Hey there everyone, your friendly neighborhood tech pede here. Not sure how much attention people here pay to tech news but over the past two days there has been a bit of info that's been trickling into even some mainstream news sites about a recently discovered vulnerability called Log4Shell. These sites have been saying how this vulnerability has the potential to be pretty bad. As a guy that's worked in tech for pretty much all my life, let me rephrase that for them. This vulnerability has the potential to be catastrophic.
I work in the civ, non-gov't sector and I have more NDAs signed than I can count so I can't go into specifics of clients or ongoing cases that we're involved in. But we see cases come in where massive companies get their data stolen and ransomed for millions and no one at my work really thinks twice about it because we work with this stuff every day. But this one has us all worried.
What is this vulnerability?
There's a couple of jargon-filled writeups here:
But long story short, in order for a website or service to be accessible via the Internet, it needs a web server in place. The most widely used one of these is a web server called Apache that's been around for about 25 years. Every web server (and really any application on a computer) keeps a log of everything that it does in order to track errors, see unauthorized access, that kind of thing. This exploit specifically targets this built-in logging feature in Apache in order to gain full access to the web server and drop pretty much anything it wants on it.
So how bad is it?
Bad. Really, really bad. Bad enough that as soon as it was released, it immediately hit the ceiling as a 10.0 out of 10.0 on the CVE index and that was only because the index didn't go higher. For reference, the HAFNIUM exploits from this past February/March that caused hundreds of thousands of mail servers across the globe to have their data stolen and their systems crashed didn't even reach that mark, with most of the affected CVEs for that exploit coming in at 7.8.
Unlike the HAFNIUM exploit, this vulnerability appears to have the potential to be a C2C (computer to computer) worm, which means that once it's infected a web server it can spread uncontrolled to basically any device connected to that web server.
So it only affects these web servers, right?
Not necessarily. Evidence is still coming out but it appears as though this may be able to spread to any device that communicates with an Apache-based web server. The biggest example right now is Minecraft, which released a zero-day patch just yesterday to help protect against this. Basically if you don't have that patch then if you connect to a multiplayer server then you're vulnerable.
But it's not just services like Minecraft. A lot of applications also have what's referred to as integrated web servers, which is where the Apache web server does not exist independently of the application. If it were to be independent, then you could just patch the web server and call it a day. But if it's integrated you need to re-code portions of the ENTIRE application in order to get it updated to protect against this. There's not enough manpower in the world to do this.
Look at the numbers of just websites running Apache alone. There are over 1.7 billion websites in the world and about 32% are known to run Apache. The actual number is most certainly higher. Even in a best-case scenario, we're looking at over 500 million websites that are affected by this.
But again, it's not just websites, it's services as well...especially services that run on Java. You know that fancy satellite radio in your car? That runs on Java and reports to a web server. You know that new TV you got on Black Friday? Yep, that runs Java and reports to a web server. That fancy new smart plug that lets you turn lights on and off from your phone? Take a guess.
Seeing why we're worried?
Well, crap.
Don't worry, it gets worse! So far there has been a list of about 150 international backbone companies that have been seen to be affected by this. These companies range over everything from home devices to antivirus and backup software. Some companies such as Kronos (UKG) have already had their services nuked...whether it's by this vulnerability or not isn't known yet. But Kronos is saying that it will be "several weeks" before things are back functioning again.
https://www.theregister.com/2021/12/13/ultimate_kronos_group_ransomware_attack/
So once this hits a server, it hits FAST and it hits HARD and it goes DOWN.
So these attacks are already happening?
They haven't even really started, that's the fun part. There has been some evidence that these have been circulating to some extent in the wild but there hasn't been a mass-scale attack like we've usually seen. Current insiders are estimating that a worm that can fully take advantage of this C2C spread will be completed and deployed within 24-48 hours:
https://nitter.net/Laughing_Mantis/status/1470165580736987137
So what should I do?
If you're in tech, get your Apache web servers updated immediately. Get off this site and just do it. If you have kids that are running a Minecraft server (hell, just even playing Minecraft on PC in general) then make sure it's updated. Microsoft has more info here:
https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
If you're just a regular tech user then make sure you have a few good, long books just in case things go FUBAR. And strap the fuck in.
The vulnerability is in log4j, not the apache web server. This is a completely separate project also developed by the Apache foundation. It is a Java logging library, and is not used in the apache web server, which is written in C.
It's still a big deal and log4j is very widely used, but to say the web server itself is vulnerable is not true.
From what I could tell it wasn't a web server thing unless the project included log4j. So it may or may not be used based on what modules are on or plug-ins enabled. I think Minecraft does have it for sure but I'm optimistic about Apache.
It's the message lookup feature in log4j that is the culprit. It's the built-in JndiLookup plugin, which is enabled by default. The message lookup was a bad idea that has other issues besides the one reported. 2.15.0 updates the configuration to disable all message lookups (which is what it should have been). Many companies don't keep up with JDK updates (which disabled this from working a while ago, as it relied on the ability to execute remote code over LDAP/RMI).
And those talking down about this have no idea how many mega-corp level services/site are vulnerable. It may not be in apache itself, but it's in one of the most common packages used with said server.
Apache HTTP server and log4j do not mix at all. log4j is used with Java-based web application servers (e.g. Tomcat, Jetty, WebLogic, etc.). Apache is an open source organization that contributes to C, C++, and Java-based projects. Apache HTTP server is used to distribute content and/or centralize auth/security type settings. It's possible to host directly from a Java web application server but most big corps don't.
log4j is used in a lot of places because overall it's a high-quality library. This is a big black eye for them due to feature creep IMO. I work in security and even this caught me by surprise. In retrospect I'm shocked this wasn't caught earlier but it's been out in the open for years. Like I said before though, to be successful it depends on a foundation that has been fixed for a while, so shame on companies for being too lazy to keep up with security patches in the OS or Java layers.
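A defender-side inventory check for what the replies above describe (the JndiLookup plugin shipped inside log4j-core, and 2.15.0 as the release that turns message lookups off), written as an added example and not code from the thread or from the log4j project: it walks a directory tree, opens every jar/war/ear including jars nested inside them, and reports whether log4j-core is present, whether the JndiLookup class is still in it, and whether the version is below 2.15.0. The class path and the Maven pom.properties path are the standard log4j-core layout; the 2.15.0 threshold is taken from the reply, and any archive with the class but no version metadata is flagged for manual review rather than guessed at.

```python
import io
import os
import re
import zipfile

# The class behind log4j's JndiLookup plugin, and the Maven metadata that log4j-core jars ship.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # the release the thread names as disabling message lookups

def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); a trailing tag such as '0-rc1' counts as its leading digits."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in version.split("."))

def inspect_jar(data):
    """Classify one archive from its raw bytes; jars nested inside it (e.g. WEB-INF/lib) are checked too."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = None
        if POM_PROPERTIES in names:
            props = dict(l.split("=", 1) for l in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines() if "=" in l)
            version = props.get("version", "").strip() or None
        if has_jndi and version is None:
            findings.append(("review", "JndiLookup present, log4j-core version unknown"))
        elif has_jndi and version_tuple(version) < FIXED_VERSION:
            findings.append(("vulnerable", "log4j-core %s with JndiLookup present" % version))
        elif has_jndi:
            findings.append(("patched", "log4j-core %s, lookups disabled by default" % version))
        elif version is not None:
            findings.append(("mitigated", "log4j-core %s, JndiLookup class removed" % version))
        for name in sorted(n for n in names if n.endswith(".jar")):
            findings += [(s, name + ": " + d) for s, d in inspect_jar(zf.read(name))]
    return findings

def scan_tree(root):
    """Walk a directory tree; return {archive path: findings} for every .jar/.war/.ear with a hit."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings = inspect_jar(fh.read())
                if findings:
                    report[path] = findings
    return report
```

Run `scan_tree("/opt")` (or wherever the application servers live) and treat every "vulnerable" and "review" entry as work for the patching queue; shaded jars that repackage log4j-core under another artifact name will show up as "review" because the pom.properties path differs.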
As a contractor/consultant, I can confirm most organizations are very far behind in their security updates in general. Newer projects get the newer JDK's usually, and the larger the company, the more likely they have a lot of out-of-date software.
Although there are many reasons for this, the largest I have come across is that most organizations don't have enough knowledge of their full runtime environments to confidently make changes, even security updates of this nature. In many cases, systems are inherited by new people after old people leave, and there is a lot of fear to make changes since a lot of developers I have worked with fail to try to fully understand the product and code they're working on.
The upside is that vulnerabilities that get mass media attention, like this, are usually an exception to the norm and they will attempt to discover and fix the problem as quickly as they can.