
Rewterz Threat Advisory – Log4J Vulnerability Exploited in the wild

Severity

High

Analysis Summary

Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. Apache's security guidance states that in Apache Log4j2 <=2.14.1, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can have arbitrary code loaded from an LDAP server and executed when message lookup substitution is enabled. From Log4j 2.15.0, this behavior is disabled by default.

CVE-2021-44228

Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Java logging library. By sending a specially crafted string value, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

  • Remote code execution

Affected Vendors

Apache

Affected Products

  • Apache Log4j versions 2.0 through 2.14.1
  • Apache Struts
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • Elasticsearch
  • Flume
  • Apache Dubbo
  • Logstash
  • Kafka
  • Spring-Boot-starter-log4j2

Indicators of Compromise

MD5

  • 6d275af23910c5a31b2d9684bbb9c6f3

SHA-256

  • 8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81

SHA-1

  • 777c54e96d29a0ed6ddf9698c86afb74322c130f

Remediation

  • Block suspicious outbound traffic, such as LDAP and RMI, from the server at the firewall.
  • Disable JNDI lookup.
  • Remove the JndiLookup class file from the log4j-core jar and restart the service.
  • Set spring.jndi.ignore=true.
  • Users are advised to update to Log4j version 2.15.0, which can be found here:
    https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
  • Cisco affected products list:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
  • Red Hat affected products list:
    https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
  • VMware affected products list:
    https://www.vmware.com/security/advisories/VMSA-2021-0028.html
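The following Python script is an added example, not part of this advisory or of Apache's code: it carries out the remediation step of finding log4j-core jars that still ship the JndiLookup class and stripping that class from the archive, and it goes one step further than the text by reading the jar's own version metadata and comparing it against the 2.15.0 fix line. The jar entry paths are the standard log4j-core layout; the sample jar produced by build_sample_jar() is a constructed stand-in, not a real build.

```python
# Added example (not Rewterz's or Apache's code); jar entry paths are the
# real log4j-core layout, the sample jar from build_sample_jar() is constructed.
import io, os, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first release with message lookups off by default

def version_tuple(v):
    """'2.14.1' -> (2, 14, 1); an '-rc2' or '-beta9' suffix is dropped."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("-")[0].split("."))

def scan_jar(path):
    """Return (log4j-core version or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(path) as zf:
        names, version = zf.namelist(), None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names

def is_vulnerable(path):
    """Jar still ships JndiLookup and is < 2.15.0 (no version metadata = unsafe)."""
    version, has_lookup = scan_jar(path)
    return has_lookup and (version is None or version_tuple(version) < FIXED)

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class; zip entries cannot be deleted
    in place, so every other entry is copied into a replacement archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    with open(path, "wb") as f:
        f.write(buf.getvalue())
    return not scan_jar(path)[1]  # True once the class is gone

def build_sample_jar(version="2.14.1"):
    """Constructed stand-in for a vulnerable log4j-core jar, not a real build."""
    path = os.path.join(tempfile.mkdtemp(), f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path
```

Run is_vulnerable() over every jar under an application's lib directory to triage, then strip_jndi_lookup() on the flagged ones and restart the service as the advisory directs; upgrading to 2.15.0 or later remains the complete fix.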