Apache Log4j is a java based fast, reliable and flexible logging framework. There are a wide range of frameworks, applications, and tools that leverage Log4j such as Apache Struts2, Apache Solr, Apache Flink, Apache Druid, iCloud, Steam, and Minecraft. The worst-case being not everyone knows whether Log4j is being used in their environment. How many of you really knew elasticsearch uses Log4j? Any organization using Java applications or hardware running Log4j < 2.15 is likely vulnerable.
CVE-2021–44228 (Log4Shell) is an unauthenticated Remote Code Execution(RCE) vulnerability & 0-day exploit which allows an attacker to take over a system that uses Apache Log4j 2.0 to 2.14.1. If successfully exploited, attackers can perform RCE and compromise the affected server leading to a full takeover of the system.
To trigger this vulnerability, all the attacker needs to do is get the app to log a special string. The vulnerability gets triggered if the logged string contains any untrusted strings in any part of the logged data. Guess what can be used to log this string to the system? HTTP headers, Usernames, Email addresses and URLs. Put simply, if you fill a form with the name ${jndi:ldap://127.0.0.1:1389/a} and you’re the owner of it. Try applying for a job in a firm having Log4j with the aforementioned name and the least you could get is a full-time job XD. Have you heard of secret santa? Apparently, this is the perfect gift to bad guys from Santa.
Why does this happen?
Researchers concluded that this is a Java deserialization failure because Log4j makes network requests through the JNDI to an LDAP server and executes any code that is returned. The error is triggered within log messages with the use of the $ {} syntax. And apparently it doesn’t affect the system if JNDI cannot load remote code using LDAP. For insights about how the attack works visit this.
Mitigation
If you’re using Java version less than 1.8 & log4j >= 2.10
- Setting the system property formatMsgNoLookups: true
- Set the JVM parameter -Dlog4j2.formatMsgNoLookups=true
- Elasticsearch using log4j-2.10.x can add -Dlog4j2.formatMsgNoLookups=true to ES_JAVA_OPTS or /etc/elasticsearch/jvm.options
- Removing JndiLookup class from the classpath
Apache has released Log4j 2.15.0 to address the maximum severity CVE-2021–44228 RCE vulnerability and is recommended to upgrade the vulnerable instances.
Detection
Regex/(\$|\%24)\s*(\{|%7b)\s*jndi\s*(\:|\%3a)/i
ELK index=bro AND http_uri:(\/\$\{jndi\:*)
Network detection using ET Rulesettail 10 < https://rules.emergingthreatspro.com/open/suricata-5.0/rules/emerging-exploit.rules
Splunkindex=* ${jndi:*}
For YARA, visit log4j_rce_detection
IOCs
Try Hunting for these in your environment.
- 194.48.199.78
- 181.214.39.2
- 62.76.41.46
- 45.137.21.9
- CVE-2021–44228_IPs.csv
- Callback Domains
References:
https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228
