Solution for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation

Description

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting system property "log4j2.formatMsgNoLookups" to "true" or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
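As an added example (not code from the original post), the following scanner hunts for jars under a directory, reports whether each one still ships JndiLookup.class within the affected version range, and applies the class-removal mitigation from the description above. The plain-zip jar layout, the Implementation-Version manifest field and the constructed sample jar in demo() are assumptions; it does not check the log4j2.formatMsgNoLookups property or jars nested inside WAR/EAR archives.

```python
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"

def version_in_affected_range(version):
    """True for 2.0-beta9 .. 2.14.1 (lookups on by default); 2.15.0+ is not."""
    m = re.match(r"2\.(\d+)", version or "")
    return bool(m) and int(m.group(1)) <= 14

def scan_jar(path):
    """Report one jar: its version, whether JndiLookup.class is still inside, and whether it is exposed."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        # Assumption: the version is carried in the manifest's Implementation-Version field.
        text = zf.read(MANIFEST).decode("utf-8", "replace") if MANIFEST in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    version = m.group(1) if m else None
    return {"path": path, "version": version, "has_jndi_lookup": JNDI_CLASS in names,
            "exposed": JNDI_CLASS in names and version_in_affected_range(version)}

def scan_tree(root):
    """scan_jar() for every *.jar below root (jars nested inside WARs/EARs are not opened)."""
    return [scan_jar(os.path.join(d, f)) for d, _, files in os.walk(root)
            for f in sorted(files) if f.endswith(".jar")]

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class: same effect as the zip -q -d command above."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, path)  # swap in the rewritten jar only once it is complete

def demo():
    """Constructed sample: a fake log4j-core-2.14.1.jar, scanned before and after the mitigation."""
    root = tempfile.mkdtemp()
    jar = os.path.join(root, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\nImplementation-Version: 2.14.1\r\n")
        zf.writestr(JNDI_CLASS, b"")  # placeholder bytes, not a real class file
    before = scan_tree(root)[0]
    strip_jndi_lookup(jar)
    after = scan_jar(jar)
    shutil.rmtree(root)
    return before, after
```

Run scan_tree() against a real deployment directory to inventory exposed jars, and strip_jndi_lookup() only on jars you have backed up, since it rewrites them in place.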


Log4j, a widely used Java-based logging package, was found to contain a vulnerability that an attacker can use to execute code on a remote server. Because Java and Log4j are so widely deployed, this is possibly one of the most significant Internet vulnerabilities since Heartbleed and Shellshock.

It may be possible for an attacker to gain complete control of a vulnerable server. The flaw can be used by an unauthenticated remote attacker to target applications that use the Log4j library in its default configuration.

Details:

CVE: CVE-2021-44228

CVSS: 10.0

Affected version: Log4j 2.0-beta9 up to 2.14.1

Is it Exploitable: Yes


An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior has been disabled by default.

Exploitation requires only a single string of text: if that string is logged by a vulnerable instance of Log4j, it can trigger the application to reach out to a malicious external host, effectively granting the adversary the ability to retrieve a payload from a remote server and execute it locally.

Log4j in a nutshell. From attack to prevention.

What is Log4j?

Log4j 2 is an open-source, Java-based logging framework commonly incorporated into Apache web servers and Spring Boot web applications. Log4j is used as a logging package in a wide range of popular software from many vendors, including Amazon, Apple iCloud, Cisco, Cloudflare, Elasticsearch, Red Hat, Steam, Tesla and Twitter, and in video games such as Minecraft.

At present, .NET projects are not affected, which is good news. 🙂
