Responding to the Log4Shell Vulnerability

Responding to the Log4Shell Vulnerability

Brad Ediger

December 15, 2021

Over the last week, cybersecurity experts and developers around the world have scrambled to understand and mitigate a frightening zero-day vulnerability in a popular Java library. The scope and severity of the Log4j vulnerability are both alarming.

Fortunately, teams have been quick to respond with patches to resolve the issue. Unfortunately, due to the type of vulnerability and the ubiquity of the library, implementing these patches is not as simple.

In this blog, we’ll explain what happened, how you can mitigate the situation, and provide you with some resources to help you get started protecting your system.

What Happened?

Log4j is a popular Java logging library that’s used in multiple parts of the Java ecosystem to let developers record activity within their software. Version 2 of Log4j has support for many features, although some of them are combined together in dangerous ways.

The new exploit — commonly called Log4Shell and officially named CVE-2021-44228 — allows attackers to insert code into a log message that manipulates Log4j’s functions within your system. Because modern applications often log untrustworthy data (such as the contents of an HTTP request), there are many ways for an untrustworthy attacker to leverage this vulnerability. And because Java is embedded throughout the entire ecosystem — from your smartphone to the basic infrastructure that supports the public Internet — this vulnerability can have devastating consequences.

Since the vulnerability existed in the default configuration of Log4j, it has affected many organizations, even those who were taking all reasonable precautions against known issues. As a “zero-day” vulnerability, the existence of the problem was unknown before its public disclosure.

Teams have been quick to act, and the mature players in the industry are all actively protecting against this flaw. Your system will need to incorporate any fixes to your third-party providers, and in many cases, your team also will need to respond to protect against the vulnerability in your own codebase.

Should I Worry and How Can I Mitigate This Situation?

Yes, you should worry about this vulnerability as it’s an extremely serious problem. Many groups are actively exploiting it, and if you have vulnerable systems on the public Internet, they may already be compromised.

At the time of writing, the most sure way to avoid these vulnerabilities is to ensure that Log4j cannot use JNDI and does not perform message lookups. The Log4j configuration in version 2.16.0 has defaults which mitigate the problem by disabling both JNDI and message lookups.

You should continue to check third-party software you are running for critical updates, as vendors across the world have been working to patch this vulnerability since its announcement.

Tools like log4j-detector may help monitor systems for attempted exploits. However, this is a fundamentally reactive strategy: once the alarm trips, the horse may already be out of the barn.

For software that is written or maintained in-house, refer to the Log4j Security reference page, which provides details of affected versions and detailed mitigations. It has important information for those implementing fixes, including warnings about some occasionally suggested mitigations that are not sufficient to fix the entire problem.

Have Questions or Concerns?

Reach out. We can help determine if you’re affected, assess your risk, and walk you through mitigation options.

Read More

Brad Ediger

Head of Technology

A staple in the Chicago tech scene since 2005, Brad Ediger serves as our Head of Technology with a focus on growing 8th Light's profile as a software consultancy. He joined 8th Light in 2019 when he merged his independent consultancy with the company.