A newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j is easy to exploit and enables attackers to gain full control of affected servers. We spoke to Erka Koivunen, CISO at F-Secure, to see how people can protect themselves.
What is the Log4j vulnerability?
It is a vulnerability in the widely used Log4j tool. This is used by many software vendors and service providers globally as a standardised way of creating log files within the software.
The vulnerability allows an attacker to cause the target system to fetch and execute code from a remote location controlled by the attacker. The second stage – what the downloaded malicious code does next – is fully up to the attacker. The vulnerability can also be exploited to exfiltrate certain information such as environmental variables from the target system.
The original intention of the Log4j tool was to dutifully watch the event flow and write down log files. That should have been the end of the story. It should not meddle with the data, trigger any actions or download remotely connectable shells that would give a remote attacker a command line to the server. But in 2013, someone decided that the tool should be augmented.
What devices and applications are at risk?
It is probably easier to find an app that doesn’t use the Log4j tool than find one that does. This omnipresence means attackers can search for vulnerabilities almost anywhere. End-users have no way to tell if an app or a service they use is using Log4j somewhere, as part of the data flow and execution chain. The effects may manifest deep in the service provider’s infrastructure in ways that are not always apparent nor easy to predict.
Everybody around the world using the software immediately became affected by this malicious code when the cat was let out of the bag last week, and how to exploit this vulnerability became public knowledge. All internet-facing services and all those collecting telemetry became affected, but the activation of this vulnerability doesn’t happen on the front-end services you interact with. The poison goes down the plumbing deep inside the Service Provider’s backend where it starts to detonate and infect.
It is worth noting that there is not a single valid use-case for the vulnerable lookup function that the attackers are now salivating on. It is like an appendix in a human (or an animal) body; we all have one but would actually be better off without.
How can you protect yourself from it?
The strange thing about the vulnerability is that it’s hard to find, but easy to fix.
F-Secure has created a deployable security patch for this vulnerability for F-Secure products, but for SaaS components it is the service provider whose job it is to fix and deploy the patch. However, some users may have set the system so that they apply the patches manually. But there are a huge number of other items to be concerned about.
An up-to-date and complete SBOM (for software companies) and CMDB (for IT management) would go a long way in identifying which systems to focus attention on. It is notoriously difficult to find out how various functionalities in software have been implemented.
Logfiles may help in detecting an attack. A successful and carefully executed exploitation of the vulnerability may be remarkably nondescript. So, it is recommended to a) Look for signs of IoCs available in public, but also focus on b) missing logs (are there unexplained gaps in a timeline) or c) entries that stand out as unusual. C will be the hardest to notice unless you already have a solid habit of analysing the logs and know what normal looks like.
Organisations must take the following steps to help protect themselves from the vulnerability:
- Restrict outbound network access from affected systems where the Log4j component is present or limit it to trusted sites. If your system cannot connect to the Internet to fetch the malicious code, the attack will fail.
- Disable the vulnerable lookup functionality.
- Check regularly with vendors to see if there is information on patches and other mitigations related to vulnerabilities.
- Check your systems daily for updates and apply any available as soon as possible.
- Subscribe to reputable Security Bulletins.
