Log4J JNDI Exploit
What is Log4J?
Log4J is the most popular logging library in the Java world. It is used everywhere: name any company, and if they run services on Java, they are probably using it. It is so popular that many logging libraries for other languages were inspired by Log4J.
Each log message is sent to a set of previously configured "appenders", which write or send the data to different destinations. This can be a file, a database or many others.
The vulnerability was reported to Apache by Alibaba on November 24, 2021. It was then published in a tweet on December 9, 2021. The vulnerability was given the name "Log4Shell" and the CVE number CVE-2021-44228. It was also given the maximum CVSS score: 10/10. This marks it as very severe, as Log4J is used by millions of servers and computers around the world.
Log4J supports lookups. These allow logging information about the system (time, date, version, ...). This is done with a simple syntax in the message string you hand to Log4J when logging something, or in the configuration. Log4J evaluates the string and replaces the lookup expression with the data you asked for.
For example, if I want to get the current OS:
This also works recursively, which means you can nest multiple expressions inside each other. More on lookups can be found here.
Now, this is kind of a problem, but not that severe a one. We'll come to the really big problem of this exploit later. Take the following example:
You are running a Minecraft server. Someone joins with a modified client. The client does not send the player's real name. Instead, it sends this:
This is a lookup, which is logged and therefore evaluated when it lands in the server logs. Instead of this string, the log will contain your own hardware information. Now, this isn't really a big problem on its own. It just means you can't fully trust your logs anymore. But we're only getting started.
JNDI is the Java Naming and Directory Interface, which is able to look up data in other services. These can be LDAP, DNS, RMI and some other servers. JNDI is not a part of Log4J; it is included in Java itself. Don't confuse the two.
Such a lookup could look like this:
How can an attacker make use of this? It works like this: Let's take our example with the Minecraft server again. The attacker joins again and sends a modified player name:
In this JNDI lookup, Log4J will send a request to the LDAP server at totallytrustworthyserver.tk and will include the server's Java runtime information. Now our attacker already knows the exact Java version and distribution we're running.
The LDAP server can also return something, for example a Java object. JNDI will happily accept this response and load and execute it. Now this is a big problem. Just to recap: a foreign piece of code with potentially bad instructions in it is executed on your server without your knowledge.
As this is a complicated topic, we won't go deeper into it here. If you want to learn more, you can find good resources online for further reading.
How do I secure myself?
An important rule in all of IT is to always install the latest security updates. These also include patches like the one for this vulnerability.
If you are using Log4J in your application, make sure to update to version 2.17.0 or later. If you're unable to do this, make sure to remove
org.apache.logging.log4j.core.lookup.JndiLookup from your classpath.
Only log4j-core was affected by this vulnerability. If you're only using log4j-api (e.g. in a Minecraft plugin), your project itself is not affected.
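The two checks above (is the bundled log4j-core older than 2.17.0, and is JndiLookup still on the classpath?) can be automated. The following is an added example, not code from the page or from the Log4J project: it reads the Maven metadata that log4j-core jars carry, reports whether the jar is still exploitable, and writes a copy with JndiLookup.class removed. The `make_sample_jar` helper builds a constructed stand-in jar so the script runs offline; the class file body it writes is a dummy.

```python
import re
import zipfile
from pathlib import Path

# Class the page recommends removing, and the Maven metadata path log4j-core jars ship with.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # first version the page calls safe


def parse_version(pom_properties: str):
    """Return (major, minor, patch) from the 'version=' line of pom.properties, or None."""
    match = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return tuple(int(part) for part in match.groups()) if match else None


def inspect_jar(jar: Path) -> dict:
    """Report the bundled log4j-core version and whether JndiLookup is still present."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
    has_lookup = JNDI_LOOKUP in names
    # Unknown version is treated as outdated: better a false alarm than a missed jar.
    outdated = version is None or version < FIXED_VERSION
    # Exploitable only if an old log4j-core still ships the JNDI lookup class.
    return {"version": version, "has_jndi_lookup": has_lookup, "vulnerable": outdated and has_lookup}


def strip_jndi_lookup(src: Path, dst: Path) -> int:
    """Write a copy of src without JndiLookup.class (the fallback mitigation); return entries removed."""
    removed = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def make_sample_jar(path: Path, version: str, with_lookup: bool = True) -> Path:
    """Constructed stand-in for a log4j-core jar (assumption: only metadata and one class matter)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # dummy class-file magic, not real bytecode
    return path
```

Note that a patched 2.17.x jar still contains JndiLookup.class (it is merely disabled), so `has_jndi_lookup` alone is not a verdict; the version check is what clears it.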
Update your server to the latest version available. Make sure the maintainers have updated their Log4J dependency. Some older versions of some server software may not be maintained anymore; in that case you have to manually make sure its dependency is up to date.
Not only servers were affected by this, everyone was. So was your Minecraft client (the game). If your version is up to date, there is no need to worry. Versions before 1.7 are not affected. Third-party launchers and clients may not be updated automatically. Make sure their maintainers have updated their Log4J.
Also, take a look at Minecraft's official statement, Spigot's official statement and Instructions for Forge Users.