Apache Log4j vulnerability highlighted by security researchers last Friday: Experts say it could lead to sensitive data leakage.
Many IT companies have begun patching the Log4j vulnerability or Log4Shell, a security breach may allow sensitive data to be exfiltrated and result in applications being unavailable.
What is Apache Log4j
The Apache Log4j logging software is written in Java. It is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of several Java logging frameworks.
Apache Log4j Security Vulnerabilities
All the security vulnerabilities fixed in released versions of Apache Log4j 2. Each vulnerability is given a security impact rating by the Apache Logging security team. please note that this rating may vary from platform to platform. We also list the versions of Apache Log4j the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.
Apache Log4j 2
Apache Log4j 2 is the successor of Log4j 1 which was released as GA version in July 2014. The framework was rewritten from scratch and has been inspired by existing logging solutions, including Log4j 1 and java.util.logging.
Apache Log4j 2 Security Vulnerability
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.
Important: Security Vulnerability CVE-2021-45046
The Log4j team has been made aware of a security vulnerability, CVE-2021-45046, that has been addressed in Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up.
Summary: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Details
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default.
Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
Java 8 (or later) users should upgrade to release 2.16.0.
Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
The main differences from Log4j 1 are:
- Improved reliability. Messages are not lost while reconfiguring the framework like in Log4j 1 or Logback
- Extensibility: Log4j 2 supports a plugin system to let users define and configure custom components
- Simplified configuration syntax
- Support for xml, json, yaml and properties configurations
- Improved filters
- Property lookup support for values defined in the configuration file, system properties, environment variables, the
- ThreadContext Map, and data present in the event
- Support for multiple APIs: Log4j 2 can be used with applications using the Log4j 2, Log4j 1.2, SLF4J, Commons Logging and java.util.logging (JUL) APIs.
- Custom log levels
- Java 8-style lambda support for “lazy logging”
- Markers
- Support for user-defined Message objects
- “Garbage-free or low garbage” in common configurations
- Improved speed
One of the most recognized features of Log4j 2 is the performance of the “Asynchronous Loggers”. Log4j 2 makes use of the LMAX Disruptor. The library reduces the need for kernel locking and increases the logging performance by a factor of 12. For example, in the same environment Log4j 2 can write more than 18,000,000 messages per second, whereas other frameworks like Logback and Log4j 1 just write < 2,000,000 messages per second.
Microsoft’s unified threat intelligence team, comprising the Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, RiskIQ, and the Microsoft Detection and Response Team (DART), among others, have been tracking threats taking advantage of CVE-2021-44228, a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”.
The vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component.
The bulk of cyber attacks that Microsoft has observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers.
