A critical vulnerability was publicly announced on the 9th of December that affects Apache Log4j which affects all versions of Log4j up to version 2.14.1. The person attributed to discovering the vulnerability is Chen Zhaojun of the Alibaba Cloud Security team. This vulnerability is a serious threat and poses a real-world risk to vulnerable systems.
Log4j is a widely used logging framework distributed under the Apache Software license, certified by the open-source initiative. Log4j has been ported to many common programming languages.
Log4j is widely used by numerous companies including Amazon, Apple, Cisco, Red Hat and a host of other software companies making the attack surface significant, most companies will be vulnerable to an attack. The vulnerability is also trivial to exploit and attackers are already fingerprinting for vulnerable servers and an increase in active exploits are being observed within the security community. Cloudflare and Cisco have indicated that attacks have been observed as early as 1st December before the public announcement of the vulnerability, as such it is important to look for indicators of compromise(IOC) from the beginning of December and possibly earlier.
This is the most serious vulnerability of 2021 and if there was ever a time to mobilize security and technical teams to remediate this is it. There will be exploits of this vulnerability over the coming months that lead to data loss, malware and other successful hacking activity.
What does CVE-2021-44228 do?
Log4j introduced a mechanism called lookups into the framework in log4j v2.x which allows a user to add values to configuration. The functionality supports various types of lookups Including Java Naming and Directory Interface (JNDI). JNDI supports several protocols including LDAP and this allows for malicious Java Classes to be executed on the LDAP server. Attack payloads have also been seen against the DNS schema.
The vulnerability allows for Remote Code Execution (RCE) through messages that are sent to the Log4J processor. These messages upon execution of the content of the content allow for an attacker to potentially take full control of the target system.
Threat mitigation measures
Security firm Threat Huntress has released a free log4j scanner to assess whether a system is open to compromise(Huntress – Log4Shell Tester).
The Apache Logging Service Project has released an update to protect against this vulnerability – Log4j 2.15.0-rc2 ( Release log4j-2.15.0-rc2 · apache/logging-log4j2 · GitHub). It would be advisable to upgrade to the latest version as soon as possible. It is important to check with software vendors to ensure that their software supports the changes or whether they have specific updates for their software. It must be noted that version 2.15-rc1 was released to remediate the vulnerability but a bypass was soon discovered.
Log4j versions between 2.10 and 2.14.1 that cannot be updated to Log4j version can change the JVM startup parameters to include the below parameters. The Java process will need to be restarted for the change to take effect.
-DLog4j2.formatMsgNoLookups=true
Most security software vendors have released signatures to detect and guard against the exploit, apply these updates as soon as possible. The attack methods against this vulnerability will evolve to try and evade security software detection mechanisms, and this must not be implemented as the only line of defense.
Revisit all outbound server connections to ensure that firewall rules explicitly block outbound connections that are not required.
References:
- CVE – CVE-2021-44228 (mitre.org)
- Log4j – Apache Log4j Security Vulnerabilities
- Remote code injection in Log4j · CVE-2021-44228 · GitHub Advisory Database · GitHub
- NVD – CVE-2021-44228 (nist.gov)
- Release log4j-2.15.0-rc2 · apache/logging-log4j2 · GitHub
- Log4j RCE CVE-2021-44228 Exploitation Detection · GitHub
- Huntress – Log4Shell Tester
