A new remote code execution (RCE) bug could be making businesses in Asia-Pacific vulnerable to Log4Shell log injection attacks, according to Barracuda.
Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications used by many companies and organisations.
The vulnerability enables a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j 2. Affecting the most widely used logging framework on the internet, this vulnerability has been given the highest severity rating possible on the National Vulnerability Database, and also by the Apache Software Foundation, due to the ease with which malicious attackers can exploit it.
Logging is a critical component of most applications and systems because it allows developers and system administrators to verify that software is working properly and identify more specific details when it is not.
Log injection is possible when user-controlled input is logged without sanitation, and while this can have several consequences, from data leaks to log forgery or denial of service attacks, remote code execution (RCE) is one of the most severe outcomes, allowing an attacker to execute code within an application to gain access and privileges available to the application itself. This can result in data breaches, while also allowing attackers a convenient way to penetrate a network and even compromise systems and resources outside of what the application is able to access.
“These kinds of attacks are often overlooked, which makes them particularly dangerous, posing a threat to both data and network security, Mark Lukie, Systems Engineer Manager, Asia-Pacific, Barracuda.
“Any application using logging – even if not using log4j 2 or even Java – should be checked for possible log injection attacks and proper data sanitisation practices. The best way to protect against log4shell specifically is to upgrade to the latest version of log4j. However, for long-term against RCE threats, businesses need to find the right Web Application Firewall (WAF) and WAF-as-a-Service solutions to protect against log injection attempts, including those related to ‘Log4Shell’.”