Log4j Issue And The Nightmare Of Java Developers | CodersTea
Home Java Log4j Issue And The Nightmare of Java Developers

Log4j Issue And The Nightmare of Java Developers

by Imran Shaikh
2306 views
Log4j Issue And The Nightmare of Java Developers

Planning to party Friday Night. Everything was ready. Waiting for your friend’s call to pick you up. The phone rings, without seeing you pick up the call in excitement, “Hey Bro, Kaha tak pohcha” (Where have you reached so far). “Sorry?”, the person replied, “I am MR XYZ from your company ABCD Tech. We have raised an Incident Ticket of Log4J Issue for a major Log4j Security Vulnerability in Java applications”.

The excitement vaporized in the thin air instantly. After the call, a big sigh. Went back to the table, opened the laptop, discussing solutions with other sad faces.

The story is dramatic, but this was basically most of us Java Developers on the 2nd weekend of December 2021. Log4J is such a common library in Java projects that the affected applications count to millions (and people say Java’s dead 🤷‍♂️).

After updating the library, we got another bad news. The last update is still vulnerable. So we needed to update it again.

So let us see what actually happened since then and where are we now. What is this issue all about, how it is affecting us developers, and whats the latest fix for this.

Before diving into the details, I just want to say a Big Thank You to Security Experts for discovering this Log4J issue and Apache Foundation for fixing the issue in the library.

The Stampede caused by Log4J Issue: CVE-2021-44228

The CVE-2021-44228, AKA Log4Shell, allows attackers to take control over Java application servers via Log4J. The attacker can exploit this Log4J issue with messages passed to it. Following is a short video I found on how one can exploit this Log4J issue very easily. They can do so with the help of an LDAP server and command passed to it.

Log4j issue (CVE-2021-44228) RCE Vulnerability Explained

The severity of the vulnerability is huge, This simple exploitation can affect the systems from Amazon Web Services to indie developers tiny servers. As I said, Log4J is such a common library that almost more than half of these servers are vulnerable or might have been exploited already.

Due to the huge presence of Java on the Server-side, this has caused every organization to update their system ASAP. The non-public or standalone applications are not too vulnerable compare to their server-side companion, but one must update it as attackers can attack from anywhere.

Nightmares for Legacy System’s Developer

For the latest project which must have been using Maven or Gradle and following best practices along with CI&CD, can fix the patch easily. But this is a nightmare for legacy systems in particular huge monoliths. These systems are so huge that updating them requires so much work. Now whoever is working on this might not be sleeping peacefully. I know I may be exaggerating but one of the projects I worked on previously was only 4-5 years old, but updating something on it was a total nightmare. Now I can’t imagine projects older than 10-12 years.

Do let me know in the comment how was your day/night solving this issue.

Finally Fixed, But Wait there is More Log4J Issue

After the patch for the Log4J issue was fixed on Log4j version 2.15, there was still some part of the original vulnerability left. It was CVE-2021-45046. Apache worked on it and released another patch in version 2.16. Cool, now it seemed to be settled. The second time was not that bad, because you now already know how to update from the last fix.

But boom there is another update needed for CVE-2021-45105. Apache promptly jump to the rescue and released the latest patch (as of now) 2.17. But I hope it’s the last one. As we need some break time in Christmas especially Apache guys.


You can follow me on social media via @coderstea on TwitterLinkedinFacebook, or Instagram. We also share high-quality videos about programming on our Youtube channel. You can also publish your post on CodersTea, just share your thought on Contact Us or let us know in the comments.


The TimeLine for Log4j Issue

Following is the timeline for the Log4j Issue. When the Log4J issue or Log4J security vulnerability was detected when was the fix for it was released.

DateWhat HappenedFixed In Version
24 Nov 2021Security researcher Chen Zhaojun of Alibaba reported the vulnerability to Apache foundation2.15
6 Dec 2021Apache Released fix for CVE-2021-442282.15
9 Dec 2021Discovered Attacks on Minecraft’s servers since 1 Dec2.15
13 Dec 2021Apache released a fix for CVE-2021-450462.16
17 Dec 2021 Apache released a fix for CVE-2021-451052.17 (latest)
Log4j Issue Timeline

The information I collected above is from various sources, the major one is https://www.dynatrace.com/news/blog/what-is-log4shell/.

Conclusion for Log4J issue

Yes, it was a rollercoaster ride at the end of the year. You, me, and everyone else let us just hope there is no more vulnerability. Let us enjoy Christmas and New Year with happiness. On that note, as I am writing this on Christmas Eve, Merry Christmas to you all, and wish you Happy New year.

See you in the next post. HAKUNA MATATA!!!

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More