
How the Log4j vulnerability has impacted Magento, and what should you do to prevent a hack?
A critical vulnerability in the Log4j Java library has been exploited in the wild since the 1st of December 2021. It is easy to exploit, it gives a remote attacker complete control of the affected server, and almost every company that uses Java is affected. Attackers launched mass scanning within the first 48 hours, while most organizations were still struggling to identify the affected components in their IT landscape.
The good news for all our clients here at Corefinity is you are safe!
But if you're not hosting with us yet, don't worry. Consider this news bulletin your knight in shining armor.
What is Log4j?
Starting with the basics, Log4j is a Java logging framework used to record the numerous activities taking place within an application; Magento developers encounter it through the Java-based services a store depends on.
What is the Log4j vulnerability?
The major flaw in Log4j is that a specially crafted string, once it gets logged by Log4j version 2.0 or higher, can make the library load and run arbitrary Java code fetched from a remote server, handing the attacker control of the host.
What does it mean for my Magento hosting?
The good news is that Magento is not written in Java, so it is not directly vulnerable. However, your store may use Java-based components that are susceptible to the attack.
What should you do to protect yourself from the Log4j vulnerability?
First, upgrade your Magento to the latest version. Next, you should upgrade any Java-based components as soon as possible. Which are these, you ask? Here's a comprehensive list:
ElasticSearch – Versions 6.8.9 and 7.8+, running on Java JDK9+, are NOT at risk. Older ES or JDK versions like ES5 will allow remote code execution or the leaking of server variables. ElasticSearch has also launched 6.8.21 and 7.16.1 as new releases, which disable the vulnerable behavior. Consider upgrading to these if you can.
Logstash – This is vulnerable in combination with JDK8 or below.
Solr – Upgrade Solr to 8.11.1.
Sumo Logic – This also has a Java agent and hence may be vulnerable.
Other ways to solve the issue
Find and upgrade all the Log4j-vulnerable components to version 2.17 as quickly as possible.
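Locating those components means checking the log4j-core jars actually shipped in your Java services, not just the package names. The following scanner is an added example (not Corefinity's or the Log4j project's code): it reads each jar's Maven pom.properties (the standard location for a Maven-built artifact, assumed here), checks whether JndiLookup.class is still present, and flags anything below the 2.17 release recommended above. The sample jar it builds is a constructed fixture.

```python
import re
import zipfile
from io import BytesIO
from pathlib import Path

# Where a Maven-built log4j-core jar records its version (assumed layout),
# and the class that implements the JNDI lookup the flaw abuses.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 17, 0)  # the release this post tells you to upgrade to

def parse_version(text):
    """Turn '2.14.1' (or '2.12') into a comparable tuple; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(n or 0) for n in m.groups()) if m else None

def inspect_jar(jar):
    """Version, JndiLookup.class presence and verdict; None if not log4j-core."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES not in names:
            return None
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    found = re.search(r"^version=(.+)$", props, re.MULTILINE)
    version = found.group(1).strip() if found else None
    parsed = parse_version(version) if version else None
    has_jndi = JNDI_LOOKUP_CLASS in names
    # Below 2.17 with the lookup class still inside: needs an upgrade.
    # A jar with JndiLookup.class removed is counted as mitigated.
    vulnerable = has_jndi and (parsed is None or parsed < FIXED_VERSION)
    return {"version": version, "jndi_lookup": has_jndi, "vulnerable": vulnerable}

def scan_tree(root):
    """Walk a directory tree and collect a verdict for every log4j-core jar."""
    findings = {}
    for path in Path(root).rglob("*.jar"):
        result = inspect_jar(path)
        if result is not None:
            findings[str(path)] = result
    return findings

def build_sample_jar(version, include_jndi=True):
    """Constructed fixture: an in-memory jar with just the log4j-core metadata."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    buf.seek(0)
    return buf
```

Run scan_tree() against the install directories of ElasticSearch, Logstash, Solr and any agents to get a per-jar verdict; shaded "fat" jars that bundle log4j-core under another path are not covered by this check.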
If this is not an option for you, consider the following quick fixes. Remember, however, these are just band-aids for the wound and should not be confused with the actual treatment.
Configure the JVM to disable the vulnerable behavior
Set the JVM system property log4j2.formatMsgNoLookups=true (pass -Dlog4j2.formatMsgNoLookups=true on the Java command line). This will protect you against some attacks only, and it can negatively impact your site's performance and stability, so treat it as a fallback rather than a fix.
Protection with Nginx
If you use the Nginx web server, you can filter out the attack requests before they reach your application. However, you must have the Lua scripting engine installed in Nginx for this to work.
Am I under attack already?
If you run any of the vulnerable components mentioned above, your system is potentially compromised, and attackers have probably already planted malware on it. The most common method of attack is to install zombie (botnet) agents on vulnerable systems; these agents are then used later to install crypto miners, skimmers, or ransomware.
What do I do if I believe I'm under attack?
If you've done everything listed above and are still unsure if you're protected, contact us and we'll help you figure it out.