Log4j – CVE-2021-44228
On the 9th of December 2021 a critical remote code execution vulnerability affecting multiple versions of the Apache Log4j 2 library was publicly disclosed via GitHub. The vulnerability is also known by the name Log4Shell.
What is Log4j and why is it vulnerable?
Apache Log4j is a Java based logging utility and is widely used in many applications and services. Logging enables developers to see activity of an application and can help with a wide variety of tasks.
The vulnerability exists where an application takes untrusted user input and passes it to a vulnerable version of the library. The library processes this input and allows malicious code to be executed.
The application security consultants at IRM are already versed in how to test for this within web applications.
How does this vulnerability affect my organisation?
The first step in understanding the impact to your organisation is to identify which applications and services use the Log4j library.
Prioritising internet facing systems, a good starting place is to review asset management databases and network diagrams and methodically working through known assets. The Netherland’s National Cyber Security Centrum (NCSC) has collated a list of affected products which is being constantly updated.
https://github.com/NCSC-NL/log4shell/tree/main/software
Additionally searching filesystems for Log4j will help identify possible references and usage of the library.
IRM are here to support you if you need any help or advice with the Log4j vulnerability or would like assistance on how to find it within your on-premises IT systems or cloud services.
Mitigation
Where instances of Log4j have been identified, they should be upgraded to the latest version.
To mitigate the vulnerability for products where the vendor has not yet released an update,
- for releases greater than 2.1.0 set a system property “log4j2.formatMsgNoLookups” to “true”
- for releases less than 2.1.0 remove the JndiLookup class from the classpath.
IRM can work with your application support teams to plan change requests and estimate downtime to continue service with as little interruption as possible.
Please contact sales@irmsecurity.com for more information.