Log4Shell: behind the major flaw, the eternal question of support for free software – Next INpact

On Friday, CERT-FR published a bulletin on this flaw, identified as CVE-2021-44228. To give you an idea of the level of “panic”: it earns a severity score of 10/10. Apache gives the technical details in its own advisory.

The government centre for monitoring, alerting and responding to computer attacks (CERT-FR), for its part, recalls that Apache log4j “is widely used in Java/J2EE application development projects as well as by vendors of off-the-shelf software solutions based on Java/J2EE”.

Beware: not using Java yourself is not enough to consider yourself spared, since the underlying building blocks of your architecture may well use it. Log4j is embedded in a wide variety of frameworks: Apache Struts2, Solr, Druid, Flink… The problem can therefore spread like wildfire.

It is therefore in your best interest to check your own situation. Detection tools have naturally been put online (here or there, for example) now that exploitation proofs of concept are public.

Update quickly…

According to Bleeping Computer, the flaw was detected by the Alibaba Cloud security team and reported to Apache on November 24. Proofs of concept were quickly published, and exploitation was of course confirmed in the process. Some nonetheless point to the problem having been identified as early as 2016.

All versions of the library are affected, except 2.15.0, which has just been released and corrects the flaw. For Log4j 1.x versions, there is a condition for it to be exploitable: “the vulnerability only exists if the JMS Appender component is configured to take JNDI into account. It is therefore a very specific configuration”, explains CERT-FR.

… or, failing that, workarounds

It is obviously strongly recommended to move to log4j version 2.15.0 to guard against Log4Shell, but if that is not possible, workarounds exist:

  • Log4j versions 2.7.0 and later: “it is possible to guard against any attack by modifying the format of the events to be logged with the %m{nolookups} syntax for the data provided by the user. This modification requires modifying the log4j configuration file to produce a new version of the application. It therefore requires performing the technical and functional validation steps again before deploying this new version.”
  • Log4j versions 2.10.0 and later: “it is also possible to guard against any attack by setting the log4j2.formatMsgNoLookups configuration parameter to the value true, for example when launching the Java virtual machine with the option -Dlog4j2.formatMsgNoLookups=true. Another alternative is to remove the JndiLookup class from the classpath to eliminate the main attack vector (researchers do not rule out the existence of another attack vector)”.
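Before choosing between these workarounds you need an inventory of what is actually deployed. The following is an added example, not code from the article or from the Log4j project: it walks a directory tree, reads the log4j-core version from each JAR and reports whether the JndiLookup class the second workaround removes is still present. The threshold 2.15.0 and the JndiLookup path are from the article; the demo JARs are constructed in a temporary directory.

```python
import tempfile
import zipfile
from pathlib import Path

# Class the CERT-FR workaround removes from the classpath, and the Maven
# metadata entry that carries the log4j-core version inside the JAR.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first release the article names as correcting the flaw


def parse_version(text: str):
    """Read 'version=2.14.1' from pom.properties; returns a tuple or None.
    Only leading numeric components are kept, so '2.0-beta9' becomes (2,)."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            return tuple(int(p) for p in parts[:3] if p.isdigit())
    return None


def inspect_jar(jar_path: Path) -> dict:
    """Report version and JndiLookup presence for one JAR. A JAR needs action
    when JndiLookup is still there and the version is unknown or below 2.15.0."""
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        version = parse_version(jar.read(POM_PROPS).decode()) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP in names
    outdated = version is None or version < FIXED
    return {"jar": jar_path.name, "version": version,
            "jndi_lookup": has_jndi, "needs_action": has_jndi and outdated}


def scan(root: Path) -> list:
    """Walk a directory tree and inspect every valid *.jar found."""
    return [inspect_jar(p) for p in sorted(root.rglob("*.jar")) if zipfile.is_zipfile(p)]


def make_fake_jar(path: Path, version: str, with_jndi: bool) -> Path:
    """Constructed sample input: a minimal JAR holding only the entries we check."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\n")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path


def demo() -> list:
    """Build three constructed JARs (old, fixed, old-but-stripped) and scan them."""
    root = Path(tempfile.mkdtemp())
    make_fake_jar(root / "log4j-core-2.14.1.jar", "2.14.1", True)
    make_fake_jar(root / "log4j-core-2.15.0.jar", "2.15.0", True)
    make_fake_jar(root / "log4j-core-stripped.jar", "2.14.1", False)
    return scan(root)
```

Only the first constructed JAR is flagged: 2.15.0 still ships JndiLookup but is the fixed release, and the stripped 2.14.1 JAR no longer contains the class.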

Amazon Web Services offers a hotpatch, “to use at your own risk”. Other “techniques” have been published, including Logout4Shell, which “uses the flaw against itself”. Stéphane Bortzmeyer raises the question of the legality of this manoeuvre, which consists in “hacking a machine to patch it”.

“Significant threat” for the NSA, Quebec shuts down thousands of sites

The reactions are numerous, too many to detail them all here. Rob Joyce, Director of Cybersecurity at the NSA, nevertheless explains that it is a “significant threat due to its widespread inclusion in software frameworks, even the NSA’s GHIDRA”, an open source reverse engineering tool.

Quebec has decided to suspend, “as an emergency measure”, nearly 4,000 government sites and services: “The balance of inconvenience meant that it was better to shut down the systems and make sure they were safe before making them available again”, affirmed Éric Caire, Minister Delegate for Digital Transformation, as reported by the Journal de Montréal. Other sites are obviously affected, as Motherboard indicates: Minecraft, iCloud, Twitter, Steam…

For its part, Cloudflare thinks it was spared: “While we used versions of the software as described above, thanks to our speed of response and defense-in-depth approach, we don’t think Cloudflare was compromised.” As usual, the service quickly delivered a detailed analysis of the problem and mentioned attempts captured here and there, in order to allow their identification.

Another coin in the open source debate

As might be expected, the discovery of Log4Shell has revived the question of funding, maintaining and auditing open source software, which is sometimes used in very large projects. It is, once again, an opportunity to highlight this excellent xkcd drawing:

Credits: xkcd

If in this case the developers seem to have been quick to offer an update, some wonder whether this “disaster” could have been avoided with a larger team. The question was already asked with Heartbleed in the past and will most certainly be asked again in the future.

We recently interviewed Lancelot Pecquet, professor at the University of Poitiers, to find out whether the Heartbleed “electroshock” had changed things over time: “my impression and my observation: it didn’t change much […] because people are in a great hurry to release the new feature”.

If confirmation were needed, it has just arrived.

Nadim Kobeissi published a blog post on the question of “maintainers” of open source projects, based on the painful Log4Shell experience. He took the opportunity to recall two “troublesome truths”.

He explains that, “like many other open source projects, Log4j is small enough to become easily replaceable in-house once companies start to feel pressured to spend money on it”. Relying on this tweet, which explains that the flaw stems from a feature the developers wanted to remove but kept for compatibility reasons, Kobeissi adds that a “large number” of problems can be solved by reducing the number of features to be maintained (to focus on the essentials) rather than increasing them, sometimes for the wrong reasons.

The developers were quick to respond

Volkan Yazıcı, from the Apache Software Foundation, adds: “The maintainers of Log4j worked sleepless on mitigation measures; fixes, docs, CVEs, responses to inquiries, etc. Still, nothing prevents people from criticizing us, for a job we don’t get paid for, for a feature we don’t all like, but which we had to keep due to backward compatibility issues.” The question can be extended to many other projects…

VideoLAN cites the example of FFmpeg. Cédric Champeau, who works at Oracle Labs, adds that the question of pay is not everything: “It’s a little annoying how people think OSS funding [Open-Source Software, editor’s note] would have avoided the problem with log4j. It would not have. We all write bugs; the most important thing is the process of fixing them and the ease of updating. In this case, although they weren’t paid, the maintainers of log4j did a great job.”