A penetration testing firm warned on July 7, 2023, about a new remote code execution vulnerability in Apache Log4j, a widely used logging library for Java applications. The vulnerability, dubbed Log4Shell, can be exploited by attackers to execute arbitrary code on vulnerable systems by sending specially crafted log messages. The vulnerability has been patched by Apache, but many organizations are still vulnerable due to the popularity and ubiquity of Log4j.
Log4Shell is a remote code execution vulnerability that affects Log4j versions 2.0-beta9 through 2.14.1. It stems from a Log4j feature called JNDI (Java Naming and Directory Interface) lookup, which allows log messages to contain references to external resources such as LDAP (Lightweight Directory Access Protocol) servers or RMI (Remote Method Invocation) registries. When Log4j encounters a JNDI lookup in a log message, it tries to resolve it by contacting the specified resource and executing the code that resource returns.
However, an attacker can abuse this feature by supplying log messages containing JNDI lookups that point to attacker-controlled resources. The vulnerability was discovered and reported by a penetration testing firm called CyberEvidence, which published a blog post on July 7, 2023, detailing the vulnerability and its impact.
CyberEvidence stated that the vulnerability is “extremely critical” and “affects millions of systems worldwide”. It urged organizations to patch their systems as soon as possible or to disable the JNDI lookup feature in Log4j, and recommended that organizations monitor their logs for any suspicious or malicious activity.
Apache released a security advisory on July 8, 2023, acknowledging the vulnerability and providing mitigation measures. Apache stated that the vulnerability was fixed in Log4j version 2.15.0, which was released on July 8, 2023. Apache also stated that users can disable the JNDI lookup feature by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the Log4j jar file.
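The three defender-side checks implied by the advisory above (affected version range, JndiLookup class present in the jar, lookups disabled via the system property) can be scripted. The following is an added example, not code from Apache or CyberEvidence; the in-memory "jar" it builds is a constructed stand-in, and the class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` and the `-D` JVM flag syntax are assumed from general Log4j/Java knowledge rather than taken from the text.

```python
"""Triage helpers for the Log4Shell mitigations described in the advisory."""
import io
import re
import zipfile

# Location of the lookup class inside log4j-core (assumed, standard layout).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(v: str) -> tuple:
    """Turn '2.0-beta9' or '2.14.1' into a comparable tuple.
    A final release sorts after any beta of the same number, so the
    pre-release slot holds a large sentinel when no '-betaN' suffix exists."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), int(beta) if beta else 10**6)


FIRST_VULNERABLE = parse_version("2.0-beta9")  # from the advisory
FIRST_FIXED = parse_version("2.15.0")          # from the advisory


def version_is_vulnerable(v: str) -> bool:
    """True for the affected range 2.0-beta9 .. 2.14.1 (i.e. below 2.15.0)."""
    return FIRST_VULNERABLE <= parse_version(v) < FIRST_FIXED


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if JndiLookup.class is still in the jar (class-removal NOT applied)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def lookups_disabled(jvm_args: str) -> bool:
    """True if the JVM command line sets log4j2.formatMsgNoLookups=true."""
    return "-Dlog4j2.formatMsgNoLookups=true" in jvm_args.split()


def build_fake_jar(include_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


def assess(version: str, jar_bytes: bytes, jvm_args: str) -> str:
    """Combine the three checks into one verdict for a deployed instance."""
    if not version_is_vulnerable(version):
        return "patched"
    if not jar_has_jndi_lookup(jar_bytes):
        return "mitigated: JndiLookup removed"
    if lookups_disabled(jvm_args):
        return "mitigated: lookups disabled"
    return "VULNERABLE"
```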
Log4Shell is a serious vulnerability that exposes many systems and applications to remote code execution attacks. It exploits a feature in Log4j that allows log messages to contain references to external resources. Sending specially crafted log messages can allow attackers to run arbitrary code on vulnerable systems.
Due to Log4j’s popularity and ubiquity, many organizations remain vulnerable despite the Apache patch. Organizations should therefore update Log4j, or disable its JNDI lookup feature, immediately.