What is the Danger of Log4j?
Log4j is used extensively in Java server and client applications developed in the last 10 years. The logging library allows messages containing format strings to reference outside information using the Java Naming and Directory Interface (JNDI). Using various protocols like LDAP, the information can be retrieved remotely. Attackers can insert JNDI references to redirect traffic to LDAP servers under their control and run malicious code at will.
Taking advantage of CVE-2021-44228 provides hackers with multiple methods of attacking a vulnerable system. They can perform remote code execution, giving them access to all data resources on the target machine. This power enables malicious actors to delete important files or encrypt them and hold the resources for ransom. Any system employing a vulnerable version of Log4j can be attacked.
Apache Log4j is the only service impacted by this vulnerability. Applications that use the log4j-core JAR file can be attacked. Systems using the log4j-api JAR file without the log4j-core JAR file are not affected.
The solution for systems exhibiting this security exposure is to patch the affected system. This can be challenging due to the sheer number of systems involved and the need to test operability after patching is complete. Apache recommends users Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later) and that the JDBC Appender is only configured for Java. More detailed information and the latest patches from Apache are available on this website.
What Log4j Means for Cloud Instances
The Log4j vulnerability is impacting the offerings of all major cloud vendors. Here are some examples of how some popular cloud platforms are addressing this widespread security problem.
Google - The company recommends that Google Cloud Marketplace and Google Workspace customers review all third-party apps from a security standpoint. All customers should upgrade to the latest version of Log4j. Google also offers multiple tools that provide a layered defense from hackers including:
- Cloud Armor
- On-Demand Scanning
- Enforcing binary authorization deployment rules.
Microsoft - Microsoft’s security team has identified the exploitation of this vulnerability by nation-state actors from China, North Korea, and other countries. The company suggests customers should employ Microsoft Defender for Cloud and Defender for Containers as well as other tools to determine their exposure.
Amazon - Amazon Web Services also provides guidance for customers potentially affected by Log4j. The tools available to identify and mitigate the impact of the vulnerability include the Web Application Firewall (WAF), the Route 53 Resolver DNS Firewall, and the AWS Network Firewall. Amazon Inspector and GuardDuty help determine if the vulnerability affects your systems.
The Log4j issue highlights the vulnerability inherent in using shared software components. Since it is impossible to eliminate their use, organizations need to operate with a heightened sense of vigilance in protecting the credentials that allow intruders to access sensitive information. Malicious actors will take advantage of any opening to compromise your systems.