Blog

Log4j Vulnerability, Impact, Fix FAQ-IBM's Jesse Gorzinski explains

Jesse Gorzinksi, a senior business architect at IBM in the United States, said, "We will answer FAQs about security vulnerabilities in Log4Shell." (Log4Shell Part 1: Answering FAQs on the Log4Shell) Security Vulnerability) has been published. Translated and posted with his permission.

text: Jesse Gorzinski IBM

Many of you are familiar with the recently announced security vulnerabilities in Log4j (also known as Log4Shell, LogJam). Exploiting this vulnerability is easy and allows an attacker to execute code remotely. This is a problem that cannot be ignored.

We have prepared two series of articles to help you understand the essence of this issue. As Part 1, this article introduces answers to frequently asked questions.

Q: Where can I find the official documentation for this vulnerability?

This vulnerability has been assigned the ID "CVE-2021-44228". Like most security vulnerabilities, it is recorded in the National Vulerability Database (NVD: Editorial Department * Note 1). The official NVD documentation can be found here.

* 1 NVD is a vulnerability management database operated by the US government.

Q: Which OS does the Log4Shell vulnerability affect?

Since this is a Java vulnerability, it affects Java applications running on any OS. It does not affect the specific OS itself, it only affects the Java programs running in it.

Q: How can my Java program fix the problem?

The Log4j vulnerability requires a Java application running on your system to be fixed. Follow the steps below.

Step 1: Disable Log4J Lookup feature

In log4j 2.10 and later versions, you can disable the Log4J Lookup feature by setting the Java system property "log4j2.formatMsgNoLookups" to "true". Alternatively, you can use the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable. On IBM i, this can be done with ADDENVVAR.

ADDENVVAR ENVVAR (LOG4J_FORMAT_MSG_NO_LOOKUPS) VALUE ('true') REPLACE (* YES) LEVEL (* SYS)

I also wrote a small shell script to apply this temporary (and incomplete) remedy (Editor * Note 2).

* Note 2 Jesse Gorzinski publishes information related to IBM i open source on "The Prez / IBM iOS S-utils" on GitHub. The above shell script is available here.

If the above environment variables are set, this vulnerability does not occur in Log4j version 2.10.0 or later. For your reference, version 2.10 was first released in November 2017. Optimistically, applications built or updated after that will run 2.10, so it should be safe if the Lookup feature is disabled.

Setting LOG4J_FORMAT_MSG_NO_LOOKUPS is less likely to cause confusion and is a good workaround while you explore other remedies.

Step 2: Check Log4j usage in your application

It's great if you're constantly taking inventory of which open source software your application is using. If not, try your best to find an instance of Log4j on your system.

My colleague Scott Forstie recently announced SQL to find all files in IFS that have the string "log4j" in the filename (Editor * Note 3). Alternatively, you can install the findutils package to take advantage of the updatedb and locate packages. This is a great start, but with the following caveats:

* Note 3 Click here for Scott Forstie's post on GitHub.

-For example, the Log4j to SLF4J adapter could be named "slf4j-log4j12-1.7.25.jar". Note that you are most interested in files in the format "log4j-.jar" or "log4j-core-.jar". -Also, when using updatedb or locate, it is not possible to find an instance of Log4j embedded in an archive of another format. For example, if your web application is deployed in a web archive (.WAR) file, it will not detect Log4j. However, you can also modify the query to look for the desired file type in order to find Java programs that require further investigation.

The most comprehensive analysis involves investigating all Java programs and their dependencies. However, you may be thinking, "I don't know what's working!" But you need to know what workloads are running on your system and where they are. WRKJVMJOB is also useful. That's the best starting point Production workloads are the primary attack vector for outside hackers.

Step 3: Log4j upgrade

Upgrading Log4j to version 2.16.0 (or later) is the best choice. Log4j uses semantic versioning, so upgrading from other 2.x versions is a low-risk operation.

Q: What should I do with Java programs that are not developed in-house?

See this blog for impacts on IBM products. We publish the latest information about IBM products and services (here). Contact your software vendor for third-party products that use Java.

Q: Do I need to worry about this security vulnerability?

Log4jの脆弱性、影響、修正方法に関するFAQ ~IBMのジェシー・ゴルジンスキー氏が解説

This type of security vulnerability is a major threat. When an application's vulnerability is exposed, it can be easily attacked by a malicious entity. Evaluate your security, keeping in mind that you may have the following situations:

-The application you are using must be running a vulnerable version of Log4j.-An attacker must be able to send malicious data to your application.· Your application must be able to make new outbound communications to malicious servers

In addition, if you're not using a vulnerable version of the library, it can't be exploited by an attacker. For example, if you don't use the Log4j library to get logs such as HTTP request headers and chat messages, the risk is avoided.

On IBM i, many applications use the Apache HTTP server to record HTTP request data rather than the back-end Java application. The Apache HTTP Server is not written in Java and will not be published here. However, this kind of evaluation is difficult, so you still need to analyze the software stack and keep patches like Log4j updates up to date.

Q: What can we learn from addressing the Log4j vulnerability?

Open source software is essential, but it requires proper due diligence, including risk assessment, utilization planning, and mitigation measures. The Log4j vulnerability imposes some important best practices for managing open source software. In Part 2, we'll talk about some techniques to keep your organization's software safe and secure the future (on the i Magazine site, we'll show you as soon as Part 2 is available).

Source: Log4Shell Part 1: Answering FAQs on the Log4Shell Security Vulnerability https://techchannel.com/Trends/12/2021/log4shell-part-1

Author | Jesse Gorzinksi

IBM Senior Business Architect, Open Source Software on IBM i

Blog: ibm.biz/open-your-i, Twitter: @IBMJesseG

IBM's experienced business architect. A specialist on the IBM i platform and an open source driver. Be obsessed with digital transformation and don't hesitate to introduce new technologies! That is. Legend has it that he wrote a program that works perfectly with a single coding. He is also a master of dog belly massage, Mario Kart, and the best Liege waffles on the Atlantic coast of the United States (from LinkedIn's profile).

◎ Related articles

・ Follow-up-3 | Db2 (federation function), IBM COS, Cognos, QRadar, Guardium, etc.-IBM announces products and services affected by Log4j vulnerability ・ Follow-up-2 | IBM MQ, Power HMC, IBM Sterling File Gateway is also affected by the Log4j vulnerability IBM announces products affected by the Log4j vulnerability-Follow-up-1 | SPSS, Netezza, and Netcool are also affected by the Log4j vulnerability-IBM releases the latest information-Java-based log output library "Log4j" Severe vulnerabilities in ~ WebSphere and Watson Explorer are also affected, cloud services are under investigation and IBM.Each company is also investigating and responding

[I Magazine / IS magazine]

Hot Articles

How to Save Websites as PDF on iPhone or PC | Business Insider Japan

How to Save Websites as PDF on iPhone or PC | Business Insider Japan

Sign up for a free e-mail newsletter We'll send you a Business Insider Japan e-mail newsletter at 17:00 on weekdays. Check the terms of use You can save the website as a PDF from various web browsers including Safari on iPhone. Photo: Takuma Imamura Web page suddenly ...

READ MORE READ MORE
Yahoo! News Digitalizing the traditional "small pattern dyeing" pattern Crisis of disappearance, challenge of long-established president

Yahoo! News Digitalizing the traditional "small pattern dyeing" pattern Crisis of disappearance, challenge of long-established president

In the file in front of Mr. Atsushi Tomita, a well-preserved paper pattern is included so that it is not exposed to the air as much as possible. To prepare for digitization and prevent deterioration = Taken by Hiroyuki Kondo on the morning of December 10, 2021 at Tomita Dyeing Crafts in Shinjuku-ku, Tokyo ...

READ MORE READ MORE
 It's okay if you forget to record the news!How to see the famous scenes of the Olympics later on your smartphone

It's okay if you forget to record the news!How to see the famous scenes of the Olympics later on your smartphone

Explaining how to use the archive distribution The Tokyo Olympics attracts attention not only for players' play but also for unique commentary. Even if you miss it even though it became a hot topic, or if you did not record it, you can do it at your favorite timing later ...

READ MORE READ MORE

Related Articles