

Severity
High
Analysis Summary
CVE-2021-44228
Apache Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. Apache's security guide states that in Log4j2 <=2.14.1 the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can have arbitrary code loaded from LDAP servers and executed when message lookup substitution is enabled. From Log4j 2.15.0 this behavior is disabled by default.
The vulnerability allows for Remote Code Execution and access to servers.
“This is a worst-case scenario. The combination of Log4j’s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet. The immediate action is to stop what you’re doing as a software shop and enumerate where log4j exists and might exist in your environment and products. It’s the kind of software that can quite easily be there without making its presence obvious, so we expect the tail of exploitability on this vulnerability to be quite long.” – Bugcrowd Founder and CTO Casey Ellis
The Log4j vulnerability's attack surface is growing by the minute. The logging package's flaw lets it evaluate, and thereby execute, specially formatted strings contained in the data it logs. Notably, the vulnerability was first discovered through Minecraft servers. It poses a threat to the entire internet because logging user-supplied data is one of the most basic steps in modern digital infrastructure, so an exploit can compromise systems in the blink of an eye.

Impact
- Remote Code Execution
Remediation
- Enumerate any external-facing devices that have log4j installed.
- Install WAFs (web application firewall) and specify rules that automatically update on alerts regarding the devices mentioned above.
- Upgrade your log4j versions to log4j-2.15.0-rc1.
- Run scans to verify that your environment is patched for the vulnerability, and make sure that it was you who patched it, not someone else.
- Block suspicious outbound traffic, such as LDAP and RMI, from the server at the firewall.
- Disable JNDI lookup.
- Remove the JndiLookup class file from log4j-core and restart the service.
- Set spring.jndi.ignore=true
- Users are advised to update to Log4j version v2.15.0, which can be found here: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
- Cisco affected products list: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- Red Hat affected products list: https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
- VMware affected products list: https://www.vmware.com/security/advisories/VMSA-2021-0028.html