Cybersecurity Researchers disclosed a new highly critical 0-day vulnerability in Apache Log4j that is being exploited in the wild. The vulnerability tracked as CVE-2021-44228 allows attackers to carry out unauthenticated remote code execution attacks on any application that uses the Apache web server and affected versions of the Log4j logging utility. Since the vulnerability is highly critical and it can be easily exploited just by sending a line of text, it is highly important to fix the CVE-2021-44228 Log4Shell vulnerability- A Critical 0-DAY RCE in Log4j Apache Logging Library.
Table of Contents
What Is Log4j Library?
Log4j is a logging framework written in Java and distributed under the Apache Software License. It is predominately used to capture, format, and publish the logging information produced by systems and applications to multiple destinations. It has three different components to perform its activities.
- Loggers: Captures logging information.
- Appenders: Publishes logging information to multiple destinations.
- Layouts: Format logging information in different styles.
Summary Of CVE-2021-44228 Log4Shell Vulnerability:
The 0-day flaw CVE-2021-44228 allows attackers to carry out unauthenticated remote code execution attacks on any application that uses the Apache web server and affected versions of the Log4j logging utility. The vulnerability is considered highly critical since it can be easily exploited just by sending a line of specially crafted code.
Apache Foundation said in an advisory that “Apache Log4j <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
| Associated CVE ID | CVE-2021-44228 |
| Description | Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library |
| Associated ZDI ID | NA |
| CVSS Score | 10.0 Critical |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Impact Score | NA |
| Exploitability Score | NA |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Impact of the CVE-2021-44228 Log4Shell Vulnerability:
Threat actors can abuse this vulnerability to perform a wide range of cyberattacks such as deploying coin miners, supply chain attacks, deploying malware like remote access trojans and ransomware, remote code execution, arbitrary code execution, and denial of services.
Who Are Impacted By The CVE-2021-44228 Log4Shell Vulnerability?
Log4j library is used as a logging platform in multiple popular applications such as Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. Anybody who uses the vulnerable version of Log4j in their application is prone to the attack. Please go through the list of affected applications by the vulnerability.
Products Affected:
| Manufacturer/Component | Verified |
|---|---|
| Apple | TRUE |
| Tencent | TRUE |
| Steam | TRUE |
| TRUE | |
| Baidu | TRUE |
| DIDI | TRUE |
| JD | TRUE |
| NetEase | TRUE |
| CloudFlare | TRUE |
| Amazon | TRUE |
| Tesla | TRUE |
| Apache Solr | TRUE |
| Apache Druid | TRUE |
| Apache Flink | FALSE |
| Apache Struts2 | TRUE |
| flume | FALSE |
| dubbo | FALSE |
| IBM Qradar SIEM | TRUE |
| PaloAlto Panorama | TRUE |
| Redis | FALSE |
| logstash | FALSE |
| ElasticSearch | TRUE |
| kafka | FALSE |
| ghidra | TRUE |
| ghidra server | TRUE |
| Minecraft | TRUE |
| PulseSecure | TRUE |
| UniFi | TRUE |
| VMWare | TRUE |
| Blender | FALSE |
| TRUE | |
| Webex | TRUE |
| TRUE | |
| VMWarevCenter | TRUE |
| Speed camera LOL | TRUE |
Log4j Versions Vulnerable To The CVE-2021-44228 Log4Shell Vulnerability:
The CVE-2021-44228 Log4Shell Vulnerability affects almost all Log4j 2 versions are affected.
2.0-beta9 <= Apache log4j <= 2.14.1
Log4j version 1 is not affected by the flaw. However, it is affected by a different remote code execution vulnerability.
How To Fix CVE-2021-44228 Log4Shell Vulnerability?
However, before you fix CVE-2021-44228 Log4Shell Vulnerability, it is important to detect the vulnerable machines on your network. Let’s see how to detect CVE-2021-44228 Log4Shell Vulnerability in your server.
Mitigation Actions:
Different versions will have different mitigation advisories. Loot at the table below:
| >=2.10 | The vulnerability can be mitigated just by setting system property “log4j2.formatMsgNoLookups” to “true”. This can be achieved in either ways:
1. Pass as a JVM Flag: Pass this as an argument when you invoke Java |
| >=2.7 and <=2.14.1 | All “PatternLayout” patterns can be modified to specify the message converter as “%m{nolookups}” instead of just “%m”. |
| <=2.10.0 | the mitigation is to remove the “JndiLookup” class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. OR Patch the JNDI: https://news.ycombinator.com/item?id=29507263 OR Use Log4jHotPatch tool to update the JNDI patch automatically. |
| <1.x | It is not confirmed that v1 is also vulnerable. However, it is vulnerable to another RCE CVE-2019-1757 vulnerability. We recommend upgrading to v2.15.0. |
Note: It has been stated that setting com.sun.jndi.rmi.object.trustURLCodebase to false would mitigate the CVE and this is false by default in Java 8u121 however this information has been removed so it is no longer believed this is a sufficient mitigation.
Network IOCs:
Block the below IOCs on Firewalls, Proxies, and other Security Monitoring solutions and keep track of them if any connection is established/observed with them in the Infrastructure.
IP addresses and domains that have been observed in Log4j exploit attempts
134[.]209[.]26[.]39
199[.]217[.]117[.]92
pwn[.]af
188[.]120[.]246[.]215
kryptoslogic-cve-2021-44228[.]com
nijat[.]space
45[.]33[.]47[.]240
31[.]6[.]19[.]41
205[.]185[.]115[.]217
log4j[.]kingudo[.]de
101[.]43[.]40[.]206
psc4fuel[.]com
185[.]162[.]251[.]208
137[.]184[.]61[.]190
162[.]33[.]177[.]73
34[.]125[.]76[.]237
162[.]255[.]202[.]246
5[.]22[.]208[.]77
45[.]155[.]205[.]233
165[.]22[.]213[.]147
172[.]111[.]48[.]30
133[.]130[.]120[.]176
213[.]156[.]18[.]247
m3[.]wtf
poc[.]brzozowski[.]io
206[.]188[.]196[.]219
185[.]250[.]148[.]157
132[.]226[.]170[.]154
flofire[.]de
45[.]130[.]229[.]168
c19s[.]net
194[.]195[.]118[.]221
awsdns-2[.]org
2[.]56[.]57[.]208
158[.]69[.]204[.]95
45[.]130[.]229[.]168
163[.]172[.]157[.]143
45[.]137[.]21[.]9
bingsearchlib[.]com
45[.]83[.]193[.]150
165[.]227[.]93[.]231
yourdns[.]zone[.]here
eg0[.]ru
dataastatistics[.]com
log4j-test[.]xyz
79[.]172[.]214[.]11
152[.]89[.]239[.]12
67[.]205[.]191[.]102
ds[.]Rce[.]ee
38[.]143[.]9[.]76
31[.]191[.]84[.]199
143[.]198[.]237[.]19
(Ab)use of listener-as-a-service domains.
These domains can be false positive heavy, especially if these services are used legitimately within your network.
interactsh[.]com
interact[.]sh
burpcollaborator[.]net
requestbin[.]net
dnslog[.]cn
canarytokens[.]com
This IP is both a listener and a scanner at the same time. Threat hunting for this IOC thus requires additional steps.
45[.]155[.]205[.]233
194[.]151[.]29[.]154
158[.]69[.]204[.]95
47[.]254[.]127[.]78
Permanent Fix:
This CVE-2021-44228 Log4Shell Vulnerability is fixed in Log4j 2.15.0. The newly fixed log4j-core.jar is available for download from Apache Foundation. And, it is also made available on Maven Central.
This is how you need to fix the CVE-2021-44228 Log4Shell Vulnerability on your affected servers.
We hope this post will help you Fix CVE-2021-44228 Log4Shell- A Critical 0-DAY RCE in Log4j Logging Library. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/270100.html