How is uKnowva secured from the Log4j RCE vulnerability CVE-2021-44228

Apache Log4j is a Java based logging utility. Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups which resulted in allowing Remote code execution and a backdoor entry to hackers.

Are uKnowva Servers affected by this?

uKnowva runs on LAMP stack and this vulnerability has affected Apache servers running Java. Since we are running Apache for PHP and are not using any Java utilities, we had very low or almost zero exposure to this vulnerability.

For instances that are running On our cloud, we have a confirmation from AWS too where our complete cloud infrastructure is setup that the Java packages that comes by default installed in their EC2 instances are not affected by Log4j. You may refer this for more details: https://aws.amazon.com/security/security-bulletins/AWS-2021-005/

For instances that are running on premises, we recommend getting this checked by your infrastructure team also once

To Know more about Log4j and how to detect and protect yourself from it, please read the below documentation

What Is Log4j?


A reliable method for debugging software during its development lifecycle entails inserting log statements into code. Log4j is one such logging library for Java, which is both reliable and flexible.
Developed and maintained by the open-source Apache Software Foundation, Log4j can run across all major platforms including Windows, Linux, and Apple's macOS.


How Is Log4j Used?


Logging is crucial in software development as it indicates the state of the system at runtime.
Needless to say, developers use Log4j during different phases of development. It is also used in online games, enterprise software, and cloud data centers.

There are three basic components known as loggers, appenders, and layouts that make up Log4j; all work in conjunction to serve the purpose of logging in a systematic manner.


What Is the Log4j Vulnerability?


The Log4j vulnerability can leave the systems that incorporate Log4j open to outside intrusions, making it easy for threat actors to weave their way inside and get privileged access.

This vulnerability always existed and was overlooked when discovered back in 2020. However, Apache has now officially disclosed this vulnerability inside the Log4j library after a LunaSec researcher identified it in Microsoft's Minecraft.

And since then, more attackers have naturally started to exploit it, turning this previously ignored (or so it seems) vulnerability into something more serious in a short amount of time.


Which Systems and Devices Are at Risk?


All major Java-based enterprise software and server uses the Log4j library. Due to its widespread use across software applications and online services, many services are vulnerable to this exploit.

It can pose risks to any device running Apache Log4j versions 2.0 to 2.14.1 and accessing the internet.

Patching and Updates:

Identify internet-facing devices running Log4j and upgrade them to version 2.15.0.


Which Systems and Devices Are Not at Risk?


The system in which log4j is not installed or not used any Java based appliction are not affected with log4j.
All the centos6 & centos7 versions doesn't come with java package or JRE package bydefault.

Amazon EC2
The versions of Log4j available in the Amazon Linux 1 and Amazon Linux 2 repositories are not affected by CVE-2021-44228.

Official apache org mentioned that how we mitigate this vulnerability.

Log4j 1.x mitigation
Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation
Java 8 (or later) users should upgrade to release 2.17.0.

Refer: https://logging.apache.org/log4j/2.x/security.html


How to Protect Yourself From the Log4j Vulnerability.


Patching and Updates
Identify internet-facing devices running Log4j (mainly 2.x versions) and upgrade them to version 2.15.0.
Java 8 (or later) users should upgrade to release 2.17.0.
Java 7 users should upgrade to release 2.12.2.

 

Was this Article helpful?