A critical exploit in a widespread Java library has been found, disrupting much of the internet as server administrators scramble to fix it. The vulnerable component, log4j, is used everywhere as an included library, so you will need to check your servers and make sure they are updated.
How does this exploit work?
When it comes to exploits, the log4j vulnerability is by far one of the worst in recent years, scoring a rare 10/10 on the CVSS scale, and it will haunt the entire internet for many years to come.
The worst part is that log4j is not an app; it is an open source library used by many other apps. You may not have installed it directly; it can be included in other .jar files, or installed by other applications as a dependency.
Essentially, it allows attackers to send text to your application, and if that text gets logged somewhere (for example, a web server logging a user-controlled User-Agent string), your server will execute malicious code. The format of the text looks like the following example: an extremely simple string containing a link to a remote address.
The vulnerable component in log4j is the Java Naming and Directory Interface (JNDI), which allows the logging infrastructure to perform remote lookups. Except that it also deserializes the file served at that endpoint and is able to load .class files containing remote code, which is bad.
Am I vulnerable?
The exploit was quickly fixed in the latest version of log4j, 2.16.0, but the problem isn't how to fix it, it's where you need to fix it. Because log4j is a bundled dependency, it may be non-trivial to find the specific version of it on your system. And, since Java is so popular, there are many third-party tools and components that can use it, so you can't even be sure whether you are running Java software on your machines.
Even if you think you are not vulnerable, you probably still need to check. This exploit affects so many systems that there's a good chance you're running log4j or Java without realizing it.
Fortunately, JDK versions greater than 11.0.1 are unaffected by the main attack vector (using LDAP), which is currently the most exploited. You still need to patch, as the vulnerability can also be easily exploited through other attack vectors. Also, just making a request to an endpoint can reveal data about machines on your network, which is not a good thing either.
This exploit highlights why it's important to keep a Software Bill of Materials (SBOM), essentially a list of all the software on your systems, where it came from, and what it's made of. In the future, this knowledge can help you quickly remediate attacks like this.
Right now, you're probably just concerned about updating your network. To do this, you will need to scan your systems to find the log4j versions used by your software and list all vulnerable components.
Scanning your system
Many people have already created scripts to automatically scan systems for vulnerable installations, like this one written in Python, and this one from security company LunaSec. One of the easiest to use is this simple bash script, which can scan your packages and identify log4j versions, and can also tell you whether your system is even using Java in the first place. In most cases, you will want to run multiple scans with different scripts, as there is no guarantee that any one of them is 100% effective in identifying every vulnerable system.
You can download it and run it with a few commands. It needs to be run as root to scan your entire system, so of course be careful with scripts from the internet that you run with root privileges. This, too, is arbitrary code execution.
wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q
chmod +x log4j_checker_beta.sh
sudo ./log4j_checker_beta.sh
The results of this script highlight exactly what makes this log4j vulnerability so terrible: running it on my personal server revealed that I was vulnerable to the exploit a few days after day zero, even though I thought Java was not installed on this machine because I don't run any of my own Java software.
Elasticsearch is running in the background on this machine, and it is written in Java. I didn't have to install Java manually to install Elasticsearch; it includes a bundled version of OpenJDK. It also includes log4j in this installation, and that copy is vulnerable to the exploit.
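Bundled copies like the Elasticsearch one above are exactly what a version scan has to catch. As an added example (not the article's linked script or any project's code), this Python walks a directory tree, opens every .jar/.war/.ear, recurses into archives nested inside them, reads the log4j-core version from its Maven pom.properties and flags anything older than 2.16.0; the tree it scans in demo() is constructed stand-in data, not real log4j.

```python
import io, tempfile, zipfile
from pathlib import Path

FIXED = (2, 16, 0)  # release the article names as resolving the issue
ARCHIVE_SUFFIXES = {".jar", ".war", ".ear"}
# Maven metadata shipped inside log4j-core; its "version=" line is what we read
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-rc1' is dropped."""
    return tuple(int(p) for p in text.strip().split("-")[0].split(".")[:3])
def scan_archive(data, label):
    """Yield (label, version) per log4j-core found, recursing into nested jars/wars."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # not a zip archive despite its suffix; skip instead of crashing
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    yield label, parse_version(line.split("=", 1)[1])
        for name in zf.namelist():  # bundled copies hide inside other archives
            if Path(name).suffix.lower() in ARCHIVE_SUFFIXES:
                yield from scan_archive(zf.read(name), f"{label}!/{name}")
def find_vulnerable_log4j(root):
    """Walk root; return sorted [(location, 'x.y.z')] for log4j-core older than FIXED."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            for label, version in scan_archive(path.read_bytes(), str(path)):
                if version < FIXED:
                    hits.append((label, ".".join(map(str, version))))
    return sorted(hits)
def build_sample_tree(root):
    """Write CONSTRUCTED stand-in archives (not real log4j): old, fixed, and bundled-old."""
    def jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\n")
        return buf.getvalue()
    (Path(root) / "log4j-core-2.14.1.jar").write_bytes(jar("2.14.1"))
    (Path(root) / "log4j-core-2.16.0.jar").write_bytes(jar("2.16.0"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:  # a war bundling its own old log4j-core
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", jar("2.11.2"))
    (Path(root) / "app.war").write_bytes(war.getvalue())
def demo():
    """Scan the constructed tree in a temp dir; paths are rebased to '<root>'."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(loc.replace(tmp, "<root>"), v) for loc, v in find_vulnerable_log4j(tmp)]
```

Point find_vulnerable_log4j() at / (as root) to sweep a whole host; the fixed 2.16.0 copy is correctly left out of the results while the copy buried in app.war is reported with its nested path.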
The fix, for Elasticsearch at least, is to update all packages and follow their mitigation guide. This will most likely be the case with any software you are running; you will need to update log4j directly, update the software that bundles it, or fix it with the mitigation best practices used by others.
If you cannot fix the jar file for some reason, you can use this JVM flag to alleviate the problem, which simply tells log4j never to perform lookups when formatting messages. This is not recommended, however, and you should try to get log4j 2.16.0 installed wherever you can to fully resolve the issue.