The Apache Software Foundation has released fixes to contain an actively exploited zero-day vulnerability affecting the widely-used Apache Log4j Java-based logging library that could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems.
Tracked as CVE-2021–44228 and by the monikers Log4Shell or LogJam, the issue concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1. The bug has scored a perfect 10 on 10 in the CVSS rating system, indicative of the severity of the issue.
Who is Impacted
Too many services are vulnerable to this exploit as log4j is a wild rang used Java-based logging utility. Cloud services like Steam. Apple iCloud, and applications like Minecraft have already been found to be vulnerable.
Anybody using Apache frameworks services or any Spring-Boot Java-based framework applications uses log4j2 is likely to be vulnerable.
Cybersecurity firms BitDefender, Cisco Talos, Huntress Labs, and Sonatype have all confirmed evidence of mass scanning of affected applications in the wild for vulnerable servers and attacks registered against their honeypot networks following the availability of a proof-of-concept (PoC) exploit. “This is a low skilled attack that is extremely simple to execute,” Sonatype’s Ilkka Turunen said.
How does the Exploit Work
The exploit works when there is a service or application running with vulnerable version of log4j2.
Attacker who can control log messages or log message pa ra meters can execute arbitrary code on the vulnerable server loaded from LDAP servers when message lookup substitution is enabled.
Affected Apache log4j2 Versions 2.0 <= Apache log4j <= 2.14.1
Exploit Requirements
- A server with a vulnerable log4j version.
- An end point with any protocol (HTTP, TCP. etc) that allows an attacker to send the exploit string.
- log statement that logs out the string from that request.
Exploit Steps
- Data from the User gets sent to the server (via any protocol),
- The server logs the data in the request, containing the malicious payload.
- The log4j vulnerability is triggered by this payload and the server ma kes a request to attacker.com via (JNDI ),
- This response contains a path to a remote Java class file which is
injected into the server process, - This injected payload triggers a second stage. and allows an
attacker to execute arbitrary code.
Mitigation
Detection
“Ask admin/system team to run a search/grep command on all servers to spot any file with name “log4j2”, Then check if it is a vulnerable version or not”
Permanent Fix
“Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Apache Log4j page (here), You can download it and updated on you system”
Temporary Fix
“Add “log4j.format.msg.nolookups=true” to the global configuration of your server/web applications”.
If you like our posts then please share this article with your networks on social networks like linkedIn. Follow Cybermetrics and CybersecurityWeekly.
