January 6, 2022

What is Log4j and why is it so important?

Log4j hit the news in December as one of the most important cyber security vulnerabilities identified in 2021. With new updates being released on a daily basis, we have summarised the key points that you need to know about this incident so far, the possible threats to your business, and practical next steps you should take.

What is Log4j?

Log4j is a library used by Java developers to enable logging within the applications they create. Its use is widespread with virtually every Java application using it in one way or another. The vulnerability identified in December 2021 was found in Log4j library version 2.0 beta 9, with exploitation attempts being recorded by Cloudflare as early as December 1st.

The vulnerable section of the library was the Java Naming and Directory Interface (JNDILookup) plugin which allows a developer to enrich data that is being logged by the application. The JNDILookup API enables the application to look up objects and retrieve data from various protocols such as DNS, RMI, LDAP/S and its poor handling of the data being logged is the cause of the issues.

Why is the Log4j vulnerability a threat?

One of the biggest issues we face with this vulnerability is the widespread use of Log4j, and attempting to identify all potential instances is virtually impossible without support from software vendors or the availability of source code. Successful exploitation of the vulnerability can lead to potentially disastrous results, with one of the biggest risks to businesses being that threat actors could remotely deploy malware, potentially leading to a data breach or ransomware attack.

This vulnerability is caused by poor validation of user input, as the Log4j library does not check, and blindly trusts, whatever data is passed to it when attempting to write logs. This is devastating, as any data supplied by a user that is processed by the vulnerable section of code can be used to exploit the vulnerability. There have also been reports of botnets attempting to exploit webpages at random by sending exploit strings in different request headers. Although it’s not just webpages and applications at risk, but servers and other key infrastructure components such as firewalls and web proxies.

How can you protect your business?

Patches are available for the vulnerable library and most vendors have released updated versions of software to mitigate this vulnerability. It is critical that any instances of the vulnerable libraries within your business are found and patched immediately. It is also highly recommended that firewall rules on all application servers are reviewed to ensure they only allow communication to destinations outside your network where necessary.

Given the widespread impact of this vulnerability, if you have confirmed, or even suspect, that you’ve been affected, then taking steps to detect abnormal activity on your network and hosts is of the utmost importance. Some things to look out for might be:

CPU spikes in relation to attackers deploying cryptocurrency miners.

Unauthorised configuration changes. If you do not have an existing plan, or if you are not actively updating a configuration management document, then it can be extremely difficult to spot unauthorised changes.

Unexpected network connections or communication within your business.

Exfiltration of large volumes of data. Once again, abnormal behaviour detection techniques may help here, and it is generally easy to spot. Once normal behaviour patterns are established it would be noticeable to detect huge chunks of data being transmitted.

How can the Secure Impact team help?

If you are concerned that your company systems could be affected by Log4j, please contact the Secure Impact team. We can assess and mitigate any threats to ensure that you are not at risk of an incident or breach.