Log4Shell: The Log4j Vulnerability Explained

Most computer users have never heard of Log4j, and that’s the way the developers intended it to be. It’s an obscure but nearly ubiquitous piece of software that can be found in millions of computers, both desktops and servers alike, that have any kind of Java programming installed on them. This piece of software records all manner of activities that go on under the hood in a wide range of computer systems, from web servers and databases to traffic lights and self-driving cars. A relatively recently discovered Log4j vulnerability that you probably never heard of could be putting you at risk.

A recently discovered vulnerability in Log4j has left millions of computers vulnerable to cyberattacks — yes, millions of computers! In fact, a leading cybersecurity firm Akamai Technologies Inc. has tracked 10 million attempts to exploit the Log4j vulnerability per hour in the U.S alone. And that’s not enough to make you break out in a cold sweat, experts have also revealed that globally 3 billion devices that use Java across a variety of consumer and enterprise services, websites and applications, as well as medical devices and supporting systems are affected and vulnerable to the Log4j security vulnerabilities.

Do you know how to protect yourself against this vulnerability? Continue reading as we share more information on Log4j vulnerabilities and what steps you can take to protect yourself.

What is log4j and how does it pose security risks?

Log4j is an open source logging utility for Java that allows developers to write log statements within their application and control its logging levels. While there are several other logging frameworks available, Log4j is popular because it is simple and easy to use.

Log4j is a widely used logging framework. It’s implemented in Java and utilized by many applications to produce logs that are sent to central log servers for monitoring. Logging is an important process that can help developers understand how applications are performing and identify unexpected behavior so they can be fixed before release. However, what if you couldn’t control what logged? That’s precisely what happened with log4j. A few vulnerabilities were discovered that could allow anyone to add code into your system’s logs. This code could do anything from stealing information about your system or user credentials to turning your computer into part of a botnet.

A new version of Log4j was released in March 2017, but researchers have discovered serious security flaws that affect all earlier versions of Log4j. The problem is not with Log4j itself, but rather with one of its dependencies: Apache Commons Collections (ACC).

The researcher who found this vulnerability says: Logging systems such as log4j rely on third-party libraries such as commons-collections (aka apache commons collections) to sort objects. These sorting routines contain an implementation of quicksort which can be exploited by malicious users to perform a denial-of-service attack against applications using these libraries. What does that mean? It means hackers can exploit Log4j’s dependence on ACC by flooding it with data so that your computer runs out of memory and crashes. This can happen even if you’re just trying to read something from your browser or listen to music!

What is Log4Shell Vulnerability?

Log4j vulnerabilities encapsulates various vulnerabilities including the Log4shell. Log4Shell is one of the most exploited software vulnerabilities in Apache Log4j 2. Log4Shell is a security vulnerability that can allow malicious actors to perform remote code execution attacks. Although it only affects computers running Java 7 and earlier, there are a massive number of systems affected by Log4Shell. According to ZDNet, an estimated 8 million Web servers use Log4j and so do nearly half of all Fortune 500 companies.

What makes Log4Shell so dangerous is its versatility; it can be exploited for multiple purposes, including data theft and crypto-currency mining. For example, hackers could potentially use Log4Shell to obtain information such as usernames and passwords. However, more frighteningly, they could also run programs on targeted machines without user permission or knowledge—something known as remote code execution. This means that hackers could potentially download malware onto your computer without you ever knowing about it!

In Dec 2021, Apache issued a security patch for CVE-2021-44228, version 2.15. However, this patch left part of the vulnerability unfixed, resulting in CVE-2021-45046 and a second patch, version 2.16, released on December 13. Apache released a third patch, version 2.17, on December 17 to fix another related vulnerability, CVE-2021-45105. They released a fourth patch, 2.17.1, on December 28 to address another vulnerability, CVE-2021-44832 that received a CVSS score of 10 out of 10 that is the highest-level severity score.

Since the initial discovery of the Log4j vulnerability, the number of vulnerabilities has increased and till today many of the vulnerabilities still remain unpatched. Experts report that over 30% of log4j instances are still vulnerable to malicious cyber attacks.

As long as your computer has Log4j installed, it’s vulnerable. And unfortunately, according to some estimates, more than half of all computers do have Log4j installed. So what should you do? Ensure to follow the below tips to protect yourself from log4j vulnerabilities.

1- Get rid of log4j

The first step to protect yourself against a log4j exploit is to ensure that it’s not installed. If it is, remove it immediately. Unless your system requires application logs, there’s no reason why Log4j should be used. Your operating system comes with its own logging capabilities; use them! In many cases, they’re more than sufficient for basic debugging purposes.

If your software does require custom logging capabilities, consider using a third-party library such as Apache Commons Logging or SLF4J (Simple Logging Facade for Java). Both of these libraries are widely supported and well-documented. They also provide additional benefits such as internationalization and automatic resource management.

2- Keep your system and apps updated

Upgrade to a newer version of Log4j immediately—if you haven’t already done so—and remove any older versions from your system. Then update any external libraries that might depend on Log4j and ensure they are updated too.

There are a number of steps you can take to protect yourself against Log4j vulnerabilities. The easiest and most obvious solution is to make sure that your device and apps are updated with all available updates and patches from the developers. You should also scan for viruses, spyware, malware, trojans and other malicious programs that might be installed on your computer. Running an antivirus or anti-malware program regularly should keep your system free of any infection or compromise.

Conclusion

Protecting yourself from Log4Sj threats is not very difficult. All that you need to do is update your software. You can also install firewalls, antivirus programs and other software designed to protect your computer system against these types of attacks. Additionally practicing best digital security practices will not only help you ward off log4j threats but also other types of malicious cybersecurity threats. Therefore, be sure to always try to gain essential cybersecurity education and training, so you can spot and mitigate various digital threats.

Scroll to top