What Everyone Ought to know about Log4j

Log4j is a tool developed by the Apache Software Foundation written in java and used as a logging framework. It is an open-source Java API used for logging and this java logging library is incorporated widely into various apache applications to track activity within an application.

Log4j Log expression:

Logger log = LogManager.getLogger(“ExampleClass”)

log.info(“Search term was {}”, “example”);

The above code will first instantiate a log using the LogManager function from Log4j. Then log.info will print the output “Search term was example” to the console when the application is run. It is the most standard way of logging in to java.

Log4j Architecture:

Applications using the Log4j 2 API will ask the LogManager for a Logger by name. The relevant LoggerContext will be found by the LogManager, which will then get the Logger from it. The LoggerConfig that has either the same name as the Logger, the name of a parent package or the root LoggerConfig will be linked to the Logger if it needs to be generated. Logger declarations in the configuration are used to construct LoggerConfig objects. The Appenders that actually send the LogEvents are connected to the LoggerConfig.

Log4j architecture by logging.apache.org

Log4j Exploitation:

In order to check for faults, Log4j will first log messages in the program. Because of its logging capabilities, it can interact with directory services and other internal system components which creates an opening for vulnerabilities. Log4j has been used to create a method for creating malicious code strings that can be executed. The main method of attack is to send messages to Log4j that tell it to download and run malicious software from a remote server, giving the attacker further control over the victim’s computer.

Log4Shell (CVE-2021–44228) was the active zero-day vulnerability in Log4j. log4Shell allows remote attackers to gain access to vulnerable targets. An attacker simply needs to make a straightforward malicious request with a formatted text, which the log4j library will then pick up, to carry out remote code execution.

This vulnerability was gone unnoticed since 2013 and it was later discovered by Chen Zhaojun of the Alibaba Cloud Security team and was disclosed publicly on 9 December 2021. Apache estimated CVE-2021–44228 to a CVSS score of 10, which indicates the most vulnerable vulnerability. This vulnerability affected hundreds of millions of devices as it was easy to execute by attackers.

This flaw was fixed by Apache in Log4j version 2.15. But Security experts claim that the vulnerability’s exploitation attempts have begun to affect servers that are still at risk.

Mitigation of Log4j Vulnerability:

The best way to prevent your organization from such attacks is to stay updated with the latest servers and install the patches as soon as it is released by the vendors.

A good mitigation strategy to stop attackers is to use outbound firewall rules on servers. If the server is able to perform DNS lookups, attackers will search for susceptible log4j2 instances, which will cause the DNS lookup.

To mitigate such risks in the future, organizations need to take steps to maintain a document of every component utilized in the IT environment along with a plan for how they can be upgraded or patched in the future.



Identifying top 1% Vulnerabilities in enterprise tech stack

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store