Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.

PSA: Log4Shell: Exploiting the Log4J Vulnerability

posted on December 11, 2021 | tags: [ security, psa ]
Hacker News banner image
Just when you thought it was safe to relax for the weekend - Paul Ducklin, Naked Security Author

Log4Shell: A Log4J Vulnerability

A major component used in Java, Apache servers, Log4J is vulnerable to parameter substitution - like SQL injection but via a 3rd party lib. The vulnerability has been labeled 'Log4Shell'.

The Hacker News has a post with a lot of good information here.

Resources

CVE 2021-44228

CVE Report

Detailed analysis by Sophos

Log4Shell explained – how it works, why you need to know, and how to fix it

“Log4Shell” Java vulnerability – how to safeguard your servers

CISA Official Report

I'm not sure how helpful this is for risk mitigation, but it is at least on the federal radar:

Original release date: December 11, 2021

STATEMENT FROM CISA DIRECTOR EASTERLY ON "LOG4J" VULNERABILITY

  1. Enumerate any external facing devices that have log4j installed.

  2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.

  3. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.

Apache Log4J

Apache Log4J Security

Descripton: Apache Log4j <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property java log4j2.formatMsgNoLookups or the environment variable bash LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all java PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the java JndiLookup class from the classpath: bash zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

Quote credit

Quote from Paul Ducklin, Naked Security

Image credit

Image from The Hacker News