What is Log4j?
Log4j is a Java logging utility which is a project of the Apache Software Foundation.
Where is Log4j used?
Log4j is very ubiquitous within the Java ecosystem. If you are running a Java-based application, chances are your app will be utilising Log4j at some level.
What is the flaw?
Recently, a researcher from the Alibaba Cloud Security Team discovered a remote code execution (RCE) vulnerability in the popular Java logging framework Log4j.
The vulnerability is exploited by leveraging a Log4j feature called “Message Lookup Substitution”, which enables an attacker to have external Java code fetched and executed.
Is it that bad?
The Log4j flaw is very serious: it is rated 10/10 on the CVSS scale. It can give attackers total control of your server and allow them to steal your confidential data.
Am I affected by the Log4j flaw?
Anyone running Java applications that include the vulnerable Log4j library is affected. In some instances, even if your own application code does not include Log4j, the app may be running on servers that do.
On GitHub, a list of impacted companies included Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Google, Webex, LinkedIn, etc.
According to LunaSec, many services are vulnerable to the Log4Shell exploit, including the gaming service Steam, Apple’s iCloud and Microsoft’s Minecraft.
What’s the solution?
According to our investigation, this vulnerability can be mitigated by 2 configuration changes, as follows:
- Upgrade Log4j to version 2.17.0.
- Ensure applications are running on the latest release of the Java runtime.
Our team is currently auditing all of our solutions for this vulnerability utilising scanning tools, and working with clients to update their software. Applications have been patched, and we continue to evaluate the situation and will apply future patches and mitigations as required.
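As an added illustration, not part of the original advisory and not the vendor's own scanning tooling, here is a small Python scanner that checks JAR/WAR/EAR files, including jars nested inside a WAR, for a bundled log4j-core below 2.17.0, the version recommended above. The pom.properties and JndiLookup.class paths are the ones a Maven-built log4j-core ships with; the sample archives are constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

FIXED_VERSION = (2, 17, 0)  # the version the advisory above says to upgrade to
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing or unparsable components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def scan_archive(data, name="<archive>"):
    """Return (location, version, verdict) tuples for one archive, descending
    into nested jars (fat jars, WEB-INF/lib) so a WAR bundling log4j-core is caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            match = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = match.group(1).strip() if match else ""
            if parse_version(version) < FIXED_VERSION:
                findings.append((name, version or "unknown", "log4j-core below 2.17.0: upgrade"))
        elif JNDI_CLASS in names:
            # Shaded or repackaged build with no pom.properties: version unreadable, flag for review
            findings.append((name, "unknown", "JndiLookup.class present, version unknown: review"))
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(inner), f"{name}!{inner}"))
    return findings

def make_sample_archive(version=None, nested=None):
    """Constructed stand-in for a real jar/war: just the two marker entries, plus an optional nested jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            zf.writestr(JNDI_CLASS, b"")
        if nested is not None:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()

if __name__ == "__main__":
    war = make_sample_archive(nested=make_sample_archive("2.14.1"))  # vulnerable jar buried in a WAR
    for finding in scan_archive(war, "app.war") + scan_archive(make_sample_archive("2.17.0"), "ok.jar"):
        print(*finding)
```

To use it on a real deployment, feed `scan_archive` the bytes of each archive under the application server's deploy directory; a finding with version "unknown" means a shaded build that needs a manual look.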
If you are concerned about your solution or would like some advice around this issue, please contact us.
For further details on the Log4j flaw, please refer to the statement on the Australian Cyber Security Centre website.