Log4j Cybersecurity CVSS Security

What Everyone Ought to know about Log4j

Pallavi Vishwakarma

Member of Technical Staff

Mar 29 2023

3 min reading

What Everyone Ought to know about Log4j
Image By HumorNama

Log4j is a tool developed by the Apache Software Foundation written in Java and used as a logging framework. It is an open-source Java API used for logging and this Java logging library is incorporated widely into various Apache applications to track activity within an application.


However, in December 2021, a critical vulnerability was discovered in Log4j that allows attackers to execute arbitrary code remotely, known as "Log4Shell" or "CVE-2021-44228". This vulnerability is caused by a flaw in the JNDI lookup feature of Log4j, which can be exploited by attackers to execute malicious code on affected systems.


Log4j Log expression:


Logger log = LogManager.getLogger(“ExampleClass”)

log.info(“Search term was {}”, “example”);


The above code will first instantiate a log using the LogManager function from Log4j. Then log.info will print the output “Search term was an example” to the console when the application is run. It is the most standard way of logging in to java.


Log4j Architecture:


Applications using the Log4j 2 API will ask the LogManager for a Logger by name. The relevant LoggerContext will be found by the LogManager, which will then get the Logger from it. The LoggerConfig that has either the same name as the Logger, the name of a parent package or the root LoggerConfig will be linked to the Logger if it needs to be generated. Logger declarations in the configuration are used to construct LoggerConfig objects. The Appenders that actually send the LogEvents are connected to the LoggerConfig.


Log4j architecture by logging.apache.org


Log4j Exploitation:


In order to check for faults, Log4j will first log messages in the program. Because of its logging capabilities, it can interact with directory services and other internal system components which creates an opening for vulnerabilities. Log4j has been used to create a method for creating malicious code strings that can be executed. The main method of attack is to send messages to Log4j that tell it to download and run malicious software from a remote server, giving the attacker further control over the victim's computer.


Log4Shell (CVE-2021-44228) was the active zero-day vulnerability in Log4j. log4Shell allows remote attackers to gain access to vulnerable targets. An attacker simply needs to make a straightforward malicious request with a formatted text, which the log4j library will then pick up, to carry out remote code execution.


This vulnerability was gone unnoticed since 2013 and it was later discovered by Chen Zhaojun of the Alibaba Cloud Security team and was disclosed publicly on 9 December 2021. Apache estimated CVE-2021-44228 to a CVSS score of 10, which indicates the most vulnerable vulnerability. This vulnerability affected hundreds of millions of devices as it was easy to execute by attackers. 


This flaw was fixed by Apache in Log4j version 2.15. But Security experts claim that the vulnerability's exploitation attempts have begun to affect servers that are still at risk.


Mitigation of Log4j Vulnerability:


The best way to prevent your organization from such attacks is to stay updated with the latest servers and install the patches as soon as it is released by the vendors.


A good mitigation strategy to stop attackers is to use outbound firewall rules on servers. If the server is able to perform DNS lookups, attackers will search for susceptible log4j2 instances, which will cause the DNS lookup.


To mitigate such risks in the future, organizations need to take steps to maintain a document of every component utilized in the IT environment along with a plan for how they can be upgraded or patched in the future.


It is crucial to stay informed about the latest threats and trends in cybersecurity to protect systems and applications from vulnerabilities such as Log4Shell. Organizations should prioritize cybersecurity and implement robust security measures to protect their sensitive data and assets from malicious actors.


SecOps Solution is an agent-less Risk-based Vulnerability Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.


To schedule a demo, drop us a note at hello@secopsolution.com

View SecOps Solution in action

Sign up for a personalized one-on-one walk-through.