The purpose of this article to explore what is the remote code execution attack and vulnerability, how to protect against it, discuss the current log4j security issue, and its impact on the Internet. The article will discuss the patch to fix the log4j vulnerability that will mitigate the issue.
Some experts believe that the log4j vulnerability found on December 9, 2021, by Alibaba is the largest security issue reported in history because of its impact on the millions of computers that use log4j on a daily basis.
Introduction to the remote code execution attack
When software is created, it goes through a software development process that starts at the requirements stage, through design, through implementation, and thorough testing. During the testing phase, testers works on trying to find as many bugs in the software. A software bug is an error and/or flaw in the code that causes an unexpected result in its execution. Testers can only find so many bugs in software before it is released. There are additional bugs that are found during the day-to-day usage, document, and depending on the severity a patch is created and installed.
Software bugs become vulnerabilities when the bug can be used to exploit the software to do nefarious things. Attackers love vulnerabilities because it allows them to bypass the layers of security put in place to protect systems. One such attack is called a remote code execution attack.
So, what is a remote code execution attack? An attacker can use a vulnerability in software or operating systems to remotely execute malicious code on a host. An attacker can install a malicious payload on a system that is running software that is vulnerable. Once installed, attackers can run the malicious code to do damage to a host and network.
The impact of this type of attack can be anything from malware execution to ransomware to malicious code designed to completely take over a system. Prevention of this type of attack is to keep updating software and operating systems. Make sure to patch your systems continually. Software updates is the key way to prevent these attacks once they are known.
The recent example of log4j shows how vulnerable that millions of systems can be and the damage that can be done with a software bug. Let’s explore Apache’s log4j.
Overview of Apache’s log4j
Logging is an important part of a lifecycle of an application from requirements, design, testing, and production. During development, programmers use logging to help debug their code. During testing, logs are used to isolate bugs that are documented by the testers. During production, logging is used to monitor a running application and respond to high severity events that occur during the normal operations of an application.
Apache’s log4j is an open-source logging tool written by Ceki Gulcu in the Java Programming Language. Every large application written uses a logging tool to allow for reporting and debugging of applications in Java. Log4j logs events up to 8 different levels of events including errors and routine events. Logging is very useful for software developers to find issues with the software during testing and also in production.
The architecture of log4j from Apache is shown below.
Source: Apache log4j docs
Programs that use log4j request a logger from the LogManager. The LogManager locates a LoggerContext which obtains the Logger. Then the Logger is used to write events to a log-on system. There are 8 event levels for log4j that can be used by an application to write out to the log.
Apache’s log4j vulnerability
There are three documented security vulnerabilities with log4j 2 which include CVE-2021-45105, CVE-2021-45046, and CVE-2021-44228. CVE-2021-45105 documents that Apache log4j’s lookup evaluation does not protect from infinite recursion which could result in a denial-of-service (DOS). CVE-2021-45046 documents the remote code execution vulnerability in the Apache log4j 2.15.0 version. CVE-2021-44228 documents remote code execution because of the unsafe protocols used like JNDI by not restricting the names that can be resolved.
Log4Shell attack allows for users to have custom code to format a log message. It has to communicate with a directory server if it wants to log a user’s real name. This could result from infinite recursion so the software loops forever until resources are used up and cause a failure. Log4j allows for custom code that can be run to do all kinds of nefarious activities on a server such as stealing user credentials, taking over the target system, putting malware onto a system, and other malicious activities.
Results of the log4j vulnerability
Cybersecurity researchers have found that ransomware and other types of malware have been created to exploit the log4j remote code execution vulnerability. Some have reported that additional malware strains such as Dridex which target financial institutions have been reported on Windows computers. Dridex is a piece of malware that steals bank credentials from systems that use macros from Microsoft Word. Another example is an attack against the defense ministry of Belgium has been reported. Botnets are being used to deploy denial-of-service (DOS) attacks abusing the flaw in log4j. A botnet is a piece of bot malware that can be controlled remotely by an attacker to cause a denial-of-service attack. The issues are widespread and affect millions of computers around the world which makes it one of the largest security issues in history.
Apache’s log4j patch
The mitigation strategy for all three vulnerabilities is to upgrade log4j to version 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 or higher). For older versions of log4j refer to the Security page.
In this article, we explored the remote code execution attack, its prevention, and an exploration of the log4j vulnerability and the mitigation strategy. Log4j provides us with a warning of the importance of upgrading and updating software on a continual basis. Also, the need for better testing and automated testing to find the bugs before they happen.
If you have any questions or comments, please leave them below. We appreciate any and all comments from our readers. Thanks.
I am DrM, founder of http://techninjamasters.com. I have been working, learning, teaching, coaching, consulting, writing in technology for over 40 years.