
Log4Shell – Log4j RCE Vulnerability



Description

Yesterday, 12/09/2021, it was discovered that companies using the Apache logging component “log4j” are exposed to a zero-day vulnerability. Any Apache server or application that uses the Log4j2 library at an Apache Log4j2 version greater than 2.0 and less than 2.14.1 is vulnerable. The vulnerability allows an unauthorized actor to inject input that the Log4j library evaluates as a lookup, achieving remote control of the system.


Indicators of Compromise (IOCs)

  • If you are running an Apache Log4j version greater than 2.0 and less than 2.14.1, you are vulnerable.

  • A text search of your Apache and/or application log files for “jndi” combined with a protocol such as LDAP or DNS (for example, “jndi:ldap” or “jndi:dns”) may indicate that an attack was successful.

  • The system behaving in a non-standard or unusual way. It has been reported that most of the attacks introduce cryptominers.

  • Check the firewall logs to determine whether there are unexpected communications initiated from suspect systems to the Internet.

  • For applications where it is not known whether the Log4j component is used, search your clients and servers running Linux, Mac and Windows for files named log4j*.jar. If such a file exists, that system is most likely running an application that uses the component.

  • A list of vulnerable applications has been published. Check whether an application you are using is listed here.


Containment

  1. For Apache servers, upgrade to Apache Log4j 2 version 2.16.0. https://logging.apache.org/log4j/2.x/download.html

  2. For systems that cannot be immediately or easily patched, there is a direct mitigation for the vulnerability: set the log4j2.formatMsgNoLookups property to true.

    1. For applications executed through the Java Virtual Machine (JVM), this would take the form of a JVM argument of: -Dlog4j2.formatMsgNoLookups=true

  3. Put your system/application behind a web application firewall (WAF). A WAF will protect against this injection attack.

  4. Implement firewall rules that prevent your server from calling out to the internet. If the server can’t make the TCP connection in the first place, it can’t download anything either.

  5. You may need to contact your application vendor for a patch or containment instructions.


Remediation

  1. If IOCs are present, the system will need to be inspected along with firewall logs to determine the activity and communications that are present.

  2. A system inspection may identify additional programs or files that were introduced during the attack such as cryptominers.

  3. Execute a full malware scan, ensuring your antivirus definitions are current beforehand.

  4. Consider a system rebuild. It is recommended that a system image be captured before the rebuild in case an investigation is warranted at a later date.



© 2025 Thorium Information Security, LLC.
