DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Please enter at least three characters to search
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Last call! Secure your stack and shape the future! Help dev teams across the globe navigate their software supply chain security challenges.

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workloads.

Releasing software shouldn't be stressful or risky. Learn how to leverage progressive delivery techniques to ensure safer deployments.

Avoid machine learning mistakes and boost model performance! Discover key ML patterns, anti-patterns, data strategies, and more.

Related

  • How Dangerous Is Log4Shell and How it Affects the Java Industry?
  • Buildpacks: An Open-Source Alternative to Chainguard
  • Improving Java Code Security
  • Empowering Developers Through Collaborative Vulnerability Management: Insights From VulnCon 2024

Trending

  • Power BI Embedded Analytics — Part 2: Power BI Embedded Overview
  • Integrating Security as Code: A Necessity for DevSecOps
  • The Role of Functional Programming in Modern Software Development
  • Enhancing Security With ZTNA in Hybrid and Multi-Cloud Deployments
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. How To Detect and Secure Your Java App From Log4j Vulnerabilities

How To Detect and Secure Your Java App From Log4j Vulnerabilities

A large number of organizations were affected by the recent security breach involving Log4j. Learn here how to ensure your applications are safe and secure.

By 
Suyash Joshi user avatar
Suyash Joshi
·
Jan. 10, 22 · Tutorial
Likes (8)
Comment
Save
Tweet
Share
5.9K Views

Join the DZone community and get the full member experience.

Join For Free

Apache Log4j is the popular open source logging library for Java developers that was recently caught up in a massive security-related breach. Due to its popularity, a large number of organizations were affected by the breach. For the latest news, refer to the official website about specific issues and patches. Here is an additional article that explains the core issues in detail.

List of Security Issues That Were Found in Log4j Version 2.x:

  1. CVE-2017-5645: Apache Log4j socket receiver deserialization vulnerability  (Severity - Moderate)
  2. CVE-2020-9488: Improper validation of certificate with host mismatch in Apache Log4j SMTP appender (Severity - Low)
  3. CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints (Severity - Critical)
  4. CVE-2021-45046: Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations (Severity - Critical)
  5. CVE-2021-45105: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation (Severity - Critical)
  6. CVE-2021-44832: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration (Severity - Moderate)

4 Ways To Secure Your Java Application:

1.  Detect if You Have Log4j 2.x in Your Code Base 

Apache Log4j can be in your project directly or a dependency of a dependency. Thus, it's best to use a build tool such as Maven or Gradle to quickly scan for the same tree as follows:

Maven:

 mvn dependency:tree -Dincludes=org.apache.logging.log4j

Gradle:

 .\gradlew dependencies --configuration=testRuntimeClasspath | find "log4j"

Alternatively, you can also use an open source tool like Log4jScanner, but this does a brute force check. It is important to note that not all of the log4j.jars are vulnerable, especially if you're using the updating version of the library (see #3)

2.  Beef Up Security Tests and Monitoring

Because security is an ongoing process, attackers are always on the prowl for any kind of vulnerability.  Therefore, make sure your application and architecture are not only secure by following secure coding best practices, but also test for attacks on a regular basis. It is also vital to have a monitoring system as simple as alerts when security tests fail.

Tools especially to detect Log4j Bugs:

Huntress Log4Shell Vulnerability Tester Tool:

  • You simply copy and paste the generated JNDI syntax (the code block ${jndi[:]ldap[:]//....presented below) into anything: application input boxes, frontend site form fields, logins such as username inputs, or if you are a bit more technical, even User-Agent or X-Forwarded-For or other customizable HTTP headers.
logger.error("${jndi:ldap://log4shell.huntress.com:1389/<your-unique-identifier-from-log4shell.huntress.com>}");
  • Check the results page to see if it received any connection, and verify the detected IP address and timestamp to correlate with when you tested any service.
  • If you see an entry, a connection was made and the application you tested is vulnerable.

Test if Your Application Was Already Attacked by Running These Commands:

https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b or using run this Python tool.

3.  Update Log4j 2.x Library 

If you are using the Apache Log4j library, make sure to update to the latest version, as the above-listed security vulnerabilities have been patched. This is the best measure at the moment.

Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 or latest (for Java 8 and later).

4.  Setup Web Application Firewall (WAF) 

Web Application Firewall scans every incoming request for indications of bugs, like remote code execution, by comparing the request data against a set of precompiled rules. There are open source WAF for Java, and if you host your application on the Cloud, check WAF that your cloud vendor provides and make sure it's up to date. 

By following the steps above, you can sleep with peace of mind knowing your applications are safe and secure for now.

Log4j security Java (programming language) Vulnerability Application firewall Open source app

Opinions expressed by DZone contributors are their own.

Related

  • How Dangerous Is Log4Shell and How it Affects the Java Industry?
  • Buildpacks: An Open-Source Alternative to Chainguard
  • Improving Java Code Security
  • Empowering Developers Through Collaborative Vulnerability Management: Insights From VulnCon 2024

Partner Resources

×

Comments
Oops! Something Went Wrong

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends:

Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!