Log4Shell: The Log4j vulnerability explained
Log4Shell is a software vulnerability in Log4j, a Java-based logging utility. This security flaw allows cybercriminals to compromise systems by injecting malicious code, threatening millions of applications and devices across the globe. If you’re using Log4j, you should know what Log4Shell is and how to protect yourself.
Table of Contents
Table of Contents
What is Log4j?
Log4j, created by the Apache Software Foundation, is a widely used open-source Java-based logging framework. Part of the Apache Logging Services project, Log4j provides a way for Java applications to record and log messages and other information. By tracking application activities and sending diagnostic messages, Log4j helps IT administrators and developers monitor and debug software programs and online services.
Larger developer teams that build software programs often use pre-existing components instead of writing every piece of code from scratch. These components, known as software libraries, are the building blocks of modern software. By using these libraries, developers can quickly integrate functionalities without reinventing the wheel. Log4j is just that — a software library that records system and application activities.
How does Log4j work?
Log4j works by allowing developers to insert logging statements into their Java code. These statements record events as the application runs, capturing various types of information, such as errors, warnings, or system behavior. This way, Log4j helps developers monitor the application’s performance and troubleshoot issues.
For example, if you try to access a certain server with the wrong credentials and receive a 401 error message (indicating unauthorized access), the server records this event using Log4j. Log4j then processes these logging statements and directs the output to different destinations like a file, a console, or even a remote server, depending on its configuration. By reviewing the logs, system administrators can see that an unauthorized login attempt was made and investigate the situation.
What kind of damage can Log4Shell do?
Log4Shell, identified as CVE-2021-44228, is a software vulnerability that allows hackers to perform remote code execution by exploiting how Log4j handles certain log messages. If an attacker convinces the application to log a string containing malicious code, Log4j will fetch and execute this remote code from an external server, potentially giving the attacker control over the affected system.
At the time of discovery, Log4Shell was classified as a zero-day vulnerability, which implies that threat actors may have known about it before it was found. However, it’s still unclear whether hackers managed to exploit Log4Shell before cybersecurity experts made the discovery public.
The Log4Shell vulnerability can give hackers the ability to insert malicious code into a system. Once they gain access, they can steal sensitive data, such as personal information or financial details, which can lead to identity theft or financial loss.
Hackers can also spread malware, including ransomware, which can encrypt files and demand payment for their release, or deploy cryptojackers that secretly mine cryptocurrency using the system’s resources.
In severe cases, attackers can take full control of the target system or application. For example, critical infrastructure, financial institutions, or healthcare systems using Log4j could face severe operational disruptions and client data breaches if targeted by Log4Shell.
Examples of Log4Shell attacks
Hackers, including nation-state activity groups from China, Iran, North Korea, and Türkiye have been using Log4Shell in various malicious activities since its discovery on December 9, 2021. Log4Shell is particularly dangerous because it is easy to exploit and affects many systems that use Log4j. Once an attacker gains control, they can do anything from stealing data to installing malware or taking over the entire system.
For instance, the Khonsari ransomware strain capitalized on the Log4Shell vulnerability in December 2021, spreading through the popular video game Minecraft. Meanwhile, in January 2022, the NightSky ransomware targeted systems running VMware Horizon, exploiting the flaw to gain unauthorized access and encrypt files.
Hackers groups have also attempted to exploit the Log4Shell vulnerability in Windows and Linux systems, which may eventually increase the number of ransomware attacks on their users.
In the early days of the Log4Shell vulnerability, many attacks involved cryptojacking — the use of malware designed to secretly use a device’s resources to mine cryptocurrency without the owner’s knowledge or consent. Additionally, in December 2021, the notorious Mirai botnet exploited Log4Shell to take control of vulnerable devices, adding them to its network of compromised machines.
Access brokers also use Log4Shell to gain a foothold in high-value corporate networks. These attackers often deploy remote access trojans (RATs) on compromised systems, allowing them to maintain persistent access. They then sell these footholds to ransomware-as-a-service affiliates or other hackers on the dark web, enabling further malicious activities.
How common are software vulnerabilities?
In 2023 alone, the US government’s National Vulnerability Database (NVD) published over 30,000 new vulnerabilities and continues to identify an average of around 600 new vulnerabilities each week. This represents a 17% year-over-year increase in the number of vulnerabilities recorded since 2022.
Since the establishment of NVD, it has cataloged more than 259,000 software vulnerabilities as of 2024, with about half of those discovered in just the past five years.
How to protect yourself from Log4Shell
When trying to protect yourself from vulnerabilities like Log4Shell, you shouldn’t underestimate the importance of updating your software — it’s a crucial step in preventing many types of cyberattacks. Here’s what else you can do to fend off cybercriminals who use Log4Shell to their advantage:
- Update the Log4j library. Make sure you are using the latest version of the Log4j library, which includes patches that address the Log4Shell vulnerability.
- Disable JNDI lookup. Disable the Java Naming and Directory Interface (JNDI) lookup feature in Log4j, which is the core of the Log4Shell vulnerability.
- Change the Java system properties. Configure Java system properties to disable problematic functionalities in older versions of Log4j.
- Use vulnerability scanners. Use tools like the UpGuard Log4j Vulnerability Scanner or the Huntress Log4Shell Vulnerability Tester to detect if your systems are exposed to the Log4Shell vulnerability.
- Update firewalls and IPS. Make sure all firewalls and intrusion prevention systems (IPS) are up to date so they can recognize and block exploit attempts related to Log4Shell.
- Implement multi-factor authentication (MFA). Add an extra layer of security to your systems by implementing MFA. This means that even if attackers try to exploit the Log4Shell vulnerability to gain access, they will still need to pass additional authentication steps, such as entering a code sent to your phone, making it much harder for them to succeed.
- Send security questionnaires to vendors. Distribute the Apache Log4j Questionnaire to your vendors to confirm they have secured their systems against Log4Shell.
- Regularly monitor and audit systems. Continuously monitor your systems for any suspicious activity and conduct regular security audits to ensure all defenses are in place.
It’s also important to pay close attention to any suspicious activity on your network so you can effectively mitigate any cybersecurity threat.
Want to read more like this?
Get the latest news and tips from NordVPN.