• Matthew Spencer - Tech Journalist

Three Log4j vulnerabilities revealed by Apache: Easiest data collection module exploitation

Recently three critical security vulnerabilities were found with CVE-2021-45105, CVE-2021-44228 and CVE-2021-45046 by Apache. In some non-default configurations, the Log4j 2.15.0 vulnerabilities shook the data world with standard patterns for loopholes.

The Apache Software Foundation (A.S.F.) revealed the third-party bug. Java-based Log4j session handling 2.0-alpha1 to 2.17 in Log4j. Honeypots containing JPCET/CCs have been observing many attack patterns. It targets the remote code execution process in Apache Log4j (CVE-2021-44228). It is a logging library used commonly in java-based systems.

Like the air we breathe and the water we drink, the log system is as standard as that. It is essential to log warnings, vulnerability, customer data in a shared plan for administrators to maintain and debug. Using the web-based template for Log4j in java-based systems is pretty straightforward, but the recently found vulnerability exposed weak patterns.

${jndi:<protocol>://<url>} is the attack payload discovered by Apache webserver experts. The basic attack patterns include sending a set of data inducing stings. It is sent to systems running the vulnerable Log4j2 setup. The JNDI lookup function lets Log4j access the URL with payload in the second step. If that were the end, we would have no issue as many attackers' target different points for attack. But the pointer gained an additional step by downloading the serialised Java code. The attacker can later use the code to do whatever he wishes.

Log4j is used in java-based programs and ported by C, C++, Ruby, Python, and C# developers. The log element allows to log code statements in a low-tech debugging method. Almost every large and medium applicant has their logging or tracing API. These APIs in modern times became Log4j, a viral logging method for Java. The Apache Software License allowed the package to become fully open-source, and the source is there for anyone to explore.

In the CLASSPATH, we add Log4j-version.jar and a manual to go with it. The package can directly import Log4j from org. Apache.log4j.Logger; and manually tweak to extract whatever data we need from it.

The 2.15.0 version was created to fix the CVE-2021-44228 (latest Log4j), but a remote code execution flaw was still present. If you're running a web server containing the Log4j logging process, chances are your data is vulnerable, and it's high time to take action.

Cybersecurity & Infrastructure Security Agency (CISA) published several reports centring Log4j vulnerability and way around for not falling victim to the exploit.

Suspected information is a security threat and vulnerability that can make agencies victims. CISA issued 'an emergency directive to the head of an agency to take any lawful action concerning the operation of the information systems.' It also includes a system used by another entity, collecting and processing information, transmitting or disseminating function under the information security threat 44 U.S.C § 3553 (h) (1)-(2). Homeland Security Act of 2002, Section 2205(3) amended against this type of threat.

Initially written by Ceki Gülcü as part of the Apache Logging Services is one of the most renowned projects by the Apace Software Foundation. Though it's a small part of the Java logging framework, the efficiency and ease of using the functionality of Log4j made it popular among coders worldwide.

Log4Shell (CVE-2021-44228) is now known as a zero-day vulnerability involving arbitrary code execution according to Log4Shell: R.C.E. 0-day exploit.

Apache Software Foundation described the matter with the following statement 'Apache Log4j versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.'

The logging process is crucial for developers as clients want the most efficient method of storing data without losing every storage for the simple task. The logging process by Apache is by far one of the simplest things to achieve, and the vulnerability discovered was an eye-opener. The latest version, 2.17.0 of Log4j, is known to fix the vulnerabilities, and you can easily find them on the Apache logging.