A1 Journal article (refereed)
On Apache Log4j2 Exploitation in Aeronautical, Maritime, and Aerospace Communication (2022)

Juvonen, A., Costin, A., Turtiainen, H., & Hämäläinen, T. (2022). On Apache Log4j2 Exploitation in Aeronautical, Maritime, and Aerospace Communication. IEEE Access, 10, 86542-86557. https://doi.org/10.1109/ACCESS.2022.3198947

JYU authors or editors

Publication details

All authors or editors: Juvonen, Artturi; Costin, Andrei; Turtiainen, Hannu; Hämäläinen, Timo

Journal or series: IEEE Access

eISSN: 2169-3536

Publication year: 2022

Publication date: 16/08/2022

Volume: 10

Pages range: 86542-86557

Publisher: Institute of Electrical and Electronics Engineers (IEEE)

Publication country: United States

Publication language: English

DOI: https://doi.org/10.1109/ACCESS.2022.3198947

Publication open access: Openly available

Publication channel open access: Open Access channel

Publication is parallel published (JYX): https://jyx.jyu.fi/handle/123456789/84864

Abstract

Apache Log4j2 is a prevalent logging library for Java-based applications. In December 2021, several critical and high-impact software vulnerabilities, including CVE-2021-44228, were publicly disclosed, enabling remote code execution (RCE) and denial of service (DoS) attacks. To date, these vulnerabilities are considered critical and the consequences of their disclosure far-reaching. The vulnerabilities potentially affect a wide range of internet of things (IoT) devices, embedded devices, critical infrastructure (CI), and cyber-physical systems (CPSs). In this paper, we study the effects and feasibility of exploiting these vulnerabilities in mission-critical aviation and maritime environments using the ACARS, ADS-B, and AIS protocols. We develop a systematic methodology and an experimental setup to study and identify the protocols’ exploitable fields and associated attack payload features. For our experiments, we employ software-defined radios (SDRs), use open-source software, develop novel tools, and develop features to existing software. We evaluate the feasibility of the attacks and demonstrate end-to-end RCE with all three studied protocols. We demonstrate that the aviation and maritime environments are susceptible to the exploitation of the Log4j2 vulnerabilities, and that the attacks are feasible for non-sophisticated attackers. To facilitate further studies related to Log4j2 attacks on aerospace, aviation, and maritime infrastructures, we release relevant artifacts (e.g., software, documentation, and scripts) as open-source, complemented by patches for bugs in open-source software used in this study.

Keywords: cyber security; wireless data transmission; wireless communication; marine traffic; air traffic; air navigation services; communications satellites; vulnerability; cyber attacks; Apache; Java

Free keywords: CVE-2021-44228; log4j; log4shell; vulnerability; exploitation; experimentation; proof-of-concept; aviation; avionics; ACARS; ADS-B; maritime; AIS; aerospace; satellite

Contributing organizations

Ministry reporting: Yes

Reporting Year: 2022

Preliminary JUFO rating: 2