What Is Log4Shell? The Log4j Vulnerability Explained
A new vulnerability that impacts devices and applications that use Java has been identified in Log4j, the open-source Apache logging library. Known as Log4Shell, the flaw is the most significant security vulnerability currently on the internet, with a severity score of 10-out-of-10. Fortunately, Perforce static analysis and SAST tools — Helix QAC and Klocwork — can help.
Here, we explain what the Log4j vulnerability is, provide a Log4j example, and explain how a SAST tool like Klocwork can help prevent and detect vulnerabilities, like Log4Shell.
Read along or jump ahead to the section that interests you the most:
- What Is Log4j?
- What Is Log4Shell: The Log4j Vulnerability Explained
- What Devices and Applications are Vulnerable to Log4Shell?
- How Klocwork Detects the Log4j Vulnerability
- How to Prevent the Log4j Vulnerability with Klocwork
➡️ Stop the Log4j Vulnerability with Klocwork
What Is Log4j?
Log4j is a Java library for logging error messages in enterprise applications, which includes custom applications, networks, and many cloud computing services.
In addition, it is used by a large percentage of the Java programs developed in the last decade for both server and client applications.
What Is Log4Shell: The Log4j Vulnerability Explained
Log4Shell, also known as CVE-2021-4428, is a high-severity vulnerability that affects the core function of Apache Log4j2.
The vulnerability enables an attacker to perform remote code execution. This allows them to:
- Access the entire network through the affected device or application
- Run any code
- Access all data on the affected device or application
- Delete or encrypt files
The affected version, Log4j version 2 (Log4j2), is included in:
- Apache Struts2
- Apache Solr
- Apache Druid
- Apache Flink
- ElasticSearch
- Flume
- Apache Dubbo
- Logstash
- Kafka
- Spring-Boot-starter-log4j2
- Swift frameworks
What Devices and Applications are Vulnerable to Log4Shell?
If a device that is connected to the internet runs Apache Log4j, versions 2.0-to-2.14.1, then they are vulnerable to Log4Shell.
How to Detect and Prevent the top Software Security Vulnerabilities
Log4Shell is only one of many potential security vulnerabilities. Find out how to effectively detect and address the top security vulnerabilities.
How Klocwork Detects the Log4j Vulnerability
As a static analysis and SAST tool, Klocwork inspects your source code for design and coding flaws that could make your device or application vulnerable, like a tainted data problem. Klocwork can track tainted, untrusted, or otherwise suspicious data along all possible execution paths in your code, including Log4Shell (CVE-2021-4428).
Right “out of the box”, Klocwork’s SV.LOG_FORGING checker detects tainted data being passed to logging applications. A small knowledgebase file, available from Perforce Support, extends the checker to detect the Log4j vulnerability.
In addition, Klocwork features an integration with Secure Code Warrior, which helps provide remediation guidance to these types of defects, as well as additional software security training. Secure Code Warrior highlights security vulnerabilities and provides guidance on how to fix those errors.
How to Prevent the Log4j Vulnerability with Klocwork
Now that you better understand what the Log4j vulnerability is and how Klocwork can identify it, here is a Log4j example. In addition, we provide a step-by-step guide to demonstrate how Klocwork helps you to detect and remediate this serious exploit.
1. Use the Klocwork SV.LOG_FORGING Checker
To use Klocwork’s SV.LOG_FORGING checker: Go to the application’s Klocwork Portal project to add the knowledgebase file and confirm that the SV.LOG_FORGING checker is enabled.
The extension adds Log4j methods to SV.LOG_FORGING's list of dangerous destinations for tainted data. This allows you to identify the Log4j vulnerability, Log4Shell.
2. Locate the Log4j Vulnerability
Once the whole application integration analysis is complete, any errors or vulnerabilities will be highlighted.
The sequence below highlights how log forging is possible and enables an attacker to take advantage of log records in order to manipulate them:
1 public class Test2 implements HttpHandler {
2 static Logger log = LogManager.getLogger(Test2.class.getName());
3 public void handle(HttpExchange he) {
4 String apiVersion = he.getRequestHeaders().getFirst("X-Api-Version");
5 log.info("Api Version:{}", apiVersion);
6 }
7 }Once the analysis is complete, Klocwork will report on the vulnerability on line #5.
3. Prevent Log4j Vulnerability Defects
Apache has released a new version of Log4j — version 2.16 — which does not contain the Log4Shell vulnerability.
In addition, if you cannot update to the latest version, Apache has provided solutions to mitigate the Log4j vulnerability.
In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Stop Vulnerabilities — Like Log4Shell — with Klocwork
Log4Shell is a concerning software security vulnerability and — unfortunately — it is not the only one. It is just one example of the types of vulnerabilities that CWE-117 and OWASP A10:2017 can help highlight.
By using a SAST tool, like Klocwork, you can easily enforce software security standards — like CWE, OWASP, and CERT — to better detect, prevent, and eliminate software security vulnerabilities, like Log4Shell.
Experience first-hand how simple Klocwork makes it to safeguard your software by identifying vulnerabilities as early as possible. Register for a free trial today.