New Log4J cybersecurity vulnerabilities identified

Learn about the what, why, and how of new Log4J vulnerability.

Take these steps to protect your business and prevent future cyber attacks.

Steps to protect your business

  • The new Log4J vulnerability (formally CVE-2021-4422) was disclosed on 9 December 2021.
  • The vulnerability affects many websites and can be exploited using remote code execution.
  • You can take steps to mitigate the risk by upgrading or several other options.

What is Log4J?

Log4J (Log for Java) is a Java framework distributed from Apache that facilitates logging service requests, such as distributing log information to various destinations. These destinations could be database servers, other Syslog resources, or text files. In short, Log4J is a website that manages and logs online user activity.

Log4J is used by enterprise software and by a wide number of consumer products that are web applications—such as banking sites or sites running on Amazon Web Services (AWS).

How are cyber attackers exploiting this new Log4J vulnerability?

Attackers are using Remote Code Execution (RCE) to exploit this new vulnerability.

RCE is a common exploit where an unauthenticated attacker can send specially crafted requests to a remote server. These requests manipulate the remote server’s functionality and provide access to the remote attacker.

Here’s how an RCE attack works against Log4J software.

  1. The cyber attacker enters a malicious string of code or a URL which is entered into the logging server and then passed to the log store.
  2. The log server inserts the malicious string of code into a query which makes a call request to the malicious URL.
  3. The requester (you) receives a response from the malicious server which contains malicious java code which will be downloaded and executed.
  4. With this code, an attacker may plant a Remote Access Trojan (RAT) on the Log4J server or use other means to have the infected server connect back to the attacker’s machine.

What does this mean for your business?

The new Log4J vulnerability only affects you when one of your assets is directly engaging the vulnerable software. This can happen with a business asset or one that you used with a third-party service for either personal or business reasons.

For example, if you made a purchase from an online store that uses Log4J, the device that accessed that site could be breached by an RCE attack. Even if this was a personal device, it could in turn affect your business security.

The consequences of an attack can be devastating. The cyber attacker could take full control of your system and do whatever they want; this could include encrypting your system, stealing your data, or impersonating legitimate users to attack other people on your system.

As of December 10th, companies such as Tenable have released a shortlist of services provided known to be vulnerable to the Log4J vulnerability. This list includes notable sites like Amazon, Apple iCloud, Minecraft, and Tesla.

The Kronos ransomware attack is an example of how malicious actors exploit this new vulnerability. Threat actors exploited the services that rely on Log4J services, allowing them to plant malicious software on the systems to encrypt files which led to a ransomware attack.

What can you do to mitigate the risk?

Ever since the vulnerability was discovered, various companies (such as Apache) have been focused on releasing patches and upgrades to mitigate the vulnerability. Log4j version 2.15.0 has been released by Apache which would require users to upgrade their Java version from version 7 to 8.

However, if upgrading is not immediately possible, three mitigation options are also available. These options do require some technical knowledge of the environment.

  • Option 1 (Applicable to Log4j 2.10 or greater)
    • Requires an administrator to go into the configuration and set the formatMsgNoLookups or Dlog4.formatMsgNoLookups to True;
  • Option 2 (Applicable to Log4j version 2.7 or greater)
    • Requires an administrator to adjust the Pattern Layout configuration to use %m{nolookups}; and
  • Option3 (Applicable to all Log4j 2 versions)
    • Requires an administrator to remove the JdniLookup and JdniManager classes from log4j-core.jar.

Next steps

There is still so much to learn about the Log4J vulnerability, and new information will continue to surface in days to come. The best advice we can offer our clients and partners is to follow the recommended guidelines and mitigation plans as closely as possible.

To stay up to date on new Log4J developments and other cybersecurity trends, consider contacting one of CAI’s cybersecurity experts who can answer any questions and start a cybersecurity assessment for your organization.

Let's talk!

Interested in learning more? We'd love to connect and discuss the impact CAI could have on your organization.

All fields marked with * are required.

Please correct all errors below.
Please agree to our terms and conditions to continue.

For information about our collection and use of your personal information, our privacy and security practices and your data protection rights, please see our privacy policy and corresponding cookie policy.