Log4j zero-day vulnerability: What it is and how it impacts users, all explained in 5 points

A newfound security risk has caused an upheaval in the world of cybersecurity. The risk generates from a vulnerability in Log4j, a widely used Java-based logging library developed by the Apache Software Foundation. Since many services like Apple iCloud, popular gaming service Steam and online game Minecraft use Log4j, the vulnerability is being considered as one of the most dangerous ones found in recent years.

What's more concerning with the security risk is that it has been found to be actively exploited in the wild, hence the zero-day status. A zero-day exploit means that hackers are actively targeting the vulnerability, while a fix has not reached all the at-risk systems yet.

Adding to these concerns is a proof-of-concept exploit that has been shared online since the vulnerability has been made public. The concept shows that everyone employing Log4j is potentially a target for attacks that can trigger remote code execution (RCE). So in order to be safe against such attacks through the vulnerability, it is important to get into the detail of the newfound security risk. Here is what we know about it so far.

- The security risk with Log4j has been termed as CVE-2021-44228 or Log4Shell or LogJam. It has been ranked among the most severe security risks on the internet as of now, as it affects all versions of Log4j. This includes Log4j version 2.0-beta-9 to version 2.14.1. This simply leaves a vast number of services exposed to the vulnerability, since there are a whole lot of systems using Log4j.

As mentioned by Sean Gallagher, senior threat researcher at Sophos, "Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organization’s infrastructure, for example, any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security."

- As mentioned in a blog on Apache Logging Services, the vulnerability was discovered by Chen Zhaojun of the Alibaba Cloud Security Team. As per the Common Vulnerability Scoring System or CVSS, Apache team ranked the vulnerability as 10. This means that the Log4Shell has been rated as a "Critical" vulnerability.

The blog states that such security risks "could potentially be exploited by a remote attacker." The attacker can get Log4j to execute arbitrary code on a system. Such vulnerabilities can even be exploited automatically by worms.

- In a demonstration on a local computer, the security team at Sophos shows how easily the security loophole in Log4j can be used for remote code execution. An attacker who knows the right data format to use, can use the Log4j vulnerability to simply pass a Java program to your server that implants malware on it.

The report by Sophos mentions this as an "uncomplicated, reliable, by-design remote code execution (RCE)," which is triggered by nothing other than the user-supplied data. Ironically, this data may be getting logged for auditing or security purposes.

- Log4Shell exploits LDAP or Lightweight Directory Access Protocol. This is a software protocol that lets anyone to locate data about resources such as files and devices within a network. This network could be on the Internet or on a corporate Intranet.

Apache states that the Network Device Interface or NDI features used in "configuration, log messages, and parameters" do not protect against attackers in this case. "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers," it explains. This is possible when message lookup substitution is enabled.

The issue has notably been fixed with Log4j 2.15.0, the latest version of the Log4j library, as log4j 2.15.0 comes with message lookup substitution disabled by default. It is thus suggested for all IT teams to find all codes in their network which are written in Java and check whether they use the Log4j library. Out-of-date Log4j versions should be updated as soon as possible.

- Sophos has noted numerous attacks attempting to exploit the Log4j vulnerability. In numbers, the cybersecurity firm mentions that "hundreds of thousands" of such attempts have been detected so far.

Attackers seem to carry out these attacks for various, nefarious purposes. Some attempt to install Cryptomining botnets on systems, while others try to extract information from services, including Amazon Web Services. Sophos mentions that these attacks are only expected to grow in the coming days and weeks.