Understanding the Recent Java Security Bug That's Causing Such a Stir (Log4J)
Massive security issue with the Log4J Java Library Is Causing Chaos

When I joined Contrast Security a year ago, I knew I was in for something different. Going back to a startup environment after years at large companies like Citrix, Oracle and Sun Microsystems was surely going to be a wild ride. Whether it was winning awards as one of the fastest-growing companies or completing a Unicorn-level fundraising round, there have been plenty of thrilling days. However, none have matched the last few days.

My team has found itself at the heart of one of the largest computer security crises in history, and it turns out we have the best technology to help. There's nothing more thrilling than rallying a great team to be their best or helping customers through a crisis. This week I got to do both!

So, what happened?

Here's an attempt to describe the details in a way that isn't overly technical. A lot of the info about this out there today is only understandable by developers and cybersecurity experts, but the important parts of this could be understood by almost anyone. And, for modern business leaders it is important that they understand this. Here goes.

On December 9th, 2021 it was reported that users of the popular video game Minecraft (now owned by Microsoft) could gain access to unauthorized information by pasting special code into a chat message.

Investigation of the issue showed that the root cause was a vulnerability in the popular, free, community-developed, open-source programming library called Log4J. This library is highly popular and used across the world by millions of computer programs. Once it was understood that this was the source of the problem, hackers quickly learned to exploit the vulnerability to gain unauthorized access to major commercial services provided by the likes of Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

As computer security researchers came to understand the problem, they issued a warning through the MITRE Common Vulnerabilities and Exposures (CVE) database. This problem is now formally known as CVE-2021-44228. The Apache foundation has assigned this issue a severity score of "10.0" on a 1-to-10 scale, the most severe rating possible.

Because this bug is in Log4J, the incident has started to get nicknames like "Log4Shell" and "LogJam". We'll see what sticks as this goes on.

What is Log4J?

Log4J was first released in 2001 and subsequently donated to the Apache Software Foundation, one of the world's largest communities of maintainers of free software code. Over the past 20 years, this software library has been embedded into millions of software programs.

Log4J is short for Logging for Java. Java, developed in the 90's by Sun Microsystems, has been the world's most ubiquitous programming language for the last 20 years. Current estimates show there to be about 8 million people developing computer programs in Java today. In turn, Java programs are used by billions of people.

Logging is a common activity in computer programming where short messages are written to a file or database for later use in debugging, auditing, security review, and support. The verb "to log" here is used in the same sense as "to write it down in a logbook." Most large-scale business computer applications internally log critical data and transactions, and Log4J has been the most popular way to do this for much of the last 20 years.

How Severe Is this Problem?

It was given the maximum possible severity score of 10.0 because:

  • It allows a potential attacker to execute their own arbitrary computer code on a company’s servers. This in turn allows the attacker to gain access to confidential or privileged information, or gain a foothold in an otherwise protected environment.
  • It is simple to exploit. A single web request can be enough to trigger this, as was seen with Minecraft's chat window being used to gain unauthorized access. Often the request can occur even before a user is authenticated.

Is there precedent for this?

This kind of thing has happened before and will happen again. In 2017 the global consumer credit rating service Equifax announced a data breach that exposed personal, confidential information of 147 million Americans as well as tens of thousands of UK and Canadian citizens. Equifax eventually settled with the United States Federal Trade Commission (FTC) and agreed to pay damages of $425,000,000 because of this breach.

The Equifax situation is highly similar to this situation in many ways. It was based on a similar attack technique in a common open source, free software library called Apache Struts. As with Log4J, this was used by many organizations and hundreds of companies were impacted; Equifax was just the most severe. However, today Log4J is far more common than Apache Struts was at the time of the 2017 incident. This means that the exposure is far, far broader.

Is this over?

This story for Log4Shell/LogJam is not over. Attackers were inside Equifax’s network for 76 days prior to their discovery and this wasn’t disclosed by the company until months later after they had completed an investigation. Companies were still known to be updating and fixing their internal applications for more than a year after the vulnerability was disclosed.

While the industry is more security-conscious than it was in 2017, and better tools exist to help, we should consider a few things:

  • Log4J is in much wider use than Apache Struts was at the time. The number of impacted companies is massive. Our measurements suggest around 1-2% of Java applications use Struts 2, but around 80% of Java apps use a version of Log4J.
  • Organizations will struggle to find all the instances of Log4J in their environments. Many organizations do not have effective, automated tracking of data like this.
  • While we have seen reports of large numbers of "hacks," we have yet to see reports of the damage. Companies have only just started investigating the issue. These investigations can take months of sleuthing to detect what was stolen and then disclose it. The impact is likely massive. Expect to see disclosures of substantial breaches for many companies over the next several months.
  • The Apache foundation has issued a new version of Log4J that closes the problem, but updating this library in millions of applications will be labor intensive and take time.
  • Despite some early media coverage, many organizations who may be impacted may still not know about the problem. Attacks are likely still ongoing.
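The second bullet above describes an inventory problem: before an organization can update Log4J, it has to find every copy of it, including copies buried inside WAR and EAR files. The scanner below is an added example written for this page; it is not Contrast's tooling or any Apache project code. It assumes that log4j-core jars carry the standard Maven `pom.properties` file at the path shown, that a jar in which the `JndiLookup` class is absent has had the class-removal mitigation applied, and it treats 2.15.0, the first release that closed CVE-2021-44228, as the fixed version (raise that threshold to match your own patch policy). The jars it scans are constructed in a temporary directory so the whole thing runs offline.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption for this example: Log4j 2.x releases before 2.15.0 are treated as
# affected by CVE-2021-44228; 2.15.0 was the first release that closed it.
FIXED_VERSION = (2, 15, 0)

# Maven metadata that log4j-core ships inside its jar; the version is read from here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that implements the JNDI lookup. If it has been deleted from the jar,
# the class-removal mitigation has been applied.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def inspect_archive(data, name):
    """Return findings for one archive, recursing into archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            vm = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = vm.group(1).strip() if vm else "unknown"
            parsed = parse_version(version)
            findings.append({
                "archive": name,
                "version": version,
                "vulnerable": parsed is not None and parsed < FIXED_VERSION,
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            })
        # Fat jars, WARs and EARs bundle further jars; look inside those as well.
        for entry in names:
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(entry), f"{name}!{entry}"))
    return findings


def needs_action(finding):
    """An old version still needs work unless the JndiLookup class was removed."""
    return finding["vulnerable"] and finding["jndi_lookup_present"]


def scan_tree(root):
    """Walk a directory tree and inspect every archive found under it."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, include_jndi_class=True):
    """Construct a minimal fake log4j-core jar in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


def demo():
    """Lay out a constructed directory tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(build_sample_jar("2.14.1"))
        (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(build_sample_jar("2.17.1"))
        # A WAR bundling an old log4j-core from which JndiLookup.class was removed.
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar",
                        build_sample_jar("2.11.2", include_jndi_class=False))
        (root / "app.war").write_bytes(war.getvalue())
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        status = "NEEDS ACTION" if needs_action(f) else "ok"
        print(f"{status:12} {f['version']:8} {f['archive']}")
```

Run against a real application directory with `scan_tree("/path/to/app")`; the recursion into nested archives is what catches the copies that a plain file-name search misses.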

What Does Contrast Do About This?

Without getting too technical, dealing with issues like this is EXACTLY what Contrast does. Our tools are designed to detect and block issues just like this and that's exactly what they have been doing this week. There has been lots of work the last few days to make sure our customers are sorted and safe, but it has been immensely rewarding.

Want to know more about the details? Check out this video from our CTO Jeff Williams. If you're a Java developer, you'll learn exactly how this exploit works and see how Contrast stops it in its tracks.

Are you or your organization possibly impacted by this and want help? Please reach out to me directly or visit our website for more info.

Shamus O'Rourke

Founding Partner at Sunset Hill Group and Cynergy Capital Partners

3 years ago

Well written, in plain language. Thanks for sharing bud!

Glad you’re one of the Good Guys Steve!

Manbinder Pal Singh

#100patentsin100days #InnovationAdvisor #RocketSikh #InnovationLeader #RunningSikh Any views,opinions,posts,comments on Linkedin are my own and not of my employers.

3 years ago

Great demo and article. This one is very scary. Time will tell.

Sally Mikhail Bemis

COO at Mikhail Education Corporation

3 years ago

Great article, Steve! Thanks for posting.

That's an excellent summary Steve, with easy to understand terminology. Thanks for sharing.
