Log4j Vulnerability

  • Conference paper
Information Technology and Systems (ICITS 2023)

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 692)

Abstract

The Log4j vulnerability was publicly disclosed on December 10, 2021, and it is considered the most severe security breach of all time. Hundreds of millions of devices were vulnerable to attackers executing malicious code remotely on any target device. For that reason, the name Log4jShell was given to the vulnerability. This article discusses the impact the vulnerability has on the world: how black-hat hackers leverage Log4jShell for personal gain, how federal governments, security researchers, and security companies responded, and how organizations protect themselves. A practical section shows how a Log4j vulnerability can be discovered and exploited, presenting a methodology for looking for Log4jShell across a large scope and then explaining how to exploit it by manual testing in one application.



Acknowledgements

“This work is funded by National Funds through the FCT - Foundation for Science and Technology, I.P., within the scope of the project Ref UIDB/05583/2020. Furthermore, we would like to thank the Research Centre in Digital Services (CISeD), the Polytechnic of Viseu, for their support.”

Author information

Corresponding author

Correspondence to Pedro Martins.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Ferreira, P., Caldeira, F., Martins, P., Abbasi, M. (2023). Log4j Vulnerability. In: Rocha, Á., Ferrás, C., Ibarra, W. (eds) Information Technology and Systems. ICITS 2023. Lecture Notes in Networks and Systems, vol 692. Springer, Cham. https://doi.org/10.1007/978-3-031-33261-6_32
