A security flaw in a widely-used open-source tool has exposed millions of websites to potential attacks, according to a report by The Record. The vulnerability affects Apache Log4j, a Java-based logging library that is used by many web servers, applications, and frameworks.
What is the vulnerability and how does it work?
The vulnerability, tracked as CVE-2021-44228, allows attackers to execute arbitrary code on the target system by sending specially-crafted log messages to the Log4j library. The log messages can contain malicious commands that are executed when the library processes them.
The vulnerability is caused by a feature of Log4j called “lookups”, which allows developers to insert dynamic values into log messages. For example, a lookup can be used to insert the current date, the user name, or the system environment variables into a log message.
However, the feature also supports a lookup called “JNDI”, which stands for Java Naming and Directory Interface. JNDI is a Java API that allows applications to access various naming and directory services, such as LDAP, DNS, or RMI. By using a JNDI lookup, an attacker can trick Log4j into fetching a malicious Java class from a remote server and executing it on the target system.
The vulnerability is extremely easy to exploit, as it only requires sending a single log message to the vulnerable Log4j library. The message can be sent through various channels, such as HTTP requests, email headers, or TCP connections. The attacker does not need any authentication or prior access to the target system.
What is the impact and who is affected?
The impact of the vulnerability is potentially huge, as Log4j is one of the most popular logging libraries for Java applications. It is used by many web servers, such as Apache Tomcat, Jetty, and GlassFish, as well as by many web frameworks, such as Spring Boot, Struts, and Hibernate. It is also used by many other applications and platforms, such as Minecraft, Elasticsearch, Kafka, and Solr.
According to GitHub’s annual State of the Octoverse report, 94% of projects rely on open source components, with close to 700 dependencies on average. Log4j is one of the most common dependencies for Java projects, with over 65 million downloads per month.
This means that millions of websites and applications are potentially vulnerable to remote code execution attacks through this flaw. The attackers can use the vulnerability to steal sensitive data, install malware, perform denial-of-service attacks, or take over the entire system.
What are the mitigation and remediation steps?
The Apache Software Foundation has released fixes for the vulnerability on December 10. The fixes are available for Log4j versions 2.x and 1.x. The recommended solution is to upgrade to Log4j version 2.15.0 or later, which disables JNDI lookups by default. Alternatively, users can apply patches for older versions of Log4j that disable JNDI lookups or limit them to specific protocols.
Users who cannot upgrade or patch their Log4j versions can also apply some temporary workarounds to mitigate the risk of exploitation. These include:
- Setting the system property “log4j2.formatMsgNoLookups” to “true” for Log4j 2.x versions prior to 2.10.
- Removing the JndiLookup class from the Log4j-core.jar file for Log4j 2.x versions prior to 2.15.
- Setting the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to “true” or adding “-Dlog4j.formatMsgNoLookups=true” to the Java command line for Log4j 1.x versions.
- Blocking outbound traffic from the target system to potentially malicious domains or IP addresses that host malicious Java classes.
Users are advised to monitor their systems for any suspicious log messages or network activity that may indicate an attempted or successful exploitation of the vulnerability. Users should also check their dependencies for any transitive use of Log4j and update or patch them accordingly.
How can users prevent similar vulnerabilities in the future?
The vulnerability in Log4j highlights the importance of securing open source software and its dependencies. Open source software is widely used and trusted by many developers and organizations, but it also comes with potential risks and challenges.
One of the challenges is keeping track of all the dependencies and their versions that are used by a project. Dependencies can introduce vulnerabilities that may not be detected or fixed in time by the maintainers or the users. According to GitHub’s report, it can take an average of over four years for vulnerabilities in open source software to be spotted.
Another challenge is ensuring that the dependencies are compatible and consistent with each other and with the project’s requirements. Dependencies can have different licenses, standards, and features that may conflict or cause issues with each other or with the project’s functionality.
To prevent similar vulnerabilities in the future, users should adopt some best practices for managing and securing their open source dependencies. These include:
- Using tools and services that can scan and analyze the dependencies and their vulnerabilities, such as GitHub’s Dependabot, Snyk, or WhiteSource.
- Updating and patching the dependencies regularly and promptly, especially when critical vulnerabilities are discovered and fixed.
- Reviewing and testing the dependencies and their changes before integrating them into the project, and ensuring that they meet the project’s quality and security standards.
- Reducing and minimizing the number of dependencies and their complexity, and avoiding unnecessary or outdated dependencies that may introduce security or performance issues.
By following these best practices, users can reduce the risk of exposing their systems and applications to potential attacks through open source software vulnerabilities.
