Notes on Apache Log4j2 issue, fix, lessons learned and next steps
In this post, we discuss
- what caused the security issue in Apache Log4j2
- fix provided by the Apache team for this issue
- lessons learned
- how we all can help Open Source in locating this kind of security issues and fixing them
About the issue
“Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed.
Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.”
Arbitrary code loaded from LDAP servers:
Assume you have a search application, where you are getting search terms / search query from your users:
This issue is very similar to SQL Injection for Databases. Here JVM can be tricked to run the malicious code.
So one liner of this issue:
The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can be exploited to exfiltrate data or execute arbitrary code via remote services such as LDAP, RMI, and DNS.
Log4j2 version 2.0.x is dated back to 2016. So this issue was there for more than 5 years and we could found this in the end of 2021. This clearly shows that we need:
- A voluntary movement to find these kind of issues in our Open Source software.
- These volunteers should be awarded for their proof-of-work in locating and fixing this kind of issues. Similar to Prof. Donald Knuth’s reward check.
- Users of Open Source software can fund these efforts. This will make our Open Source more successful. As we know Open Source is the backbone to the growth of our Software Industry.
- Let us make it healthier and stronger!