Remedy for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation

Remedy

The immediate remediation is :

Step 1: any lookup using JNDI find it and just block at the WAF level

Step 2: set log4jformatmsgnolook environment variable or log4j_format_msg_no_lookup variables.

Step 3: 

How to find out your application has any log4j libraries.

Go to target folder for your java application

grep “log4j” *

if you see some jar files then run the following command

jar tvf <name of the jar file> | grep log4j

jar tvf <name of the jar file> | grep log

if you see any log4j core then you are affected. If you see logback core then you are not affected.

What is Log4Shell?

Version 2.15 and earlier of the log4j library is vulnerable to the remote code execution (RCE) vulnerability described in CVE-2021-44228. (Version 2.16 of log4j patches the vulnerability.) Log4Shell is the name given to the exploit of this vulnerability. But what is the vulnerability and why is it so critical? As described in the CVE, the Apache log4j Java library does not properly validate input.

The Java Naming and Directory Interface (JNDI) feature of the log4j library and the Java runtime can be used to perform remote lookups to retrieve data from external sources – such as a username from LDAP or an IP address from DNS – for inclusion in a log entry. Unfortunately, remote attackers can hijack JNDI to execute Java code they have written. The following diagram illustrates the attack.

Mitigations for CVE-2021-44228

  • Install the most recent version of the library, 2.16.0. if possible. You can download it on the project page. If using the library in a third-party product, you need to monitor and install timely updates from the software provider.
  • Follow the Apache Log4j project guidelines.
  • Use a security solution with exploit prevention, vulnerability and patch management components asap.
  •  

Log4j overview related software

https://github.com/NCSC-NL/log4shell/blob/main/software/README.md

What is Log4j?

Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and spring-Boot web applications.Log4j is used as a logging package in a variety of different popular software by several manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. 

Summary

The most effective solution to Log4Shell is to patch the application code with log4j version 2.16 or later, which disables JDNI. If that is not immediately possible, a WAF can effectively mitigate against the threat until you have time to apply the patch. If you don’t already have a WAF, you can use our njs script to implement specific protection against the threat. Use the resources below to learn more and select the most appropriate protection for your applications.

Leave a Comment