Notes on Apache Log4j2 issue, fix, lessons learned and next steps

Mohan Chinnappan
Dec 22, 2021

In this post, we discuss:

  • what caused the security issue in Apache Log4j2
  • the fix provided by the Apache team for this issue
  • lessons learned
  • how we can all help Open Source projects locate and fix this kind of security issue

About the issue

“Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.

An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed.

Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.”

Arbitrary code loaded from LDAP servers:

Assume you have a search application that receives search terms or a search query from your users and logs them:

[Figure: Log4j2 string interpolation issue]

This issue is very similar to SQL injection in databases: here the JVM can be tricked into running malicious code.

The issue in one line:

The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can be exploited to exfiltrate data or execute arbitrary code via remote services such as LDAP, RMI, and DNS.
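To make the string interpolation point concrete, here is a small Python model of message-lookup substitution, added for this note and not taken from Log4j's own Interpolator or JndiManager code. The `jndi` resolver, the `FAKE_ENV` values, the `search for:` message and the `attacker.example.invalid` host are constructed assumptions; the "jndi" stand-in only records the URL it was asked for and fetches nothing.

```python
import re
from typing import Callable, Dict, List, Tuple

# Innermost "${prefix:key}" token; the key part cannot contain another "${",
# so nested tokens are resolved inside-out across repeated passes.
LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):([^${}]*)\}")
Lookups = Dict[str, Callable[[str], str]]

def interpolate(message: str, lookups: Lookups) -> Tuple[str, List[Tuple[str, str]]]:
    """Substitute lookups in a log message the way a message-lookup
    interpolator would; also return every (prefix, key) a resolver ran for."""
    attempted: List[Tuple[str, str]] = []

    def resolve(match):
        prefix, key = match.group(1).lower(), match.group(2)
        resolver = lookups.get(prefix)
        if resolver is None:          # unknown prefix: left as literal text in this model
            return match.group(0)
        attempted.append((prefix, key))
        return resolver(key)

    while True:
        rendered = LOOKUP_RE.sub(resolve, message)
        if rendered == message:
            return rendered, attempted
        message = rendered

# Constructed stand-in for the process environment (not real values).
FAKE_ENV = {"APP_ENV": "prod"}

# Before the fix: a "jndi" lookup that would contact whatever URL the log
# message names. This stand-in only records the target; nothing is fetched.
VULNERABLE_LOOKUPS: Lookups = {
    "env": lambda key: FAKE_ENV.get(key, ""),
    "jndi": lambda url: f"<object from {url}>",
}

# After the fix (modelling 2.16.0, where JNDI lookup support was removed):
# "${jndi:...}" has no resolver, so it is logged verbatim and never fetched.
HARDENED_LOOKUPS: Lookups = {k: v for k, v in VULNERABLE_LOOKUPS.items() if k != "jndi"}

def log_search(query: str, lookups: Lookups) -> Tuple[str, List[Tuple[str, str]]]:
    """Model of a search endpoint logging the user's query as a message parameter."""
    return interpolate(f"search for: {query}", lookups)

def jndi_targets(log_line: str) -> List[str]:
    """Audit helper: the JNDI URLs a vulnerable logger would have contacted
    for this line, found by running the recording resolver over it."""
    _, attempted = interpolate(log_line, VULNERABLE_LOOKUPS)
    return [key for prefix, key in attempted if prefix == "jndi"]
```

Running `log_search` with the two lookup tables side by side shows the difference: with the vulnerable table the user-supplied lookup is resolved (a real JNDI resolver would contact the named server), while with the hardened table the same input is simply logged as text, and `jndi_targets` can be run over existing log lines to find inputs that would have triggered a lookup.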

Fix Details

[Figure: fix in JndiManager.java, version 2.15.0]
[Figure: fix in Interpolator.java]

Lessons Learned

Log4j2 version 2.0.x dates back to 2016, so this issue was present for more than 5 years before it was found at the end of 2021. This clearly shows that we need:

  • A voluntary movement to find this kind of issue in our Open Source software.
  • These volunteers should be rewarded for their proof-of-work in locating and fixing this kind of issue, similar to Prof. Donald Knuth's reward checks.
  • Users of Open Source software can fund these efforts. This will make our Open Source more successful; as we know, Open Source is the backbone of the growth of our software industry.
  • Let us make it healthier and stronger!

References

  1. CVE-2021-44228
  2. Remove static dependency on JndiLookup.class
  3. Koushik from Java Brains explains the issue in detail
