The Log4j zero-day vulnerability known as “Log4Shell” (CVE-2021-44228) was first discovered on December 9th, 2021, and is getting a lot of well-deserved attention because of its wide reach and high severity. The vulnerability allows unauthenticated remote code execution and can be weaponized to take complete control of a vulnerable system. From there, attackers can deploy cryptocurrency miners, plant malware, or enlist the host in a botnet to coordinate DDoS attacks.
What is Log4j?
Log4j is a ubiquitous Java logging library used by many large organizations, including major tech companies. Apple’s iCloud, Twitter, Tesla, Amazon, Cloudflare, and Minecraft all use it. In fact, attackers were able to gain access to Minecraft servers by crafting a special message in the chat box. At one point, Cloudflare was receiving (and blocking) 20,000 exploit requests a minute!
How bad is it? It scored a perfect 10 (i.e. the most severe rating) on the Common Vulnerability Scoring System (CVSS). The Department of Homeland Security has even issued a warning about it. Part of what makes it so severe is that it is a “low skilled attack that is simple to execute,” which explains the Cloudflare numbers and the persistence of the threat. It’s not just tech companies being affected: the Canada Revenue Agency took precautions by taking its entire system offline, something it has done on two prior occasions in the last year. The province of Quebec reported that nearly 4000 of its websites use the library.
How do you fix the Log4j vulnerability?
This vulnerability affects anyone using Log4j 2 versions 2.0 through 2.14.1. The Apache Software Foundation has released a fix for it, but for many companies logging is so deeply embedded in their applications that upgrading is easier said than done. Apache does have stopgap mitigation recommendations that you can use in the interim, which might buy you some time while you upgrade your code to an unaffected version. Many companies rely heavily on Java for their business applications, and it can be tricky (especially for smaller businesses) to figure out which of their systems are accessible from the internet, and therefore exposed to attack.
SOOS offers a Software Composition Analysis (SCA) solution that scans all the packages and dependencies in your applications, identifying known vulnerabilities and presenting data on their history and severity, as well as specifying what fixes exist. Setting up a SOOS scan is incredibly easy and affordable. A solution like SOOS would have sounded the alarm as soon as the vulnerability was identified and documented, giving your teams more time to investigate and remediate.
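As an added example (this is not code from the original post or from SOOS), here is a small Python check in the spirit of the dependency scan described above. It reads the output of `mvn dependency:list` (or Gradle-style `group:artifact:version` coordinates), lists every Log4j artifact it finds, and marks `log4j-core` as affected when its version falls inside the 2.0 through 2.14.1 range the post gives. The sample listing is constructed, the version bounds are taken from the post and should be kept in step with Apache's advisory, and only `log4j-core` is flagged because that is the artifact carrying the JNDI lookup code (`log4j-api` on its own does not contain it).

```python
import re
from dataclasses import dataclass

# Version range the post gives for CVE-2021-44228: Log4j 2 versions 2.0 through 2.14.1.
# Versions are compared as integer tuples; qualifiers such as "-beta9" are dropped,
# so a pre-release of 2.0 compares as 2.0. Adjust the bounds as the advisory changes.
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 14, 1)

# The JNDI lookup lives in log4j-core; other Log4j artifacts are listed but not flagged.
AFFECTED_ARTIFACTS = {"log4j-core"}
LOG4J_GROUP = "org.apache.logging.log4j"


@dataclass
class Finding:
    group: str
    artifact: str
    version: str
    affected: bool
    note: str = ""


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1); '2.0-beta9' becomes (2, 0)."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version falls inside the 2.0 .. 2.14.1 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def parse_coordinate(token: str):
    """Split a Maven/Gradle coordinate into (group, artifact, version).

    Accepts 'g:a:v' (Gradle style) and 'g:a:type[:classifier]:v:scope'
    (the form printed by `mvn dependency:list`). Returns None otherwise.
    """
    parts = token.split(":")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) >= 5:
        return parts[0], parts[1], parts[-2]
    return None


def scan_dependency_list(text: str) -> list:
    """Report every org.apache.logging.log4j artifact found in a dependency listing."""
    findings = []
    for line in text.splitlines():
        for token in line.split():
            coord = parse_coordinate(token)
            if coord is None or coord[0] != LOG4J_GROUP:
                continue
            group, artifact, version = coord
            try:
                in_range = is_affected(version)
            except ValueError:
                # e.g. an unresolved "${log4j.version}" placeholder: needs a human look
                findings.append(Finding(group, artifact, version, False,
                                        "version could not be parsed; review manually"))
                continue
            findings.append(Finding(group, artifact, version,
                                    artifact in AFFECTED_ARTIFACTS and in_range))
    return findings


def summarize(findings: list) -> list:
    """One human-readable line per Log4j artifact found."""
    lines = []
    for f in findings:
        status = f.note or ("AFFECTED - upgrade" if f.affected else "not in affected range")
        lines.append(f"{f.group}:{f.artifact}:{f.version}  {status}")
    return lines


# Constructed sample: what `mvn dependency:list` prints for a small project.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.30:compile
"""


if __name__ == "__main__":
    for line in summarize(scan_dependency_list(SAMPLE_DEPENDENCY_LIST)):
        print(line)
```

Run it against `mvn dependency:list` output piped into a file and it will print one line per Log4j artifact; the manual-review note is deliberately emitted for versions it cannot parse rather than silently treating them as safe, since an unresolved property placeholder is exactly the case a quick scan tends to miss.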