How To Detect and Secure Your Java App From Log4j Vulnerabilities

Apache Log4j is the popular open source logging library for Java developers that was recently caught up in a massive security-related breach. Due to its popularity, a large number of organizations were affected by the breach. For the latest news, refer to the official website about specific issues and patches. Here is an additional article that explains the core issues in detail.

List of Security Issues That Were Found in Log4j Version 2.x:

1. CVE-2017-5645: Apache Log4j socket receiver deserialization vulnerability  (Severity - Moderate)
2. CVE-2020-9488: Improper validation of certificate with host mismatch in Apache Log4j SMTP appender (Severity - Low)
3. CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints (Severity - Critical)
4. CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations (Severity - Critical)
5. CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation (Severity - Critical)
6. CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration (Severity - Moderate)

4 Ways To Secure Your Java Application:

1.  Detect if You Have Log4j 2.x in Your Code Base 

Apache Log4j can be in your project directly or a dependency of a dependency. Thus, it's best to use a build tool such as Maven or Gradle to quickly scan for the same tree as follows:

Maven:

 mvn dependency:tree -Dincludes=org.apache.logging.log4j

Gradle:

 .\gradlew dependencies --configuration=testRuntimeClasspath | find "log4j"

Alternatively, you can also use an open source tool like Log4jScanner, but this does a brute force check. It is important to note that not all of the log4j.jars are vulnerable, especially if you're using the updating version of the library (see #3)

2.  Beef Up Security Tests and Monitoring

Because security is an ongoing process, attackers are always on the prowl for any kind of vulnerability.  Therefore, make sure your application and architecture are not only secure by following secure coding best practices, but also test for attacks on a regular basis. It is also vital to have a monitoring system as simple as alerts when security tests fail.

Tools especially to detect Log4j Bugs:

Huntress Log4Shell Vulnerability Tester Tool:

• You simply copy and paste the generated JNDI syntax (the code block ${jndi[:]ldap[:]//....presented below) into anything: application input boxes, frontend site form fields, logins such as username inputs, or if you are a bit more technical, even User-Agent or X-Forwarded-For or other customizable HTTP headers.

logger.error("${jndi:ldap://log4shell.huntress.com:1389/<your-unique-identifier-from-log4shell.huntress.com>}");

• Check the results page to see if it received any connection, and verify the detected IP address and timestamp to correlate with when you tested any service.
• If you see an entry, a connection was made and the application you tested is vulnerable.

Test if Your Application Was Already Attacked by Running These Commands:

https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b or using run this Python tool.

3.  Update Log4j 2.x Library 

If you are using the Apache Log4j library, make sure to update to the latest version, as the above-listed security vulnerabilities have been patched. This is the best measure at the moment.

Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 or latest (for Java 8 and later).

4.  Setup Web Application Firewall (WAF) 

Web Application Firewall scans every incoming request for indications of bugs, like remote code execution, by comparing the request data against a set of precompiled rules. There are open source WAF for Java, and if you host your application on the Cloud, check WAF that your cloud vendor provides and make sure it's up to date. 

By following the steps above, you can sleep with peace of mind knowing your applications are safe and secure for now.