The story so far: Log4j is a widely used logging library for Java software. Earlier this month, information about a critical security vulnerability in the library was publicly disclosed by the Apache Foundation, a non-profit entity that supports the development and maintenance of a number of open source software projects, including Apache Tomcat, an HTTP web server written in Java, Apache AsterixDB, a big data management system, and, among others, Apache Log4j itself.
- Log4j is a widely used logging library for Java software which the Apache Foundation recently disclosed as having serious security vulnerabilities.
- An attacker exploiting the vulnerability could potentially execute arbitrary, malicious code on an affected system.
- To address the vulnerability, the Apache Foundation released patches for various software projects using vulnerable versions of the Log4j library. Companies that use the library in enterprise software also made updates and security patches available to their customers.
How bad is the vulnerability?
The vulnerability lies in a component of the library meant to allow arbitrary system and Java environment variables to be inserted into software logs. An attacker exploiting it could potentially execute arbitrary, malicious code on an affected system. However, some have noted that the possibility of remote code execution on live systems depends on circumstances and varies from one environment to another.
The vulnerability presents a large attack surface particularly due to the ubiquitous use of the Log4j library in Java software. An advisory issued by the Apache Foundation mentions at least a dozen other software projects backed by the organisation as being affected as a result of Log4Shell.
At the same time, it is not just open source software that is affected. Many proprietary applications developed and used by large companies rely on the Log4j library for logging purposes and are similarly vulnerable.
Has the vulnerability been exploited yet?
Cloudflare, a company that manages a sizeable portion of Internet traffic, mentioned in a blog post analysing the Log4j vulnerability that attackers started attempting to exploit the vulnerability a mere nine minutes after it had been publicly disclosed. At the same time, the blog post also notes that a small set of exploitation attempts, or “test runs,” were made more than a week prior to the vulnerability being publicly disclosed. While this could be an instance of a phenomenon known in security research as “parallel vulnerability discovery,” in which a particular undisclosed vulnerability is discovered by multiple parties at the same time, it could also suggest that knowledge about the vulnerability was shared with others by an individual or group who happened to discover it.
The Apache Foundation released patches for various software projects using vulnerable versions of the Log4j library. Companies that use the library in enterprise software also made updates and security patches available to their customers shortly after the vulnerability was identified.
At the same time, companies that offer web application firewalls were quick to block various Log4Shell exploitation payloads. Remediation techniques shared by the larger information security community also proved helpful to mitigate risk.
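The substitution component described above acts on expressions written as ${...} inside a log message (a fact about Log4j not spelled out in the article), and the web application firewall rules and community remediation techniques mentioned here largely work by spotting that syntax in attacker-controllable input, such as request headers and query strings, before it reaches a logger. The scanner below is an added example, not code from the original article or from the Log4j project: it finds lookup expressions, including nested ones that disguise the lookup type and ones cut off mid-expression, across a few constructed access-log lines (the addresses, paths and lookup names are made up for illustration).

```python
from typing import Dict, List

# Constructed sample access-log lines (not real traffic). The query string
# and User-Agent field are attacker-controlled and are commonly written to
# application logs, which is exactly where a lookup expression gets evaluated.
SAMPLE_LINES = [
    '203.0.113.7 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.8 - - "GET /search?q=${env:HOME} HTTP/1.1" 200 "curl/7.79.1"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:e}nv:PATH}"',
    '203.0.113.10 - - "GET /price?amount=$5 HTTP/1.1" 200 "Mozilla/5.0"',
]


def find_lookups(text: str) -> List[str]:
    """Return every outermost ${...} expression in text.

    A simple regular expression is not enough because lookups nest
    (${${lower:e}nv:PATH}), so this tracks brace depth by hand. An
    expression that is still open at the end of the line is returned as
    well, since a truncated payload is just as worth flagging.
    """
    found: List[str] = []
    depth = 0
    start = -1
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth += 1
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
            if depth == 0:
                found.append(text[start:i + 1])
        i += 1
    if depth > 0:
        found.append(text[start:])  # unterminated lookup, flagged as-is
    return found


def lookup_prefix(expr: str) -> str:
    """Name the lookup type (the part before the first colon).

    When the type itself is built from an inner lookup, report "nested":
    that construction has no legitimate use in request data and is a
    strong signal on its own.
    """
    inner = expr[2:]
    if inner.endswith("}"):
        inner = inner[:-1]
    if inner.startswith("${"):
        return "nested"
    return inner.split(":", 1)[0]


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Flag each line that carries at least one lookup expression."""
    hits: List[Dict[str, object]] = []
    for line_no, line in enumerate(lines, 1):
        lookups = find_lookups(line)
        if lookups:
            hits.append({
                "line_no": line_no,
                "lookups": lookups,
                "prefixes": [lookup_prefix(expr) for expr in lookups],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LINES):
        print(f"line {hit['line_no']}: {hit['prefixes']} -> {hit['lookups']}")
```

The scanner deliberately flags any lookup syntax rather than a fixed list of known payload strings: a plain dollar sign (the "$5" on the fourth line) passes, while an expression whose type is assembled from an inner lookup is reported regardless of what it spells out, which is what makes pattern-matching on a single literal payload unreliable for this bug.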
What is a zero-day vulnerability, and is the Log4j vulnerability one?
A 0day (or zero-day vulnerability) refers to a security flaw which has not been publicly disclosed and for which a software patch or remediation technique is not available.
Considering that attempts at exploiting Log4Shell were observed at least a week prior to its public disclosure, it could be said that it was a 0day vulnerability, though only for a very brief period.
Karan Saini is a security researcher and technologist based in Bangalore. You can reach him at karan@networkhound.com.