Log4Shell Revisited: Costs and Fallout

log4shell exploit featured

Two years ago, we wrote about the emerging zero-day exploit Log4Shell and its impact on various systems. A new report from Skybox Security (covering vulnerability trends in 2023) calls this exploit the top vulnerability of the year. 

This article will revisit the Log4Shell exploit and how it has played out since our last coverage.

What Is Log4Shell?

Log4Shell is a remote code execution vulnerability. It allows an attacker to execute arbitrary code on a server or computer running an application that uses the Log4j library to log data. The vulnerability arises from Log4j’s handling of log messages containing JNDI lookups.

The exploit is triggered when a specially crafted string is logged using Log4j. When Log4j processes this string, it requests the specified LDAP server (in this case, controlled by the attacker). The attacker’s LDAP server refers to a malicious Java class file, which Log4j loads and executes.

This leads to executing the attacker’s code on the vulnerable server, allowing them to perform any action the compromised application can do.

 

A Timeline of Log4Shell

log4shell exploit

  • November 24, 2021: Alibaba Cloud’s security team reported the vulnerability privately to the Apache Software Foundation.
  • December 9, 2021: The Apache Software Foundation disclosed the vulnerability CVE-2021-44228 and released a patch in Log4j version 2.15.0. 
  • Early December 2021: Security researchers and threat actors began to exploit the vulnerability. Proof-of-concept code was shared widely, and scanning for vulnerable systems started.
  • December 10, 2021: Security firms observed mass scanning and exploitation attempts. Major platforms and services, including those by tech giants like Apple, Amazon, and Microsoft, were identified as potentially vulnerable.
  • December 11-12, 2021: Reports indicated that major cybercriminal groups and nation-state actors actively exploited the vulnerability. Security advisories and emergency patches were released by numerous vendors.
  • December 13, 2021: A new Log4j version (2.16.0) was released. This version removed support for message lookups and disabled JNDI by default, offering a more robust mitigation.

 

Log4Shell and Log4j2 Remote DoS Vulnerability

According to Skybox, this vulnerability became the most popular target for malware tracked in 2022 but remains a significant attack vector in 2023 (especially as recorded in the latter part of the year). This is partly due to several other vulnerabilities from the unpatched version (2.5) that required rolling patches to address. 

Adding to the pressure, another vulnerability in Log4j, the Apache Log4j2 Remote DoS vector (CVE-2021-45105), was found slightly after Log4Shell. This vulnerability flowed from a recursion handling error that allowed attackers to cause a stack overflow in the program and halt services. 

These combined vulnerabilities ranked #1 and #9 on Skybox’s top 10 vulnerabilities of the previous year. 

 

What Can You Do to Address These Potential Vulnerabilities?

Following the vulnerability and uptick in attacks, businesses and security professionals moved to close the security gap.

The Apache foundation (maintainer of Log4j) released a flurry of patches: 

  • Version 2.15.0: Initially released to address the Log4Shell vulnerability (CVE-2021-44228) by disabling JNDI lookups by default.
  • Version 2.16.0: Further mitigated the risk by removing support for message lookups and disabling JNDI by default.
  • Version 2.17.0: Addressed additional vulnerabilities (CVE-2021-45046 and CVE-2021-45105) and enhanced security measures to prevent recursion and stack overflow.

The Foundation also issued detailed security advisories and guidelines to inform users about the vulnerabilities and recommended mitigations.

Most major technology organizations and utility users rapidly applied patches and updated Log4j2 to the latest versions as recommended by the Apache Foundation. Many organizations quickly implemented automated patch management systems to ensure timely updates.

Cybersecurity vendors and researchers provided threat intelligence and shared Indicators of Compromise (IOCs) to help detect exploitation attempts. Enhanced monitoring and detection capabilities were implemented to identify and respond to suspicious activities related to Log4j2 exploitation.

The challenge with such threats relies on the fact that individual organizations need to understand the threat, know how to get the patches, and have patch and configuration management policies in place to quickly handle the situation (along with any subsequent 

 

Manage Patches, Updates, and Configuration with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including support for all certifications (along with our sister company and assessors, Lazarus Alliance). 

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.

Continuum GRC

Website: