Apache Log4j2 is a Java-based logging framework that is widely used in business-system development to record log information.
Recently, a critical vulnerability in Log4j2 was disclosed: it is extremely cheap to exploit and extremely damaging, allowing an attacker to take control of a target device simply by sending it a command. Because Log4j2 is a basic logging component, it sits underneath a large number of fundamental services. According to statistics, the vulnerability affects 60,000+ popular open source software packages and more than 70% of enterprise online business systems! Since the official fix was released, the patch has been bypassed by attackers several times. Almost all major Internet companies have been rushing overnight to deal with the vulnerability and avoid being hacked. Nobody expected that no sooner had the fix been completed than it was bypassed again 😭.
In recent years, major threats and vulnerabilities have appeared frequently:
- In 2014, the Heartbleed vulnerability exposed 2/3 of the world's websites
- In 2017, the EternalBlue vulnerability put millions of hosts at risk of ransomware attacks
- In 2021, Log4j2 vulnerabilities once again affected more than 70% of enterprise systems on the Internet
There is no doubt that these major vulnerabilities have put Internet companies and the users of their applications on high alert.
01 A fatal blow to open source software
After the FireWire security team conducted a comprehensive analysis of Log4j2 and the affected open source components, they were shocked by how harmful the vulnerability is. Java ORM components such as MyBatis and Hibernate are all affected. In Java applications, database operations are basically performed through an ORM, so any application that involves database operations is at risk of attack, which makes the impact very serious.
After analyzing the official Maven repository, we found that hundreds of thousands of basic components like the Java ORM libraries are at risk of attack, affecting millions of component versions. Due to space constraints, this article shows the risky components from several different dimensions.
At present we are still organizing and analyzing the data. According to incomplete statistics, 321094 software packages released by open source projects on GitHub are at risk, affecting many well-known projects of mainstream open source foundations.
In the current data, the Top 10 by GitHub Stars are:
Among the open source projects under the Apache Foundation, the Top 10 affected by the Log4j2 vulnerability are as follows:
Among Java development frameworks, the Top 10 affected by Log4j2 are as follows:
The above data comes from the Apache Log4j2 vulnerability impact query system provided by FireWire Security: https://log4j2.huoxian.cn.
02 Technical implementation
Log4j2 is usually introduced into a project as a Maven/Gradle component dependency in order to print logs. In this investigation we analyzed all of the data in the official Maven repository, performed correlation analysis over relationships such as direct reference and indirect reference, and finally sorted out the full set of component data affected by Log4j2.
We then performed a correlation analysis between the affected components and the open source projects on GitHub, finding the corresponding open source project and project information for each component.
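As an added illustration of the direct/indirect reference analysis described above (this is not FireWire's code or dataset), the following builds a small Maven-style dependency graph and walks it in reverse from the affected log4j-core artifact, labelling each referrer as a direct or indirect dependent. All artifact names and the set of versions treated as vulnerable are constructed assumptions for the sample.

```python
from collections import deque

# Constructed sample of Maven-style dependency data (not FireWire's dataset):
# each artifact lists its declared (direct) dependencies as "groupId:artifactId:version".
DEPENDENCIES = {
    "org.apache.logging.log4j:log4j-core:2.14.1": [],
    "org.apache.logging.log4j:log4j-core:2.17.0": [],
    "com.example:orm-lib:1.0": ["org.apache.logging.log4j:log4j-core:2.14.1"],
    "com.example:web-framework:3.2": ["com.example:orm-lib:1.0"],
    "com.example:billing-service:5.0": ["com.example:web-framework:3.2"],
    "com.example:safe-lib:2.0": ["org.apache.logging.log4j:log4j-core:2.17.0"],
}

# Assumption for the sample: which log4j-core coordinates are treated as vulnerable roots.
VULNERABLE_ROOTS = {"org.apache.logging.log4j:log4j-core:2.14.1"}


def reverse_graph(deps):
    """Invert the dependency map: dependency -> artifacts that declare it."""
    rev = {}
    for artifact, children in deps.items():
        for child in children:
            rev.setdefault(child, []).append(artifact)
    return rev


def affected_components(deps, roots):
    """Breadth-first walk outward from the vulnerable roots along reverse edges.
    Returns {artifact: depth}; depth 1 = direct reference, depth > 1 = indirect."""
    rev = reverse_graph(deps)
    depth = {}
    queue = deque((root, 0) for root in roots)
    while queue:
        node, d = queue.popleft()
        for parent in rev.get(node, []):
            if parent not in depth:  # first visit records the shortest reference chain
                depth[parent] = d + 1
                queue.append((parent, d + 1))
    return depth


def classify(depth_map):
    """Split the result into direct and indirect referrers for reporting."""
    direct = sorted(a for a, d in depth_map.items() if d == 1)
    indirect = sorted(a for a, d in depth_map.items() if d > 1)
    return direct, indirect


if __name__ == "__main__":
    direct, indirect = classify(affected_components(DEPENDENCIES, VULNERABLE_ROOTS))
    print("direct:", direct)
    print("indirect:", indirect)
```

Artifacts that only depend on a non-vulnerable root (here `safe-lib`) never enter the result, which is the distinction a full-repository scan has to preserve.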
03 Technical support
In view of the urgency of fixing the vulnerability, FireWire Security is providing free, full technical support to all enterprises. You can use https://log4j2.huoxian.cn for online investigation, or add the FireWire assistant on WeChat to obtain FireWire Security's free absolute defense solution and full technical support from FireWire security experts.
About FireWire Security
FireWire Security is a community-based cloud security company that mainly operates the IAST product and the FireWire security platform. Through self-developed automated testing tools and a large number of white-hat security experts, it helps companies address security risks across the entire application life cycle. "Dongtai" is the world's first open source IAST product; it focuses on DevSecOps and helps companies discover and resolve security risks before an application goes live. The "FireWire Security Platform" is the world's first community-based security crowd-testing platform, with nearly 10,000 registered white-hat security experts providing trusted crowd-testing services to enterprises. FireWire's security products and concepts have won investment from world-renowned technology leader Dr. Qi Lu, Matrix Partners China, and Wuyuan Capital, and its clients include Bytedance, Meituan, Baidu, China Telecom, Bank of China, Sinopec and many other Internet giants, large manufacturers and state-owned enterprises.
FireWire Security Platform official website: huoxian.cn
Dongtai official website: dongtai.io