Log4j Vulnerability, how to stay safe?
Apache Log4J
As the number of cybersecurity attacks increases every moment, we have to be aware of the new vulnerabilities that can affect us. On November 24, 2021, a zero-day vulnerability was discovered by Alibaba’s Cloud security team. This vulnerability is known by the names Log4J, Log4Shell or CVE-2021-44228. It is considered one of the most critical vulnerabilities discovered recently and has impacted many industries.
What is Log4J?
Log4J is an Apache logging utility used in enterprise Java software and, according to the UK’s NCSC, is included in Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift. The vulnerable versions are Apache Log4J 2 between versions 2.0-beta9 and 2.14.1, and Java 8.181.
What are the risks?
This vulnerability affects all devices that use Log4J and are exposed to the internet.
The Log4J library is used for logging error messages in applications. Developers use it to keep track of what their software applications are doing.
How does it work?
Attackers can exploit this vulnerability, which allows unauthenticated remote code execution.
In the first step, the attacker verifies whether the application uses a vulnerable version of Apache Log4J. In the second step, the adversary changes the user-agent in their browser to a string that will remain in the victim web server’s logs. This string can be used to pass encoded commands to the vulnerable machine.
How to patch this vulnerability?
As this vulnerability is so easy to exploit, it has to be fixed as soon as possible. “Prioritize patching, starting with mission-critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets” – CISA
We recommend that you change the Java version and also the version of Log4J. Upgrading to the newer versions will help you stay safe.
To secure your applications we recommend the following steps:
1. Update the Java SDK version to the latest, or at least to one of the following versions: 7.0.10.35, 7.1.4.35, or 8.0.5.25.
2. Make sure that <WAS_HOME>/systemApps/isclite.ear/kc.war/WEB-INF/lib/log4j*.jar is removed from any running system.
*After removing the files matching the path above, make sure you restart the application.
3. Set the Java virtual machine custom property log4j2.formatMsgNoLookups to the value true by adding the string -Dlog4j2.formatMsgNoLookups=true.
*After you change the custom JVM property, restart the application.
4. Also check whether “kc.war” is installed; if it is, you can uninstall it manually from the Admin Console.
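As an added example (not code from the original post or from Cyber Threat Defense), the following Python check inventories log4j*.jar files like the ones named in step 2 and flags any whose manifest version falls inside the range the post lists as vulnerable; the directory layout and the sample jars it builds are constructed for the demonstration.

```python
# Added check for step 1 of the post: flag log4j*.jar files whose manifest
# version lies in the range the post calls vulnerable (2.0-beta9 to 2.14.1).
import re
import tempfile
import zipfile
from pathlib import Path

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.I)

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 2, 0); '2.0-beta9' -> (2, 0, 0, 0, 9); None if unparsable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag, tagnum = m.groups()
    rank = {"beta": 0, "rc": 1}[tag.lower()] if tag else 2  # GA sorts above any pre-release
    return (int(major), int(minor), int(patch or 0), rank, int(tagnum or 0))

VULN_LOW, VULN_HIGH = parse_version("2.0-beta9"), parse_version("2.14.1")

def is_vulnerable(version_text):
    """True/False for a parsable version; None means unknown, review by hand."""
    v = parse_version(version_text) if version_text else None
    return None if v is None else VULN_LOW <= v <= VULN_HIGH

def jar_version(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF (None if missing)."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None

def scan(root):
    """Return [(path, version, vulnerable)] for every log4j*.jar under root."""
    return [(str(jar), ver, is_vulnerable(ver))
            for jar in sorted(Path(root).rglob("log4j*.jar")) for ver in [jar_version(jar)]]

def build_sample_tree():
    """Constructed sample data, not real jars: minimal jars holding only a manifest."""
    root = Path(tempfile.mkdtemp())
    for name, ver in (("lib/log4j-core-2.14.1.jar", "2.14.1"), ("app/log4j-core-2.17.1.jar", "2.17.1")):
        path = root / name
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
    return root
```

Run scan() against a real <WAS_HOME> or application directory; a None verdict means the jar carries no parsable version and should be checked manually.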
For further technical assistance and risk management do not hesitate to contact Cyber Threat Defense.