IT Center Blog

Zero Day Exploit Log4Shell

January 7th, 2022 | by
Warning sign „Security Alert“

Source: Pixabay

On December 10, 2021, an extremely critical, since trivially exploitable, vulnerability (Log4Shell) in the standard library Log4J became public. Since it became known, hackers and security experts have been racing against time. “Successful exploitation of the vulnerability could lead to a complete takeover of the affected system,” warned Arne Schönbohm, President of the German Federal Office for Information Security (BSI).

The list of those who use Log4j and are thus potential targets is long and, because of its use in widely distributed commercial software products, includes not only global companies such as Apple, Google, Tesla and Amazon, but also several German federal authorities and universities. Reason enough for the German Federal Office for Information Security to declare a red alert level: It is an “extremely critical IT security situation”, because “this critical vulnerability potentially impacts all Java applications accessible from the Internet that log parts of user requests using Log4j”. The Internet is extensively scanned by cyber criminals in an automated manner for servers and applications that use Log4j and are thus exposed to the risk of hostile takeover. First detected attacks consisted of installing programs on servers whose computing power was used to multiply cryptocurrencies.

Particularly insidious is the possibility of executing later attacks. Thus, the security gap can serve as preparation for the main attack. In this case, cyber criminals nest themselves in servers through gaps that have not yet been secured and, if necessary, strike later by surprise to take control of larger parts of a network or system. Thus, the extent of this vulnerability only becomes visible much later.

But what exactly is Log4J?

In 1996, at a time when Java standard libraries did not yet have a logging function, Log4J – J for Java was created. Today it has become a de facto standard for many developers and administrators due to its configurability. With the success of the project, it also found application in other programming languages and on countless platforms.

This is so-called open source software. This means that the source code is open and thus experts can examine it and use it freely. However, open source projects are often programmed and further developed by user communities in their spare time. As a result, there is sometimes a lack of regular professional security checks. In 2014, for example, a vulnerability occurred in the widely used open source software component OpenSSL for securing Internet connections. The vulnerability, which became known as Heartbleed, allowed cyber criminals to access login data and sensitive information. This vulnerability was first discovered after 27 months.

Log4Shell also at the RWTH Aachen University

The Zero Day Exploit Log4Shell in the Java logging library Log4J has also affected some systems at RWTH Aachen University. This includes basic services in the area of teaching and collaboration, which are elementary especially in times of home office and online teaching. As a first immediate measure after the security leak became known on December 10, 2021, the IT Center’s systems that were correspondingly at risk were checked and appropriate measures were initiated. This included shutting down certain systems, such as Coscine, DigitalArchive, GigaMove, GitLab, and the RWTH streaming server (Opencast).

After the manufacturers provided information on security-relevant Java settings and patches to close the vulnerability, these were immediately applied to the production system. In all cases, this was preceded by a successful check in the test system. However, due to the high degree of topicality and urgency, not all of the configurations and patches proved to be sufficiently effective, so new updates of these were regularly received.

The currently valid updates have been applied to all affected systems and the corresponding services could be reactivated on 20.12.2021 and 21.12.2021 respectively. The basis for the decision on the order in which the systems were put into operation was not only the priority for teaching and university operations, but also the vulnerability of the respective system and the availability of the necessary patches.

A chronology of events 

  • 21.12.2021 Reactivation of the RWTH streaming server (Opencast)
  • 20.12.2021 Reactivation of Coscine, DigitalArchive, GigaMove and GitLab
  • 16.12.2021 Shutdown of the RWTH streaming server (Opencast)
  • 14.12.2021 Partial commissioning of GitLab
  • 13.12.2021 Shutdown of Coscine, DigitalArchive, GigaMove, GitLab
  • 11.12.2021 Granting of full access to RWTHonline
  • 10.12.2021 Security vulnerability Log4Shell becomes known: Start of scan of vulnerable systems at IT Center and restriction of access to RWTHonline

More information about the Zero Day Exploit Log4Shell can be found on the BSI website [German only].


Responsible for the content of this article are Anastasios Krikas and Nicole Kaminski.

Leave a Reply

Your email address will not be published.