Along with the jingling of Christmas bells, this December, software vendors and cybersecurity professionals had their ears tingled by yet another term: Log4j JNDI vulnerability. The vulnerability paves the way for massive potential cyber security attacks on Java-based applications. Researchers across the globe have already released working proof of concept exploit codes that show the devastating repercussions of a potential attack.
Let’s first understand Log4j and JNDI.
Every application has a logging framework that logs activities performed on it. Log4j, an open-source logging library developed by the Apache Software Foundation, is the logging framework that Java-based applications use. Log4j uses a lookup feature called Java Naming and Directory Interface (JNDI) that consists of an API (Application Programming Interface) and SPI (Service Provider Interface). Several naming and directory services plug in via the SPI, namely DNS, LDAP, NIS, and more. The Java application can access these directory services using the JNDI API.
Since Log4j is a commonly-used framework, the vulnerability could affect all applications that implement Java. According to Oracle Corporation, 97% of all business applications use Java. The range at which attackers can wreak havoc is unimaginable. Most Java-based software uses the Log4j library, which makes for a broader attack surface. Apart from enterprise software, Java gets embedded into a wide range of digital products and services, including routers and servers. However, the attack is dependent on several factors like the version of Log4j, the JVM used, etc.
“zip -q -d log4j-core- *.jar org /apache/logging /log4j /core/lookup /JndiLookup.class”
Since every business is directly or indirectly connected to Java in one way or the other, there is a very high chance of attack if recommended security measures are not taken in time. Attackers just need a single entry point to take down the entire system. Hence, businesses and software vendors must take proper mitigation measures to ensure the vulnerability does not cause any impact.
Small and medium businesses that do not have an in-house security team must consult a cybersecurity team to make sure their systems and networks are not compromised.
Vulnerabilities like the Log4j JNDI cannot be foreseen. Planning ahead, staying updated on the latest cybersecurity measures, and having a cybersecurity team ready can help businesses take necessary actions before it is too late.
We will help you find the right talent, teams and experience to get you where you want to go
Feel free to contact our software engineers to learn how to update your applications to prevent a Log4J JNDI Attack