Log4j is a widely-used Java-based library developed by Apache Software Foundation that’s designed to enable developers log various levels of information (trace, debug, info, warn, error, and fatal) from their applications for troubleshooting and monitoring purposes. It has appenders that are responsible for determining where the log messages go, such as console, files, databases or remote servers. The configuration can be done using XML, JSON, or properties files, enabling flexible setup and customization for different environments and requirements. Log4j is designed to be highly efficient, with minimal impact on application performance, making it suitable for high-throughput environments.
Log4Shell (CVE-2021-44228)
This was a huge vulnerability that had a significant impact on many organizations worldwide, impacting Log4j versions 2.0-beta9 to 2.15.0 by allowing attackers to execute arbitrary code on a remote server (RCE) simply by crafting a malicious input string that gets logged by the application leading to full system compromise.
Log4j is a fundamental component in many legacy and modern systems, it’s pervasive use means that the vulnerability potential impact remain significant as many organizations continue to run legacy systems that may not have been fully patched or updated, keeping the risk of exploitation alive.
Technical Mitigations Log4Shell
- Upgrade Log4j: Ensure that all systems are running at least Log4j 2.16.0 or later, which includes fixes for Log4Shell.
- Remove JndiLookup Class: This can be a solution when upgrading is not immediately possible, remove ‘JndiLookup’ class from the classpath.
- Disable JNDI: Set the system property ‘log4j2.formatMsgNoLookups’ to ‘true’ to disable the vulnerable functionality.
