Introduction:

On December 10, 2021 details of the Apache Open-Source Project Log4j Remote Code Execution Vulnerability CVE-2021-44228 were made public. It was called Log4Shell (CVE-2021-44228) and it allows an attacker to execute arbitrary code on a target server. It is considered very serious for the following reasons – it is simple to exploit, upon exploitation an attacker could get full access to a server, and the ability of the vulnerability to easily affect millions of devices, due to the widespread use of Log4j. Adobe, IBM, Broadcom, VMware are some of the vendors who were impacted by this vulnerability.

Log4j2 is an upgraded version of Log4j, the open-source logging component of Apache. Rich feature set was introduced by rewriting Log4j. This log component is used to record log information in program input and output, and it is widely used in business system development. There is a Lookup function in Log4j2, which allows developers to read the configuration in the corresponding environment through some protocols. This vulnerability is triggered when the program logs user-entered data in a log. An attacker can use the content of the keyword as a variable to replace the attack command if the log content contains the keyword “${“

Severity Score

In the Vulnerability Score Database “NATIONAL VULNERABILITY DATABASE”, this vulnerability has a score of 10.0. 10.0 is the highest score, meaning that this vulnerability has the highest level of severity.

Detecting Log4j attacks

Log4j attacks can be detected at various stages of the attack.

1. IPS signatures can be updated to detect JNDI payload.

2. SIEM devices can be used for performing log inspection.

3. Antimalware solutions can be used to prevent from downloading and installing of ransomwares

How to identify if your organization needs to take action

1. If your organization has Log4j as part of a running application or service that is exposed to a network, which can be used as a vector to launch the attack. This network can be either an internal network or an external network, like the internet.

2. If your organization does not have the application Log4j running, but it is being used for processing or back-ups, your systems are vulnerable and could be attacked.