Planning to party Friday Night. Everything was ready. Waiting for your friend’s call to pick you up. The phone rings, without seeing you pick up the call in excitement, “Hey Bro, Kaha tak pohcha” (Where have you reached so far). “Sorry?”, the person replied, “I am MR XYZ from your company ABCD Tech. We have raised an Incident Ticket of Log4J Issue for a major Log4j Security Vulnerability in Java applications”.
The excitement vaporized in the thin air instantly. After the call, a big sigh. Went back to the table, opened the laptop, discussing solutions with other sad faces.
The story is dramatic, but this was basically most of us Java Developers on the 2nd weekend of December 2021. Log4J is such a common library in Java projects that the affected applications count to millions (and people say Java’s dead 🤷♂️).
After updating the library, we got another bad news. The last update is still vulnerable. So we needed to update it again.
So let us see what actually happened since then and where are we now. What is this issue all about, how it is affecting us developers, and whats the latest fix for this.
Before diving into the details, I just want to say a Big Thank You to Security Experts for discovering this Log4J issue and Apache Foundation for fixing the issue in the library.
The Stampede caused by Log4J Issue: CVE-2021-44228
The CVE-2021-44228, AKA Log4Shell, allows attackers to take control over Java application servers via Log4J. The attacker can exploit this Log4J issue with messages passed to it. Following is a short video I found on how one can exploit this Log4J issue very easily. They can do so with the help of an LDAP server and command passed to it.
The severity of the vulnerability is huge, This simple exploitation can affect the systems from Amazon Web Services to indie developers tiny servers. As I said, Log4J is such a common library that almost more than half of these servers are vulnerable or might have been exploited already.
Due to the huge presence of Java on the Server-side, this has caused every organization to update their system ASAP. The non-public or standalone applications are not too vulnerable compare to their server-side companion, but one must update it as attackers can attack from anywhere.
Nightmares for Legacy System’s Developer
For the latest project which must have been using Maven or Gradle and following best practices along with CI&CD, can fix the patch easily. But this is a nightmare for legacy systems in particular huge monoliths. These systems are so huge that updating them requires so much work. Now whoever is working on this might not be sleeping peacefully. I know I may be exaggerating but one of the projects I worked on previously was only 4-5 years old, but updating something on it was a total nightmare. Now I can’t imagine projects older than 10-12 years.
Do let me know in the comment how was your day/night solving this issue.
Finally Fixed, But Wait there is More Log4J Issue
After the patch for the Log4J issue was fixed on Log4j version 2.15, there was still some part of the original vulnerability left. It was CVE-2021-45046. Apache worked on it and released another patch in version 2.16. Cool, now it seemed to be settled. The second time was not that bad, because you now already know how to update from the last fix.
But boom there is another update needed for CVE-2021-45105. Apache promptly jump to the rescue and released the latest patch (as of now) 2.17. But I hope it’s the last one. As we need some break time in Christmas especially Apache guys.
You can follow me on social media via @coderstea on Twitter, Linkedin, Facebook, or Instagram. We also share high-quality videos about programming on our Youtube channel. You can also publish your post on CodersTea, just share your thought on Contact Us or let us know in the comments.
The TimeLine for Log4j Issue
Following is the timeline for the Log4j Issue. When the Log4J issue or Log4J security vulnerability was detected when was the fix for it was released.
|Date||What Happened||Fixed In Version|
|24 Nov 2021||Security researcher Chen Zhaojun of Alibaba reported the vulnerability to Apache foundation||2.15|
|6 Dec 2021||Apache Released fix for CVE-2021-44228||2.15|
|9 Dec 2021||Discovered Attacks on Minecraft’s servers since 1 Dec||2.15|
|13 Dec 2021||Apache released a fix for CVE-2021-45046||2.16|
|17 Dec 2021||Apache released a fix for CVE-2021-45105||2.17 (latest)|
The information I collected above is from various sources, the major one is https://www.dynatrace.com/news/blog/what-is-log4shell/.
Conclusion for Log4J issue
Yes, it was a rollercoaster ride at the end of the year. You, me, and everyone else let us just hope there is no more vulnerability. Let us enjoy Christmas and New Year with happiness. On that note, as I am writing this on Christmas Eve, Merry Christmas to you all, and wish you Happy New year.
See you in the next post. HAKUNA MATATA!!!