What happened?
On Friday, December 10th, 2021, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about a major security flaw in Log4j, a piece of software used by millions of web servers. Log4j is an open-source, Java-based logging utility widely used by business software and cloud services. The flaw, commonly called Log4Shell, is a serious and widespread vulnerability that requires immediate action: it can be, and has been, exploited to take control of an affected system.
What’s at risk?
The vulnerability allows remote code execution, which attackers have used to deploy ransomware and other malware. Log4j is embedded in many applications and services, including gaming platforms, e-commerce sites and cloud applications. The library records information such as users' IP addresses, browsers, requests made and pages accessed, which is exactly why attacker-controlled input reaches it. It also helps system administrators monitor software and identify bugs when things go wrong.
A few technical details:
- This vulnerability allows an attacker to run code of their choosing on the affected server, known as Remote Code Execution (RCE). It is easy to exploit: a crafted string in any input that ends up being logged is enough.
- The affected versions of log4j are 2.0-beta9 through 2.14.1.
- The initial vulnerability (CVE-2021-44228) was patched in 2.15.0, but that fix was found to be incomplete, resulting in CVE-2021-45046, which was patched in version 2.16.0. Later 2.x releases addressed further, lower-severity issues, so upgrade to the latest 2.x release rather than stopping at 2.16.0.
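To make the version ranges above concrete, here is an added example (Python, not part of the original advisory or of any scanning product) that reads the version out of a log4j-core JAR's Maven metadata, classifies it against the ranges above, and also checks whether the JndiLookup class has been removed, a documented stop-gap mitigation. The JAR contents, file paths and sample versions are constructed for the example; the Java 7 backport line (2.12.2 and later 2.12.x) is not modelled.

```python
"""Classify log4j-core versions against the affected/fixed ranges above.

Added example, not part of the original advisory. It reads the Maven
pom.properties that log4j-core release JARs carry and compares the
version against the ranges the advisory names.
"""
import io
import re
import zipfile

# Boundaries taken from the advisory text.
FIRST_AFFECTED = "2.0-beta9"   # earliest release with the JNDI lookup
FIX_44228 = "2.15.0"           # incomplete fix for CVE-2021-44228
FIX_45046 = "2.16.0"           # fix for CVE-2021-45046

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '2.14.1', '2.0-beta9' or '2.0' into a comparable tuple.

    Pre-releases (beta, rc) sort below the final release of the same
    number, so 2.0-beta9 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    release = (int(major), int(minor), int(patch or 0))
    # 0 = pre-release (then tag name and number), 1 = final release
    pre = (0, tag.lower(), int(tagnum)) if tag else (1,)
    return release + pre


def classify(version_text):
    """Map a log4j-core version to its status for the two CVEs in this advisory.

    Caveat: the Java 7 backport line (2.12.2 and later 2.12.x) also carries
    the fixes and is deliberately not modelled here.
    """
    v = parse_version(version_text)
    if v[0] != 2:
        return "out of scope: not a log4j 2.x release"
    if v < parse_version(FIRST_AFFECTED):
        return "not affected: predates the JNDI lookup"
    if v < parse_version(FIX_44228):
        return "vulnerable: CVE-2021-44228 and CVE-2021-45046"
    if v < parse_version(FIX_45046):
        return "vulnerable: CVE-2021-45046 (incomplete fix in 2.15.0)"
    return "patched: CVE-2021-44228 and CVE-2021-45046"


def inspect_jar(jar_bytes):
    """Return (version, has_jndi_lookup) for the bytes of a log4j-core JAR.

    version is None when the Maven metadata is missing (shaded or
    repackaged JARs need a different check).
    """
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP_CLASS in names


def audit_jar(jar_bytes):
    """Combine the version check with the JndiLookup.class presence check."""
    version, has_jndi = inspect_jar(jar_bytes)
    if version is None:
        return "unknown version: no Maven metadata, inspect manually"
    status = classify(version)
    if status.startswith("vulnerable") and not has_jndi:
        # Removing JndiLookup.class was a documented stop-gap mitigation;
        # report it so the version finding is not mistaken for an open hole.
        return f"{status}; JndiLookup.class removed, lookup mitigated"
    return status


def build_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core JAR: only the entries this
    example reads, with a placeholder class body (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inventory: hypothetical paths, sample JARs built above.
    inventory = {
        "app/lib/log4j-core-2.0-beta8.jar": build_sample_jar("2.0-beta8"),
        "app/lib/log4j-core-2.14.1.jar": build_sample_jar("2.14.1"),
        "app/lib/log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", False),
        "app/lib/log4j-core-2.15.0.jar": build_sample_jar("2.15.0"),
        "app/lib/log4j-core-2.16.0.jar": build_sample_jar("2.16.0"),
    }
    for path, jar in inventory.items():
        print(f"{path}: {audit_jar(jar)}")
```

A file-system audit like this complements a web scan: it finds copies of log4j-core in services that are not reachable over the web at all. Fat or shaded JARs often drop the Maven metadata, so an "unknown version" result is a prompt to inspect the archive by hand rather than a clean bill of health.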
To learn more about how this vulnerability works, see the following links:
- Inside the Log4j2 vulnerability (CVE-2021-44228) - Cloudflare
- Apache Log4j Security Vulnerabilities - apache.org
- List of affected software
Checking for log4j vulnerability with Web App Scan*
The Web App Scan can now test for vulnerable versions of log4j in your websites or web applications. The log4j test is included in the “Normal” scan level. It can also be run independently by choosing the "Log4j Only" scan level.
The log4j test will show in your scan report as “Log4Shell”. If you run the “Log4j Only” scan level and your report shows 0 findings, the scan did not detect a Log4Shell vulnerability in the scanned web application. That is not proof that none exists: see the notes below for what the test does not cover.
Report Example:
Notes
- *This test is not a comprehensive scan for log4j vulnerabilities across your environment. It only tests the host you point it at: if you scan www.cybersafety.com, it will not scan any other subdomains, such as portal.cybersafety.com, nor any internal services that are not reachable over the web.
- This test will not check for log4j vulnerabilities that may exist in any third-party software you are using. Check with your software vendors for guidance.
- The log4j test is not included in the “Lightning” scan level.