a statement regarding Log4j.

December 12 – cPanel releases a patch for the Log4Shell vulnerability. Regarding cPanel, this vulnerability only affected the Apache SOLR plugin.

December 15 – The second vulnerability, CVE-2021-45046, is discovered.

December 15 – Apache immediately issues a patch, Log4j 2.16.0.

December 15 – cPanel releases an updated patch for the second vulnerability.

December 16 – The third vulnerability, CVE-2021-45105, is discovered.

December 17 – CISA issues Emergency Directive (ED) 22-02: Mitigate Apache Log4j Vulnerability.

December 18 – Apache releases version 2.17.0 of the patch for Log4j after discovering issues with its previous release.

December 20 – Log4j is exploited to install Dridex malware on Windows and Meterpreter on Linux.

December 22 – CISA releases its own Log4j scanner.

December 27 – Microsoft issues new services designed to protect its users against exploitation of Log4j vulnerabilities.

December 28 – The fourth vulnerability, CVE-2021-44832, is discovered.

December 28 – Apache fixes a new arbitrary code execution vulnerability in Log4j. The newly released Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) all address CVE-2021-44832.

December 29 – Microsoft fixes false Log4j positives: Microsoft Defender for Endpoint suffered some Log4j false positive reports, but Microsoft has updated the security software to correct the issue.

December 29 – Aquatic Panda, a China-based hacker group, has attempted to infiltrate an academic institution through the Log4j vulnerability. The bug involved VMware’s software, according to SC Media.

January 3 – Microsoft updates its guidance for preventing, detecting and hunting Log4j vulnerabilities.

January 4 – The FTC warns companies to remediate the Log4j security vulnerability.
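The timeline above names the fixed releases per Java line (2.17.1, 2.12.4, 2.3.2) and the intermediate releases 2.16.0 and 2.17.0. The following is an added inventory-triage example, not Bigstep's, CISA's or Apache's code: it walks a directory, identifies `log4j-core` jars by filename, and reports which of the four CVEs each version still leaves open, assuming jar filenames follow the standard `log4j-core-<version>.jar` naming; the sample paths are constructed.

```python
"""Added example: triage Log4j 2 jar versions against the fixed releases named in
this article. Not Bigstep's or Apache's code; sample paths below are constructed."""
import os
import re

# Fully patched release per support branch, from the December 28 timeline entry:
# 2.17.1 (Java 8 main line), 2.12.4 (Java 7 branch), 2.3.2 (Java 6 branch).
BRANCH_TARGET = {3: (2, 3, 2), 12: (2, 12, 4)}
MAINLINE_TARGET = (2, 17, 1)

# Main-line release that first addressed each CVE. 2.16.0 and 2.17.x come from the
# timeline; 2.15.0 being Apache's first fix for CVE-2021-44228 is its release history.
MAINLINE_FIX = [("CVE-2021-44228", (2, 15, 0)), ("CVE-2021-45046", (2, 16, 0)),
                ("CVE-2021-45105", (2, 17, 0)), ("CVE-2021-44832", (2, 17, 1))]

JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def parse_jar_version(path):
    """Return (major, minor, patch) from a log4j-core jar filename, or None."""
    m = JAR_RE.search(os.path.basename(path))
    return tuple(int(x) for x in m.groups()) if m else None

def triage(path):
    """Classify one jar as 'patched', 'update' (with outstanding CVEs) or 'unknown'."""
    v = parse_jar_version(path)
    if v is None or v[0] != 2:   # not a log4j-core jar, or the separate 1.x codebase
        return {"path": path, "status": "unknown"}
    target = BRANCH_TARGET.get(v[1], MAINLINE_TARGET)
    if v >= target:
        return {"path": path, "version": v, "status": "patched"}
    if v[1] in BRANCH_TARGET:
        # Java 6/7 branches: conservatively treat anything below the branch fix as exposed to all four.
        cves = [cve for cve, _ in MAINLINE_FIX]
    else:
        cves = [cve for cve, fixed in MAINLINE_FIX if v < fixed]
    return {"path": path, "version": v, "status": "update", "target": target, "cves": cves}

def scan_tree(root):
    """Walk a directory tree and triage every log4j-core jar found (defender-side inventory)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                hits.append(triage(os.path.join(dirpath, name)))
    return hits

if __name__ == "__main__":
    for p in ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-core-2.16.0.jar",
              "/opt/legacy/lib/log4j-core-2.12.4.jar"]:   # constructed sample paths
        print(triage(p))
```

Jars renamed or shaded into other archives will not match the filename pattern, so treat a clean result from this check as a first pass, not proof of absence.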

Staying on top of your cybersecurity

You need to stay updated regarding security vulnerabilities and immediately update systems, applications, and services as soon as new patches are released. Our clients can rest assured that we are doing our best to proactively check and secure our servers and applications.
