What Is Log4j And Why Should You Know About It?

Log4j is a Java-based logging utility originally written by the software developer Ceki Gülcü, who is also the founder of other open-source projects, including CAL10N, reload4j, logback, and SLF4J. Many developers use Log4j today – or its successor Log4j 2 – in order to keep track of what happens in their software applications or online services. It’s essentially a huge journal of the activity of a system or application, allowing developers to keep an eye out for issues for users.

There is much more to know about Log4j, which we are going to delve into. You should also be aware of its benefits and downsides.

What is Log4j?

The Apache Software Foundation released Log4j in 2001. It is one of several Java logging frameworks. Log4j records events, including errors and routine system operations, and then communicates diagnostic messages about these to both system administrators and users. It’s open-source software.

A common example of Log4j in action is when you type in or click on a bad web link and you get a 404 error message as a result. The web server that runs the domain of the web link you tried to access alerts you that no such webpage exists. In addition, it records this event in a log for the server’s system administrators who are using Log4j.

Software applications will use similar diagnostic messages. As a case in point, Log4j is used in the online game Minecraft to log activity, such as total memory used and the user commands typed into the console.

Log4j is one of the most widely used logging libraries in the Java ecosystem. Open-source projects that appear to use Log4j by default include:

Elasticsearch
Grails
Hadoop
Kafka
Kibana
Solr
Spark
Struts
Tapestry
Wicket

Then there are projects that don’t seem to use Log4j by default but which may be optionally configured to use it. These include:

ATG
Dropwizard
Hibernate
Java Server Faces
Spring Framework
Tomcat

The Benefits of Log4j

Here are some of the advantages to using Log4j:

In contrast to manual logging, Log4j allows you to decouple your logging code from what you actually want to log and where and how you want to log it
Good logging infrastructure without needing to dedicate a lot of effort
The ability to categorize logs at different levels (i.e. trace, debug, warn, error, fatal)
The ability to direct logs to different outputs (e.g. to a file, console, or a database)
It lets you define the format of output logs
You can write asynchronous logs, which helps to increase the performance of the application
It insulates you from having to make code changes to support logging
Since Log4j is widely used in Java logging, there are lots of tools available

The Disadvantages of Log4j

Since Log4j’s inception, vulnerabilities in the internet infrastructure have appeared, allowing hackers to exploit it. Log4Shell is an internet vulnerability affecting millions of computers, involving Log4j. Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, has called Log4Shell the most serious vulnerability she’s come across in her career. Already, we have seen hundreds of thousands of attempts from hackers to exploit this vulnerability. Organizations and governments are likely to be affected by this.

Log4Shell works by abusing a feature of Log4j that lets users specify custom code for formatting a log message. This feature allows you to, for instance, log not only the username linked with each attempt to log in to the server but also the user’s real name if there is a separate server holding a directory linking usernames and real names. To achieve this, the Log4j server needs to communicate with the server holding the real names.

The problem, however, is that this kind of code can be used for much more than simply formatting log messages. Log4j lets third-party servers submit software code that can perform a variety of actions on the target computer, which unfortunately can include nefarious actions like stealing private information, taking control of the targeted system, and exposing malicious content to other users who are communicating with the affected server.

It’s also not even that difficult to exploit Log4Shell. Santiago Torres-Arrias, assistant professor of electrical and computer engineering at Purdue University, writes, “There is a very low bar for using this exploit, which means a wider range of people with malicious intent can use it.”

Log4Shell is a major concern among cybersecurity experts because Log4j is so widespread. As well as being used in popular games like Minecraft, cloud services like Apple iCloud and Amazon Web Services (AWS) use it, as do various software development tools and security tools. As a result, hackers have many options when it comes to their targets: home users, service providers, source code developers, and even security researchers. Large corporations like Amazon will be able to quickly patch their web services and prevent cybercriminals from exploiting them, however, there will be many organizations that will need more time to patch their systems, then there are others that might not even know that doing so is necessary.

Based on the vulnerabilities of Log4j, you should:

Check your systems for the use of Log4j
Update to the latest version of Log4j to ensure that you have the most up-to-date security patches
Check the list of vulnerable software
Set web application firewall rules
Check for exploitation

Organizations must always make sure that all of their software is up to date. It’s also crucial to have a team of cybersecurity experts that are aware of which software products are using Log4j, what its vulnerabilities are, and how to best protect an organization against them.

Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise customers and their data centers. We specialize in security, cloud, managed services, and infrastructure consulting. Contact Us today to learn more.