LOG4J VULNERABILITY ASSESSMENT AND MITIGATION
What is Log4j?
Log4j, Zero-day exploit the popular Javalogginglibrarylog4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache webservers and Spring-Boot web applications. The vulnerability has been reported with CVE-2021-44228 against the log4j-corejar.CVE-2021-44228 is considered an acritical flaw, and it has a base CVSS score of 10, the highest possible severity rating.
Who is Impacted !!
Too many services are vulnerable to this exploit as log4j is a wild rang used Java-based logging utility. Cloud services like Steam, Apple iCloud, and applications like Minecraft have already been found to be vulnerable.
Anybody using Apache frameworks services or any Spring- Boot Java-based framework applications that uses log4j2 is likely to be vulnerable.
HOW THE EXPLOIT WORKS !!
The exploit works when there is a service or application running with a vulnerable version of log4j2.
An attacker who can control log messages or log message parameters can execute arbitrary code on the vulnerable server loaded from LDAP servers when message lookup substitution is enabled.
Info you have to know about LOG4SHELL exploit!
- Affected Apache log4j2 Versions
- Exploit Requirements
- Exploit Steps
Affected Apache log4j2 Versions 2.0 <= Apache log4j <= 2.14.1
Exploit Requirements
- A server with a vulnerable log4j version.
- An endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send the exploit string.
- log statement that logs out the string from that request.
Exploit Steps
- Data from the User gets sent to the server (via any protocol),
- The server logs the data in the request, containing the malicious payload.
- The log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via (JNDI),
- This response contains a path to a remote Java class file which is injected into the server process, This injected payload triggers a second stage and allows an attacker to execute arbitrary code.
HOW TO MITIGATE
SPOT VULNERABLE APPLICATIONS
Ask admin/system team to run a search/grep command on all servers to spot any file with the name "log4j2", Then check if it is a vulnerable version or not.
PERMANENT MITIGATION
Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Apache Log4j page below, You can download it and update your system
TEMPORARY MITIGATION
Add "log4j.format.msg.nolookups=true" to the global configuration of your server/web applications