
Understanding Log4j: The Vulnerability & The Fix

Broadcast as the biggest security vulnerability in modern-day technology, the Log4j vulnerability has made news worldwide. System admins and developers have been scrambling to find affected servers, and the average computer user is scratching their head wondering how it affects them. Let’s take a quick dive into what Log4j is, how the recently discovered vulnerability affects systems, how to find out whether your server (or computer) is affected, and how to mitigate it.

The Background

Java is a programming language used in thousands of applications across millions of customers and businesses worldwide. Web servers (such as the one hosting this website), video game servers (and clients), and other applications that rely on the Java framework are all potentially vulnerable. CloudFlare, iCloud, MineCraft, Steam, Twitter, Apple, and Amazon are only a few of the companies using software that was affected.

The Vulnerability

The “zero-day” vulnerability was reported by Alibaba on November 24, 2021. Although the flaw has existed for years, security researchers don’t believe it had been found before (by hackers), since they had never spotted an instance of it in reported attacks. The vulnerability has been shown to be extremely easy to trigger in some systems; e.g., MineCraft players were able to exploit vulnerable servers just by typing into the chat!

The Log4j vulnerability allows malicious actors to infiltrate a system, bypass security, and gain administrative privileges on Microsoft, Mac, and Windows systems.

The Fix

Luckily, we have an easy, free fix for you!

The Log4j-Detector by mergebase, available here, will scan Windows, Mac, and Windows systems, even finding instances that are hidden several layers deep.

Example usage:

java -jar log4j-detector-2021.12.20.jar ./samples

-- github.com/mergebase/log4j-detector v2021.12.20 (by mergebase.com) analyzing paths (could take a while).
-- Note: specify the '--verbose' flag to have every file examined printed to STDERR.
/opt/mergebase/log4j-detector/samples/clt-1.0-SNAPSHOT.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/opt/mergebase/log4j-detector/samples/infinispan-embedded-query-8.2.12.Final.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE
/opt/mergebase/log4j-detector/samples/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17 OLD
/opt/mergebase/log4j-detector/samples/log4j-1.2.13.jar contains Log4J-1.x <= 1.2.17 OLD
/opt/mergebase/log4j-detector/samples/log4j-1.2.17.jar contains Log4J-1.x <= 1.2.17 OLD
/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta2.jar contains Log4J-2.x <= 2.0-beta8 POTENTIALLY_SAFE (or did you already remove JndiLookup.class?)
/opt/mergebase/log4j-detector/samples/log4j-core-2.0-beta9.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE
/opt/mergebase/log4j-detector/samples/log4j-core-2.0.2.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE
/opt/mergebase/log4j-detector/samples/log4j-core-2.0.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE
/opt/mergebase/log4j-detector/samples/log4j-core-2.10.0.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/opt/mergebase/log4j-detector/samples/log4j-core-2.12.2.jar contains Log4J-2.x >= 2.12.2 SAFE
/opt/mergebase/log4j-detector/samples/log4j-core-2.14.1.jar contains Log4J-2.x >= 2.10.0 VULNERABLE
/opt/mergebase/log4j-detector/samples/log4j-core-2.15.0.jar contains Log4J-2.x >= 2.15.0 OKAY
/opt/mergebase/log4j-detector/samples/log4j-core-2.16.0.jar contains Log4J-2.x >= 2.16.0 SAFE
/opt/mergebase/log4j-detector/samples/log4j-core-2.4.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE
/opt/mergebase/log4j-detector/samples/log4j-core-2.9.1.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) VULNERABLE

Reading results:

_VULNERABLE_ -> You need to upgrade or remove this file.
_OKAY_ -> We only report this for Log4J versions 2.15.0 and 2.16.0. We recommend upgrading to 2.17.0.
_SAFE_ -> We currently only report this for Log4J versions 2.17.0 and 2.12.2.
_OLD_ -> You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known vulnerabilities.
_POTENTIALLY_SAFE_ -> The “JndiLookup.class” file is not present, either because your version of Log4J is very old (pre 2.0-beta9), or because someone already removed this file. Make sure it was someone in your team or company that removed “JndiLookup.class” if that’s the case, because attackers have been known to remove this file themselves to prevent additional competing attackers from gaining access to compromised systems.
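To show how a scanner arrives at these labels, here is an added example that is not part of the mergebase tool: a small Python scanner that opens each jar in memory, reads the version from the Maven pom.properties that real Log4J jars carry, checks whether JndiLookup.class is present, recurses into jars nested inside jars or wars, and applies the legend above. The sample jars are constructed in the test; the version-to-label rules assume only what the legend states (2.12.2, 2.17.0 and later are SAFE; 2.15.0 and 2.16.0 are OKAY).

```python
import io
import re
import zipfile

# Class whose presence enables the JNDI lookup abused by CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata real Log4J jars carry, e.g. META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
POM_RE = re.compile(r"META-INF/maven/.*/(log4j-core|log4j)/pom\.properties$")

def parse_version(text):  # '2.0-beta9' -> (2, 0, 0); '2.12.2' -> (2, 12, 2)
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(version, has_jndi):
    """Map (version tuple, JndiLookup.class present?) to the detector's labels."""
    if version is None:
        return "UNKNOWN"
    if version[0] < 2:
        return "OLD"                 # Log4J 1.x: not CVE-2021-44228, but EOL
    if not has_jndi:
        return "POTENTIALLY_SAFE"    # pre-2.0-beta9, or someone removed the class
    if version == (2, 12, 2) or version >= (2, 17, 0):
        return "SAFE"
    if version in ((2, 15, 0), (2, 16, 0)):
        return "OKAY"                # partial fixes; upgrade to 2.17.0
    return "VULNERABLE"

def scan_jar(data, path="", results=None):
    """Scan a jar held in memory, recursing into jars nested inside it."""
    results = [] if results is None else results
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        version = None
        for n in names:
            if POM_RE.search(n):
                for line in zf.read(n).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1].strip())
        if version is not None or JNDI_CLASS in names:
            results.append((path, classify(version, JNDI_CLASS in names)))
        for n in names:              # jars hidden several layers deep
            if n.lower().endswith((".jar", ".war", ".ear")):
                scan_jar(zf.read(n), f"{path}!/{n}", results)
    return results

def make_jar(entries):  # constructed sample jar from {entry name: bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

To scan a directory, read each file ending in .jar/.war/.ear with `open(p, "rb").read()` and pass the bytes to `scan_jar` with the file path.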

If the file above becomes unavailable for whatever reason, you can find a locally archived version here (updated Dec 20, 2021):
