Urgent Vulnerability Notice: Log4Shell

By Michelle Drolet

Founder & CEO

Ms. Drolet is responsible for all aspects of business for Towerwall. She has more than 24 years of,

Read More

What You Need to Know:

Security teams are in a hurry to patch an unknown active vulnerability that was found in Apache’s Log4j and is now named Log4Shell. Log4j is a Java-based open-source library used by apps and services, and the newly found vulnerability could allow an attacker to compromise millions of devices across the internet. The first proof-of-concept of the vulnerability was published on GitHub yesterday, Dec 9, 2021, and attackers are actively scanning the internet looking for vulnerable servers.

Log4Shell (CVE-2021-44228) allows remote code execution (RCE) on vulnerable servers, which gives the attacker the ability to import malware that would compromise machines. Almost every network security system runs on some kind of logging process, which means a popular library like log4j has a vast reach. Logging is a process in which applications keep a running list of activities they have performed that can later be reviewed in case of an error. Millions of applications use Log4j for logging and if an attacker has the app, he can compromise it by logging a special string of characters. Additionally, it would be relatively easy for an attacker to seize control of targeted servers.

Initially seen on sites hosting Minecraft servers, attackers discovered the vulnerability could be triggered by hosting chat messages. Apple iCloud and a gaming platform called Steam have already been found to be vulnerable. Versions of Log4j affected by the flaw are as follows:

  • 2.0-beta9 up to and including 2.14.1

Apache Log4j released a new version of the software (2.15.0) within one day of the compromise surfacing. Applications using Apache Struts, iCloud, Steam, Twitter, Cloudflare, Amazon, and the Tesla website are all vulnerable. This vulnerability has a critical score of 10.0 and it is advised that you patch immediately. This is a rapidly evolving situation where known affected products and detection methods are still being discovered.

Although home users have turned aware from Java-based software, popular games like Minecraft still use it. The vulnerability was initially reported to Apache by an Alibaba Cloud Security team member in November 2021. CVE-2021-44228 impacts default configurations for the following Apache frameworks:

  • ApacheStruts2
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • Apache Flume
  • Apache Kafka
  • Apache Dubbo and possibly many more

Essentially, all companies that use any of the above products are vulnerable to Log4Shell attacks, including Amazon, Twitter, Steam, Tencent, Baidu, DIDI, JD, NetEase, and thousands more.

 

Towerwall Recommendations:

  • Please patch your devices as soon as possible with the latest version of Log4j. Apache has released version 2.15.0 here.
  • Apache Log4j recommends the following temporary mitigation if upgrading is not possible:
    • In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
    • For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
  • Towerwall recommends that your organization complete inventory and assessment of internally developed code and external vendor tools.

 

Detection Methodology:

  • Monitor network traffic for communication with known IPs/domains exploiting this vulnerability (see IOCs section)
  • Configure NIDS devices with known Log4shell snort/suricata rules
  • Search Java application logs for the following regex string: \$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+

 

Currently Known Affected Software:

  • Druid
  • ElasticSearch
  • Minecraft
  • Struts2
  • Ghidra
  • Solr
  • Apple
  • Steam
  • Tesla
  • Twitter

 

YARA Rules:

Get the rules here

 

 

Indications of Compromise (IoCs):

As this situation continues to develop, new IOCs will be added to the following links:

 

REFERENCES:

 

 

If you have any questions about this vulnerability or your information security needs, please contact me directly at 774-204-0700.