Apache Log4j RCE Vulnerability

Threat Overview

On Friday, December 10, 2021, a previously unknown zero-day vulnerability targeting Java logging library Apache Log4j was actively exploited in the wild. Now tracked as CVE-2021-44228, the implications of this vulnerability are still actively being researched.

What Does This Mean to Our Partners? This zero-day allowed unauthenticated remote code execution (RCE) if the user was running the application and accessing the Java logging library. It enabled attackers to gain full control of affected servers. An attacker who could control log messages or log message parameters could then execute arbitrary code loaded from LDAP servers when message lookup substitution was enabled. Given the widespread use of this library and how easy the vulnerability is to exploit, its impact was noted as severe.

Several proof of concepts (POC) have since been released and exploitation is currently being observed. This vulnerability impacts the majority of Java applications and must be patched immediately to prevent exploitation from remote unauthenticated attackers.

How to Protect Yourself and Your Clients

We urge our readers to patch as soon as possible. Many applications have pushed patches for their software. We highly recommend that organizations upgrade to the latest version of Apache Log4j 2 (2.16.0-rc2) for all systems and applications.

Patching should be prioritized. If patching is not possible, here are some possible mitigations:

1. In Log4j 2 versions 2.10 to 2.14.1, set the system property “log4j2.formatMsgNoLookups” to “true” to disable to vulnerable features.

2. For releases 2.0-beta9 to 2.10.0, remove the JndiLookup class file from the classpath in log4j-core. Example path: (/log4j/core/lookup/JndiLookup.class)

3. Outbound Egress Filtering to prevent suspicious LDAP and RMI outbound traffic.

Threat Intelligence

The following list of external links has been thoroughly reviewed by Blackpoint SOC and serves as a general recommendation for next steps after patching as well as ongoing, collaborative threat intel coming in from the greater InfoSec community.

From Blackpoint Cyber:

We have observed two IPs across our customer base that are attempting exploitation of vulnerable servers. We recommend that you block these IPs immediately:

• 5.157.38[.]50

• 45.155.205[.]233

From GreyNoise:

GreyNoise has published a list of IPs observed scanning for this vulnerability found here:

• https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217

From National Cyber Security Centrum (NCSC-NL):

The NCSC-NL has published a list of all known vulnerable and non-vulnerable software impacted by the Log4J vulnerability found here:

• https://github.com/NCSC-NL/log4shell/tree/main/software

From Datto:

Datto has released their Log4Shell Enumeration, Mitigation & Attack Detection Tool that can be used to scan and uncover software impacted by this vulnerability:

• https://github.com/datto/log4shell-tool

From N-able:

N-able has released a tool that scans for potentially vulnerable software found here:

• https://github.com/N-able/ScriptsAndAutomationPolicies/blob/master/Vulnerability%20-%20CVE-2021-44228%20(Log4j)/get-log4jrcevulnerability.ps1

From Florian Roth (via GitHub):

The Log4shell-Detector tool created by author Florian Roth may be found here:

• https://github.com/Neo23x0/log4shell-detector

Get More Information

• NIST’s National Vulnerability Database – CVE-2021-44228

For more information on how Blackpoint's 24/7 MDR keeps you one step ahead contact sales@cyberhub.biz

Author: Blackpoint Cyber

https://blackpointcyber.com/blog/apache-log4j-rce-vulnerability/?utm_campaign=Threat-Updates&utm_content=190955144&utm_medium=social&utm_source=twitter&hss_channel=tw-3392676269