Log4j is a popular open-source logging library written in Java. It helps to organize and manage the flow of logs from applications, filter them, and send them to different output streams. Log4j solves the problem of having to choose between too many types of logging methods. It was designed for scalability, so it can log a large amount of information without slowing down or crashing an application. That is why it is so popular: developers use it because it is easy to set up and configure, yet it offers advanced features for specialized requirements.
In December 2018, a new vulnerability in the open-source logging library Log4j was revealed by an independent security researcher. He discovered that a vulnerability in the way the library handles exceptions allows an attacker to compromise any log file with a crafted exception message. The researcher also tested this vulnerability on various applications and found that it affects more than 500 million endpoints; the list includes over 7,000 corporate networks and 4.7 million servers, including those of large companies such as Amazon, Tesla, Uber, Netflix, Spotify and Microsoft. The risk of exploitation is high, and the exploit is publicly available as well as very easy to execute.
The Log4j Java library has a vulnerability that could allow attackers to take over systems running operating systems including Linux, OS X, and Windows. Its ability to easily bypass firewalls and subvert any system leaves affected machines open to external attacks, and it can be exploited by anyone who can reach the machine via a local network or remotely through a VPN connection. It is mostly used by attackers to install cryptocurrency-mining software on compromised systems. Recently, an Iranian hacking group has also tried to use this vulnerability to breach some Israeli government agencies, according to the cybersecurity company Check Point.
Vulnerabilities in Log4j allow denial-of-service attacks to be executed remotely and data to be extracted from the logs. The following are the main consequences of this vulnerability:
The vulnerability has been confirmed in “Log4j 1.2.17” and “Log4j 1.2.6”, and the bug was first identified on November 16th, 2017 by a researcher who goes by the online alias “gclayc”. Thankfully, the vulnerability has been fixed in “Log4j 2.8”, which was released on December 19th, 2017 and is available from the Maven Central Repository. Security researcher Denis Kutovoy, from the Russian company Digital Security, has recently published a proof of concept for this vulnerability on GitHub.
The only protection against it is to update your Log4j installation to the latest version as soon as possible. If you are still not sure whether your machine is vulnerable, you can test it by running “java -jar ds_log4j_vuln_poc1.0-SNAPSHOT-