Dynatrace : What is Log4Shell? The Log4Shell vulnerability explained (and what to do about it)

Since December 10, days after a critical vulnerability known as Log4Shell was discovered in servers supporting the game Minecraft, millions of exploit attempts have been made of the Log4j 2 Java library, according to one team tracking the impact, with potential threat to millions more applications and devices across the globe.

In this article, we'll answer some of the most frequently asked questions about the Log4Shell vulnerability, and continue to add on as new questions come up.

What is Log4Shell?

Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of a device on the internet, if the device is running certain versions of Log4j 2.

Apache issued a patch for CVE-2021-44228, version 2.15, on December 6. However, this patch left part of the vulnerability unfixed, resulting in CVE-2021-45046 and another patch, version 2.16, released on December 13.

Attackers can exploit the vulnerability using text messages to control a computer remotely.
The Apache Software Foundation, which publishes the Log4j 2 library, gave the vulnerability a CVSS score of 10 out of 10, the highest-level severity score, because of its potential for widespread exploitation and the ease with which malicious attackers can exploit it. While mitigation evolves and the damage unfolds, the fundamentals of the Log4Shell vulnerability won't change.

When was the vulnerability in the Log4j 2 library discovered?

The vulnerability was first reported to the Apache Foundation (an open-source project) on November 24 by security researcher Chen Zhaojun of Alibaba, China's largest e-commerce company, after an attack was documented on December 9 and affected servers of the game Minecraft. Further forensic analysis revealed that cybercriminals discovered the gap earlier, and it has been exploited since at least December 1.

What's the risk from the Log4Shell vulnerability in the Log4j 2 library?

Log4Shell is considered a zero-day vulnerability because malicious actors likely knew about and exploited it before experts did.

What makes Log4Shell so dangerous is how ubiquitous the Log4j 2 library is. It's present in major platforms from Amazon Web Services to VMware, and services large and small. The web of dependencies among affected platforms and services means patching can be a complex and possibly time-consuming process.

The ease of exploiting the vulnerability compounds its impact. The Log4j 2 library controls how strings are logged. The vulnerability enables an attacker to gain control over a string and trick the application into requesting and executing malicious code under the attacker's control. Simply put, attackers can remotely take over any internet-connected device that uses certain versions of the Log4j library anywhere in the software stack.

What is Log4j 2, and what does it do?

As the most widely used logging framework on the internet, Apache Log4j 2 is integrated into myriad applications, used on major cloud services such as Apple, Google, Microsoft and Cloudflare, as well as platforms like Twitter and Stream.

It logs messages from software, and searches for errors afterwards. The amount of recordable data is broad, and ranges from basic user browser and web page information to detailed technical information about the system Log4j 2 is running on.

Not only can the Log4j 2 library create simple logs, it can also execute commands to generate advanced logging information. In doing so, it can also communicate with other sources, such as internal directory services.

How does the vulnerability Log4Shell cause damage?

Because the Log4j 2 library can communicate with other sources and internal directory services, attackers can easily feed Log4j 2 with malicious commands from the outside and make it download and execute dangerous code from malicious sources.

How Log4j 2 can be exploited depends on the specifics of the affected system. So far, the vast majority of malicious activity has been mass scanning to fingerprint vulnerable systems. Attackers have been exploiting the vulnerability to compromise virtualization infrastructure, install and execute ransomware, steal system credentials, take broad control of compromised networks, and exfiltrate data, according to a Microsoft report.

As reports continue to mount regarding the exploitability of Log4Shell, the possibilities for malicious activity seem exponential. Any code can be executed on the attacked system, for example, to access sensitive configuration data. In capturing this data, attackers could gain full control of a system - and all its data and applications. This is comparable to a burglar who has keys to the front door of a home and the combination to a safe inside.

How does Log4Shell affect consumers?

The Log4j 2 library is often used in many applications in the infrastructure environment of companies and organizations. In the consumer sector, Log4j 2 can also be found in network-enabled storage and smart home equipment, which users should disconnect from the Internet until updates are available.

Most reputable companies have placed a corresponding security message on their websites describing what they are doing about the Log4Shell vulnerability.

Consumers should install software updates provided by the vendors they use. They should also try to find out from the sites and services that have their personal data whether the organization is affected by the Log4Shell vulnerability and if so, what measures those organizations are taking to safeguard their information.

What should IT security teams do about the Log4Shell vulnerability?

Organizations that use Log4j 2 in their own applications and infrastructure should update them immediately. The same applies to third-party applications. The version 2.16.0 release fully secures the library against the Log4Shell vulnerability.

Because there are so many systems likely affected by Log4Shell and it's so easy to exploit, organizations must act swiftly to protect their interests and users. To quickly identify affected systems, organizations need a solution like Dynatrace Application Security that can immediately and automatically identify vulnerable systems and their dependencies, and help you prioritize the most critical systems to update first, especially on code running in production.

As Log4Shell continues to threaten companies' applications and sensitive data, Dynatrace Application Security enables organizations to gain real-time insight into which assets are affected by the vulnerability and which are highest priority, while also monitoring the whole multicloud environment. As a result, you can maintain real-time awareness of malicious activity in your environment as you work to address the impact of the Log4Shell vulnerability.

To learn more about how the Log4Shell vulnerability works and how to mitigate it, check out the following resources:

• Log4Shell vulnerability: Identifying and minimizing production risk

Also, check back on this FAQ blog for frequent updates.