
LOG4J security vulnerability (Log4Shell)

On Nov. 24th 2021 a severe security vulnerability, called “Log4Shell”, was reported in the Java logging framework “Log4j” 2.x, which is widely used for event logging in Java applications worldwide.

The vulnerability allows attackers to execute arbitrary code remotely by getting a specially crafted string into data that the application logs through Log4j. The “Log4Shell” vulnerability therefore allows a complete server takeover by the attackers.

The vulnerability is described in the National Vulnerability Database (NVD) here: CVE-2021-44228 and CVE-2021-45046.

There is an ongoing effort to understand the full impact of the vulnerability and its implications for threats and exploits. It may take months to understand its complete fallout.

Since Dec. 15th 2021, a fix has been available in Log4j version 2.16.0.

How does the cyberattack using the Log4J bug work?

[Figure: Log4J Bug]

More information can be found here

How can I find out if I’m affected?

Although it depends on several conditions (environment, configuration, etc.), there is a rule of thumb to check whether your system or application is affected:

Look for the following files in your system or application directory:

  1. Log4j-api-{VERSION}.jar
  2. Log4j-core-{VERSION}.jar

NOTE:

  • BOTH files must be present for a system to be affected. If you find only Log4j-api-{VERSION}.jar, you are NOT affected, as posted by TRUESEC, MICROSOFT and on LinkedIn.
  • All VERSIONS from 2.0-beta9 to 2.14.1 are affected.
  • If you find other similar-sounding libraries (like syslog4j, etc.), you are NOT affected.

Although it is rather tedious to look for vulnerabilities in a complex enterprise ecosystem, it is recommended to leverage platforms that allow you to rapidly search enterprise assets for software that is susceptible to the Log4j vulnerability.
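The rule of thumb above, turned into a small inventory check (an added example, not SECUDE's own tooling): it walks a directory tree, matches only log4j-api-*.jar and log4j-core-*.jar (ignoring look-alikes such as syslog4j), reports "not affected" where log4j-api is found without log4j-core, and flags log4j-core versions from 2.0-beta9 to 2.14.1. The sample directory layout it builds is constructed for the demonstration; run it against your own application or installation directories instead.

```python
import re
import tempfile
from pathlib import Path

# Only log4j-api-*.jar / log4j-core-*.jar match; similar names (syslog4j-*.jar) are ignored.
JAR_RE = re.compile(r"^log4j-(api|core)-(\d+(?:\.\d+)*(?:-[a-z]+\d*)?)\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-release tags sort before a final release (3)

def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0); tuples compare in order."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?$", text, re.I)
    nums = ([int(x) for x in m.group(1).split(".")] + [0, 0, 0])[:3]   # 2.0 == 2.0.0
    tag, num = m.group(2), m.group(3)
    return (*nums, PRE_RANK.get(tag.lower(), 0) if tag else 3, int(num or 0))

AFFECTED_MIN, AFFECTED_MAX = parse_version("2.0-beta9"), parse_version("2.14.1")

def scan(root):
    """Map each directory (relative to root) holding log4j jars to (status, log4j-core version or None)."""
    root, found = Path(root), {}
    for path in root.rglob("*.jar"):
        m = JAR_RE.match(path.name)
        if m:
            key = path.parent.relative_to(root).as_posix()
            found.setdefault(key, {})[m.group(1).lower()] = m.group(2)
    report = {}
    for directory, jars in found.items():
        core = jars.get("core")
        if core is None:                      # log4j-api alone: NOT affected
            report[directory] = ("NOT affected: log4j-api only, no log4j-core", None)
        elif AFFECTED_MIN <= parse_version(core) <= AFFECTED_MAX:
            report[directory] = ("AFFECTED: log4j-core in 2.0-beta9..2.14.1", core)
        else:
            report[directory] = ("outside the affected range (fixed release: 2.16.0)", core)
    return report

def build_sample_tree():
    """Constructed sample layout with empty placeholder jars, for exercising scan()."""
    root = Path(tempfile.mkdtemp())
    layout = {
        "app1/WEB-INF/lib": ["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar"],
        "app2/WEB-INF/lib": ["log4j-api-2.14.1.jar", "log4j-to-slf4j-2.14.1.jar"],
        "app3/lib": ["log4j-api-2.16.0.jar", "log4j-core-2.16.0.jar"],
        "app4/lib": ["log4j-api-2.0-beta9.jar", "log4j-core-2.0-beta9.jar"],
        "app5/lib": ["syslog4j-0.9.46.jar"],
    }
    for sub, names in layout.items():
        (root / sub).mkdir(parents=True)
        for name in names:
            (root / sub / name).touch()
    return root
```

A directory that is flagged still has to be confirmed with the software supplier, since the application must actually use Log4j for the finding to matter.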

Recommendations if you are affected

If you find BOTH files, there is still a chance that you are not affected, as your application or system must ALSO actually use Log4J. To find out whether your application or system uses Log4J, please contact your corresponding software supplier.

In any case, as the patched Log4j version 2.16.0 has been available since December 15th 2021 (here), apply the corresponding security patches from your software suppliers.

If patching is not possible, you may check the following link for further recommendations: https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

Companies should apply security updates frequently to minimize and mitigate such vulnerabilities in future. Identifying and patching this vulnerability may still take some time and resources.

Is SECUDE Software affected?

NO.

SECUDE has analyzed the case in detail to understand whether any software component is affected.

RESULT: Log4J is not utilized by SECUDE Software or its dependencies.

Although Log4j-api-{version}.jar and Log4j-to-slf4j-{version}.jar are delivered as a second-order dependency in some applications and versions of SECUDE software (both can be found in {installation directory/application_name}/WEB-INF/lib), Log4j-core-{version}.jar is NOT delivered.

Thus, there is NO RISK from the Log4Shell vulnerability.

Authors and Contributors: Holger Huegel & Philipp Meier

References:

https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

https://www.securityweek.com/industry-reactions-log4shell-vulnerability

https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html

https://www.truesec.com/hub/blog/apache-log4j-injection-vulnerability-cve-2021-44228-impact-and-response

https://www.linkedin.com/pulse/log4shell-cve-2021-44228-apache-log4j2-surendra-kumar-sunkara

https://logging.apache.org/log4j/2.x/download.html
