What is Apache Log4j?
Apache Log4j is a Java library that specializes in logging.
It is used for logging error messages in applications. It is used in enterprise software applications, including those custom applications.
The output from Log4j can go to the console window, an email server, a database table, a log file, or various other destinations.
The great benefit of Log4j is that different levels of logging can be set. The levels are hierarchical and are as follows: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL.
What is Log4j Vulnerability?
A researcher from the Alibaba Cloud Security Team dropped a 0-day remote code execution exploit, targeting the extremely popular log4j logging framework for Java, On December 9, 2021.
The vulnerability was originally discovered and reported to Apache by the Alibaba cloud security team on November 24th.
MITRE assigned CVE-2021-44228 to this vulnerability, which has since been dubbed Log4Shell by security researchers.
The vulnerability received 10.0, the highest CVSS score. The vulnerability exposes an opportunity for an attacker to execute code on the Java server if it uses log4j.
The JNDI (JAVA Naming and Directory Interface) features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. It would allow the attacker to gain full control over the server that runs the Java application.
How to check log4j in Linux servers?
By using the below Commands on respective Linux Servers (Debian or Ubuntu or Centos), We can check the log4j is installed or not.
# dpkg -l | grep log4j
# which java
# rpm -qa *log4j*
# yum list installed | grep log4j
# find /var/ -name *log4j*
# find /etc/ -name *log4j*
# find /usr/ -name *log4j*
# find /opt/ -name *log4j*
Also, we can check using the below bash script:
What to do If java is not installed on the server:
Notices, Updates, or Patches:
Amazon has updated several of its products to use a non-vulnerable version of the Log4j component and announced that it is either in the process of updating others or will release new versions shortly.
The company has published details specific for affected services, among them, being OpenSearch, AWS Glue, S3, CloudFront, AWS Greengrass, and API Gateway.
A forum thread shows that only instances where the cPanel Solr plugin is present are affected and could be exploited, but only locally.
A staff member provided additional peace of mind announcing that an update with mitigation for Log4Shell is available to the cpanel-dovecot-solr package.
A dozen Docker Official images have been found to use a vulnerable version of the Log4j library. The list includes couchbase, elasticsearch, logstash, sonarqube, and solr.
Docker says that it is “in the process of updating Log4j 2 in these images to the latest version available” and that the images may not be vulnerable for other reasons.
Only MongoDB Atlas Search needed to be patched against Log4Shell, the company notes in an advisory updated today
The developer adds that it found no evidence of exploitation or indicators of compromise before deploying the patch.
Components in multiple Red Hat products are affected by Log4Shell, the organization disclosed on Friday, strongly recommending customers to apply the updates as soon as they become available.
Among the products listed in the advisory are Red Hat OpenShift 4 and 3.11, OpenShift Logging, OpenStack Platform 13, CodeReady Studio 12, Data Grid 8, and Red Hat Fuse 7.
Core Splunk Enterprise is not affected unless Data Fabric Search is used. The company published a table with the versions of its products affected by Log4Shell both in the cloud and on-premise.
The company has released fixes for some products and is currently working on rolling updates for at least seven of its products.
VMware has fixed several of its products vulnerable to Log4Shell attacks and is currently working to roll out patches for another 27 products.
In an advisory last updated today, the company lists nearly 40 of its products as impacted by the critical vulnerability. Many of them show a “Patch Pending” and mitigations are available in some cases.
The Log4j package has been patched upstream, reads the security advisory, and the update now has to trickle to Ubuntu 18.04 LTS (Bionic Beaver), 20.04 LTS (Focal Fossa), 21.04 (Hirsute Hippo), and 21.10 (Impish Indri).
How to resolve this issue:
The confirmed affected versions of Log4j are 2.0-beta-9 to 2.15 for RCE and it is recommended to upgrade 2.16.
At the time of writing, Log4j 2.16 is vulnerable to Denial of Service. So Upgrading the version to Apache Log4j 2.17.
For More Info: https://logging.apache.org/log4j/2.x/security.html