Why is Apache Log4j vulnerability so serious?

Author: Nyan Tun Zaw, VP, Athena Dynamics

Advisory Editor: Ken Soh, CEO, Athena Dynamics

Up until last week, a lot of us probably wouldn’t be aware of what is Log4j and whether we have them in our systems. With the discovery of CVE-2021-44228 (also known as Log4Shell) by a researcher from Alibaba Cloud Security Team, Chen Zhaojun, it has now become a nightmare for IT / enterprise security teams / product vendors all over the world, the majority of which has been using Log4j in one way or another.

Apache Log4j is a logging library that is widely used in java-based applications all over the world. With the popularity of Java language used in various products and solutions, the range of exposure caused by this vulnerability is extremely broad. Every application has some form of logging mechanisms in order for the developers to understand how users are interacting with it, whether there are any problems, bugs, etc., which can then be used for troubleshooting purposes. This means majority of the Java applications would have been using this library for logging purposes.

From security point of view, the reason why Log4j’s impact is so huge (with CVSS score 10 out of 10 for CVE-2021-44228) was due to a few key reasons:

1. The sheer volume of affected systems and products all over the world

Major global entities like Amazon Web Services, Google Cloud, Broadcom, Cisco were all reported to have been affected

2. Being a remote code execution vulnerability

RCEs are always one of the worst to have because it allows malicious attackers to run any code on the affected PC/server and access everything in the file system, meaning that malicious attackers can make use of this for any purpose that suits their needs (e.g. to deliver ransomware, spyware, APT, cryptominers, etc.,)

3. The easiness for malicious attackers to exploit this vulnerability

To exploit this, the attacker just needs to craft a specific string of code and get the system to log it (e.g. sending this string of code in login forms, contact us forms, changing username into this string, etc.,)

It has already been reported that various APT groups and cybercriminals are trying to take advantage of the fact that everyone is still rushing to fix this and delivering their malwares via this exploit. With that, it is highly recommended for everyone to stay vigilant and make sure all the systems being used are patched from this vulnerabilities (all the major vendors have been rushing to push out the patches) and if unsure, do check with your product vendor ASAP to avoid any potential effect on your system.

As always, it is good to perform Vulnerability Assessment and Penetration Testing (VAPT) or compromise assessment in your systems afterwards to make sure that everything is patched and there are no lurking APTs still remaining in your network – either via traditional human-based penetration testing or robotic penetration testing tools. We have also written about some quick differences between the two approaches here.

Please do reach out to us if you would like to find out more on how you can improve your cybersecurity posture.

Disclaimer: The opinions and outcome of best practices introduced in this material may vary due to environmental and contextual parameters. Neither BH Global Corporation Ltd, Athena Dynamics Pte Ltd nor the writers is responsible for any direct or indirect implications/impacts to the readers due to the adoption of these practices