This post is a quick summary of the Log4J security issues happening in December 2021. It includes a summary, a video, a PDF of the slides we presented and extensive references.
The TL;DR is: update Log4J to 2.16.0 and keep watching for subsequent updates.
Log4J is a widely used Java library.
It has a problem where, if it is asked to log a malicious string, it will allow an attacker to run their own code on the targeted server. Depending on the application, this can happen in both authenticated (where we know the user) and unauthenticated (anonymous) cases.
This issue is being actively probed and attacked.
The simplest fix is to patch. I expect further developments, so I recommend watching for additional updates.
Log4J is a logging library that is used in a wide array of applications. I probably used it in over half of the projects I’ve worked on in my career.
It is very normal for a developer to want to log something that a user enters. For example:
```java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

String user = getCurrentUser();
String document = request.getParameter("Document");  // attacker-controlled request input
Logger logger = LogManager.getLogger(Thing.class.getName());
// Vulnerable versions evaluate lookups embedded in the values substituted here.
logger.debug("User {} requested document: {}", user, document);
```
That log statement, where the user and document values get put into the message, is where the problem occurs. One clear difficulty is that these statements are basically everywhere in code, so it would be nearly impossible to audit all of them.
The fix is basically to use a version of Log4J that no longer performs the lookup on the malicious string by default. Alternatives are to configure an older version to disable that feature or, in extreme cases, to remove the offending class from the log4j library.
There are a variety of ways to scan for the issue and to identify log4j library versions locally. Even a simple approach of looking at dependencies could help.
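As an added example (not the post's own code), here is a small Python check of the kind the paragraph above describes: it reads the manifest of a log4j-core JAR, compares the version with the 2.16.0 the post recommends, and reports whether the lookup class the post calls "the offending class" (JndiLookup) is still inside. It builds constructed fake JARs in memory so it runs offline, and it assumes the manifest attributes Log4J's published builds write (Bundle-SymbolicName, Implementation-Version).

```python
"""Local version check for log4j-core JARs (constructed example for this post)."""
import io
import zipfile

FIXED_VERSION = (2, 16, 0)  # the post's TL;DR: update to 2.16.0
LOG4J_CORE_BUNDLE = "org.apache.logging.log4j.core"  # Bundle-SymbolicName of log4j-core
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); drop suffixes such as '-rc1'."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))


def read_manifest(zf):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict."""
    attrs, last = {}, None
    with zf.open("META-INF/MANIFEST.MF") as fh:
        for line in fh.read().decode("utf-8").splitlines():
            if not line.strip():
                break  # blank line ends the main section
            if line.startswith(" ") and last:  # wrapped continuation line
                attrs[last] += line[1:]
                continue
            last, _, value = line.partition(": ")
            attrs[last] = value
    return attrs


def scan_jar_bytes(data):
    """Assess one JAR: is it log4j-core, what version, does it need updating,
    and does it still ship the JndiLookup class?"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        attrs = read_manifest(zf)
        names = set(zf.namelist())
    if attrs.get("Bundle-SymbolicName") != LOG4J_CORE_BUNDLE:
        return {"log4j_core": False}
    version = parse_version(attrs["Implementation-Version"])
    return {"log4j_core": True, "version": version,
            "needs_update": version < FIXED_VERSION,
            "jndi_lookup_present": JNDI_LOOKUP_CLASS in names}


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed fixture: a minimal in-memory JAR shaped like log4j-core."""
    manifest = ("Manifest-Version: 1.0\n"
                f"Bundle-SymbolicName: {LOG4J_CORE_BUNDLE}\n"
                f"Implementation-Version: {version}\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

To run it against real files, pass `open(path, "rb").read()` to `scan_jar_bytes`; a result with `needs_update` true or `jndi_lookup_present` true is a JAR to deal with.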
The vulnerability was disclosed to the Apache Log4J security team 11/24.
It was released to the public 12/10.
Patches 2.15.0 and 2.16.0 have been released since then.
I would look in log files from November forward for malicious activity as soon as possible.
I put together this 17-minute video overview that covers:
If you want to read and navigate yourself, the slides are here.
We looked at a lot of sources as we navigated this issue. Here are some that we thought were helpful: