Created: 2022-07-08
Tags: #fleeting
Log4j records events (errors and routine system operations) and communicates diagnostic messages about them to system administrators and users. It is open source software from the Apache Software Foundation.
Overall, its common use is to keep logs.
In Minecraft, the server uses it to log activity such as total memory used or commands typed in the console.
When you type in a bad web link and get a 404 error message, the web server running the domain of the link you tried to reach tells you there's no such webpage. That also gets recorded in a log for the server's system administrator.
The attack abuses the feature in Log4j that allows users to specify custom code for formatting a log message.
Log4j allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer.
Attackers set up machines that can deliver a malicious payload.
To carry out an attack, they query services like web servers,
trying to trigger a log message like a 404 error.
The query includes maliciously crafted text, which Log4j dumbly processes as instructions.
These instructions creates
Basically, logging is a fundamental feature of most software,
and it most often relies on third-party apps such as Log4j.
! Log4j is often deeply embedded in code
! hidden from view due to being called in by indirect dependencies.
Making matters worse, according to CSRB,
“There is no comprehensive ‘customer list’ for Log4j or even a list of where it is integrated as a subsystem.”
Because Log4j is everywhere, hackers have a large menu of targets to choose from:
As a user, it's hard to know whether a software product you are using includes Log4j and whether it is using vulnerable versions of the software.
However, make sure all of your software is up to date.
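One way to check for the copies hidden by indirect dependencies, as an added example (not part of the original note): this Python script walks a JAR/WAR and every archive nested inside it and reports each bundled log4j-core with the version from its Maven metadata. The sample archive, its file names and the `0.0.0-SAMPLE` version string are constructed for illustration; compare real results against Apache's security advisories.

```python
import io
import zipfile

# Maven metadata and a core class that log4j-core ships inside its JAR.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_CLASS = "org/apache/logging/log4j/core/Logger.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(props):
    """Extract the version= value from pom.properties bytes."""
    for line in props.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def find_log4j(data, path, depth=0, max_depth=5):
    """Return [(nested path, version)] for each log4j-core copy found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive: nothing to report
    hits = []
    with zf:
        names = set(zf.namelist())
        if POM in names:
            hits.append((path, parse_version(zf.read(POM))))
        elif CORE_CLASS in names:
            # Classes merged into another JAR with the metadata stripped.
            hits.append((path, "unknown"))
        if depth < max_depth:  # bound recursion into nested archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXTS):
                    hits += find_log4j(zf.read(name), f"{path}!/{name}",
                                       depth + 1, max_depth)
    return hits


def make_zip(entries):
    """Build an in-memory archive from {name: content} (sample data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed sample: an app JAR bundling log4j-core two levels deep."""
    core = make_zip({POM: "artifactId=log4j-core\nversion=0.0.0-SAMPLE\n", CORE_CLASS: b""})
    plugin = make_zip({"lib/log4j-core.jar": core})
    return make_zip({"com/example/App.class": b"", "BOOT-INF/lib/plugin.jar": plugin})
```

To scan a real file, pass its bytes and name: `find_log4j(open(p, "rb").read(), p)`.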