The Log4Shell vulnerability is a software weakness in the Log4Shell Java Library. It was initially discovered in November 2021 by a Chinese security researcher working for Alibaba, Chen Zhaojun. The vulnerability threat level is deemed severe, with industry experts describing it as a worst-case scenario.
What is Log4Shell?
Log4Shell is an exploitable flaw discovered within the popular Apache Log4j 2 library. The library is for applications to log error messages. Due to the flaw’s severity, a Common Vulnerability Scoring System (CVSS Score) of 10.0 and published as vulnerability CVE-2021-44228.
Remote attackers could conduct a hostile takeover of any connected device by exploiting the flaw. Naturally, this required the device to be running specific versions of Log4j 2.
Current Status of the Log4Shell Vulnerability
Due to the severity of the flaw, Apache corrected it rapidly. However, patch 2.15 saw partial success, and Apache released a subsequent version, 2.16, in December 2021. Other patches were also released to address other vulnerabilities associated with Log4Shell.
Unfortunately, patching only works if users worldwide keep their applications and libraries updated. Given that Log4Shell is still relatively recent, the potential for exploitation remains high globally.
Staying Safe from Log4Shell
Systems administrators should immediately mitigate potential exploits from the Log4Shell vulnerability. The mitigation playlist isn’t too different compared to other exploits. If you aren’t sure, follow these steps:
Step 1. Check Your Exposure
Refer to the Github list to see if you’re using a product vulnerable to the Log4Shell vulnerability. The list is constantly updated so you may discover new items at any time.
Step 2. Patching
Immediately patch your application or apply one of the mitigation steps listed on the Github repository listed above. Do not ignore backend systems as not only front line applications are at threat.
Step 3. Isolation
For systems that cannot be patched for some reason (or if mitigation steps don’t apply) then isolate the device immediately. Disallow any Internet connections, even if you have to manually unplug the machine from networks.
Step 4. Configuration
Block all Indicators of Compromise (IOCs) and quickly implement detection rules by configuring your Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM). Be aware that detection rules can still by bypassed, so various configurations might need periodical updates.
Step 5. Response
If you believe a server compromise is in effect, follow standard security measures. These should include a combination of response measures along with appropriate forensics and investigation.
Final Thoughts on Log4Shell
Like any other vulnerability, the key to staying safe is proper management. Be it in mitigation or resolution, proper processes will help ensure the safety of your ecosystem and prevent bad situations from getting worse. However, remember that patching is key. Prevention is always better than cure.