Discussing the Log4j Vulnerability

A security vulnerability was recently found in the Log4j library. This is a third-party library used for logging among other things in the Java programming language. This vulnerability can allow an attacker to execute arbitrary commands on a server running Apache or Tomcat. Developers are still unsure about the extent of this vulnerability, but it is recommended that you update your Log4j installation if you are running Apache or Tomcat. This blog post will discuss how to update your Log4j installation, what steps you can take to protect yourself, and what this bug means for developers using these libraries.

The Log4j vulnerability

 

Log4j is an open-source logging library for Java. The library was developed by Apache Software Foundation and is now the most popular logging tool for Java. A security vulnerability has been found in the implementation of Log4j, a popular logging framework. The flaw is related to the lack of authentication when creating loggers with the addLogger(), addAppender() and addPattern() methods. This vulnerability can be used to execute arbitrary code on a remote system, which leads to privilege escalation and data loss. The Log4j vulnerability is a high severity security flaw that can be exploited by an attacker to execute arbitrary commands.

Java developers use Log4j to generate logs of different levels, with different log messages. This is done through the use of configuration files, which are also open-source and can be downloaded from GitHub (https://github.com/apache/log4j2). The Log4j library is used by many applications, so it’s possible that you are currently running an application with the vulnerable Log4j library. It’s important to note that this vulnerability can allow an attacker to execute arbitrary commands on a server running Apache or Tomcat. However, developers are still unsure about the full extent of this vulnerability. Developers using this library are advised to update their Log4j installation as soon as possible to protect themselves from this vulnerability.

What is the Log4j Framework?

 

Log4j, which allows developers to create applications that store logging data in a central location, has been released as open-source software for nearly a decade. It is supported by dozens of volunteer developers and maintained by Apache’s Apache Software Foundation.

“When you set up your log4j-config.xml configuration, you specify what information you want to record and the kind of format you want to use,” said Schirra. “Everything that has to do with that goes through the framework.”

Who is vulnerable?

According to the Apache Software Foundation, the main victims are application developers and other software systems that use Log4j, such as log management products and websites and online games.

What are the consequences of the vulnerability?

 

The flaw allows remote attackers to run malicious code on servers running versions 4.1, 4.2 and 4.3 of Log4j 2.0, 4.1 and 4.2 of Log4j 1.1, 4.1 and 4.2 of Log4j 1.5 and 4.3 of Log4j 1.4.

In some cases, that code is written to interact with login or user accounts and silently execute malicious commands when a user or an administrator logs in. In other cases, it is written to alter other servers, such as web servers.

Equifax, the credit reporting company, suffered an intrusion in September. The company’s website and internal servers were accessed. One breach involves an intrusion-related software flaw that would have allowed attackers to bypass a security feature known as “user activity logging.

How do attackers hack it?

 

Hackers can potentially use Log4j to hijack other people’s computers and websites running the software. The vulnerability resides in the application programming interface Log4j uses to exchange data with other applications. The problems with Log4j arise from that interface. It’s a so-called DWARF interface, which means it supports a wide range of language compiler types. In addition, the methods Log4j uses to parse and store data can be used to manipulate it, without the knowledge of the developer who created the code.

How to update your Log4j installation

 

If you’re running Tomcat or Apache and using Log4j, it is important that you update your installation to the latest version. This will protect against this vulnerability.

Apache

To update Apache’s Log4j library, follow these steps:

1. Download the new .jar file from the Apache website here: https://www2.apache.org/dist/logging/.

2. After downloading the new .jar file, you need to copy it into a directory on your computer like: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\.

3. Now go to Start -> Run -> cmd and type “cd C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf” then hit enter then type “unzip log4j-1.2-beta9-with-dependencies.zip”.

4. Now open up Windows Explorer and go to C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf and delete all of the files except for log4j-1.2-beta9-with dependencies folder so that there are no other files in this

What steps you can take to protect yourself

 

The Open Web Application Security Project has rated the Log4j vulnerability a 10, with 10 being the most severe. At present, there are no patches available, although the Log4j development team has released patches for some versions of Log4j. This makes the vulnerability hard to exploit and attacks are only possible if you are a developer or manager.

What is the Web server software that is vulnerable?

Open Web Application Security Project says there are three versions of Web server software that are vulnerable to the attack: Apache, Tomcat, and Jetty.

No software vendor or Apache-specific group has officially identified a vulnerability in Apache that affects this release. However, Microsoft Corp. said in an advisory that it is the software that is vulnerable.

The Log4x library is vulnerable to a remote code execution vulnerability. To protect your server, you should take the following steps:

1. Check whether you are running Apache or Tomcat and update the Log4x library if needed.

2. Disable Apache’s default log directory located at “logs” in Linux and Solaris or “C:/Program Files/Apache2/logs” in Windows.

3. Disable sending an email when an error occurs by setting the JAVA_OPTS environment variable to “-Dorg.apache.catalina.LifecycleListener=OFF”.

4. Disable logging by setting the JAVA_OPTS environment variable to “-Djava.util.logging=WARN”.

What this bug means for developers using these libraries

 

This vulnerability opens the door for an attacker to execute arbitrary commands on a server. If you’re a developer and use Log4j with Apache or Tomcat, it’s important that you update your installation as soon as possible.

If you’re worried about how to protect yourself from this vulnerability, we recommend:

– Using your firewall to limit access to the vulnerable functions of Log4j

– Using your firewall and setting up a custom filter

– Installing bundle “security” in Log4j

Apache users

 

If you are using the Apache web server, update your Log4j installation to version 2.13.5 or later. Follow these steps to install the latest version of Log4j:

– Download the latest version of Log4j from the Apache website

– Extract the .zip file that you downloaded

– Change directories into the newly created directory

– Run ./bin/log4j

Tomcat users

 

Tomcat users are the most at-risk. The vulnerability occurs when Apache or Tomcat is used to handle requests. When a request is made by the attacker, they are able to execute arbitrary commands on the server. This vulnerability can be exploited by an attacker who has access to your network. If you have not implemented any security measures, this would allow for easy exploitation. Developers using Log4j should update their installation as soon as possible. This will prevent any unauthorized access to your server running Apache or Tomcat.

Conclusion

 

Vulnerabilities such as these are serious problems for all software users. In this case, it is critical that organizations maintain the updates of their Log4j, particularly as the vulnerability has been active since early July.

The Log4j vulnerability is a high-risk event for developers. Here are some steps you can take to protect yourself:

• Update your Log4j installation to the latest version (1.2.17). 
• Familiarize yourself with the vulnerability and how to update your Log4j installation. 
• Know that this bug means that you should monitor your traffic and logins.
• Know that this bug may affect other libraries that use Log4j, such as Apache and Tomcat.

Gartner advises business leaders to consider this type of risk a design risk since many software companies will release patches for their software that can address the issue. In addition, it is advised that organizations audit their environments and revise their development, testing and operational processes to make sure they don’t introduce loopholes for hackers to exploit.

By analyzing the evolution of vulnerabilities and applying a process-based approach to assess the risk, organizations can better manage the risk to their systems: Log4J remediation solutions