Log4J vulnerability alerted everyone around the world! In this article, we have covered everything you would like to know about this vulnerability, its effects, and affected systems.
The importance of data security has also increased significantly with the development of technology. Recently cyber security researchers discovered a vulnerability affecting millions of smart devices and systems on the Apache Log4j system.
Apache Log4j, which is responsible for keeping system logs, is actively used by many popular companies such as Red Hat, Twitter, Tesla, Apple iCloud, Amazon, Steam, Cloudflare, and Cisco. Some cyber security researchers shared information about the smart devices they hacked on Twitter.
Contents
What Is Log4J?
Log4j is a logging library, which is also known as a logging framework, developed by the Apache Software Foundation. You need the log4j.jar file and properties file where log4j definitions are made to use log4j. This properties file can be log4j.properties or log4j.xml files by default.
While Log4j is a java library that we can use in java applications, it also has other versions such as log4php (PHP logging), log4net (.NET logging), log4cxx (C++ logging). Log4j makes level-based logging, and users can set this level in the log4j.properties file.
Developers can also increase this level in case of a failure or crisis or reduce depending on their needs. When reduced, it writes fewer logs and uses minimum system resources. An additional trace log level has been added with Log4j version 1.2.14.
What Is Apache Log4J Vulnerability?
The cyber security industry is going through one of the most critical periods in its history. The Apache Log4j vulnerability affecting billions of actively used devices caused cyber security companies to spend extra hours.
The vulnerability published with the code CVE-2021-44228 allows hackers to take over systems with Apache Log4j with Remote Code Execution (RCE). RCE, known as remote code execution, allows hackers to gain full access to the system.
Hackers attack with a certain character sequence and run malicious code in the system logs of the application. Researchers who have published a Proof of Concept (PoC) on the subject states that the vulnerability possibly affected approximately 3 billion devices around the world.
The vulnerability affects Apache Log4j versions 2.0-beta9 to 2.14.1. but addressed with version 2.15.0 by Apache. Cyber security researchers stated that this vulnerability affected all Android and iOS devices.
Some cyber security researchers underlined that firewalls such as Cloudflare could not prevent Apache Log4j vulnerability as well
Which Systems Did Log4J Vulnerability Effect?
Log4J Vulnerability allows attackers who exploit the zero-day vulnerability to have full control over the systems. NIST is currently evaluating this critical vulnerability and they did not share anything about its CVSS score yet.
This vulnerability affected all versions of the log4j library between 2.0.1 and 2.14.1, including many services and applications written in Java.
What makes the vulnerability more critical is that the experts also published the PoC exploit code. Apache Foundation is the owner and developer of Log4j, and many enterprise applications and cloud services widely use it.
Experts believe that the vulnerability affected many fields from enterprise software to web applications, as well as companies such as Twitter, Apple, Amazon, Steam, and Cloudflare.
We warn our clients about the severity of attacks using CVE-2021-44228 RCE vulnerabilities. Many services are vulnerable to this exploit. With this news, cloud services like Steam, Apple iCloud, and apps like Minecraft turned out to be vulnerable too.
We also would like to note that any system using Apache Struts is probably vulnerable. We have seen similar vulnerabilities exploited in breaches such as the 2017 Equifax data breach.
What Can You Do for Log4J Vulnerability?
Apache released Log4j 2.15.0 to address the CVE-2021-44228 RCE vulnerability that has maximum importance.
You can minimize the vulnerability by setting the system property “log4j2.formatMsgNoLookps” to “true” in version 2.10 and above and removing the JndiLookup class from the class path.
We also urgently recommend upgrading log4j versions to log4j-2.15.0-rc1 to prevent exploitation of the vulnerability. Please feel free to contact us for further details or recommendations.