Log4j “Log4Shell” | Vulnerability & Attack Vector
What Is Apache Log4J And Why Is This Library So Popular?
The Apache Software Foundation created Log4j, an open-source logging library written in Java. Developers use Log4j to track what happens in their software applications or internet services. It’s essentially a massive log of a system’s or application’s activities. This practice is known as logging, and it is utilized by developers to keep track of user issues.
Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and many more significant software companies and online services use the Log4j library. Because of the popularity of the library, several information security experts anticipate a substantial surge in attacks on vulnerable servers in the coming days.
Why Is CVE-2021-44228 So Dangerous – Attack Vectors And Observed Activity
On December 9, 2021, a vulnerability known as CVE-2021-44228 was made public. The exploit is simple, easy to trigger, and allows unauthenticated remote code execution. It is triggered when the Log4j 2 vulnerable component parses and processes a specially constructed string provided by the attacker through a range of various input vectors. If attackers are successful in exploiting it on one of the servers, they will be able to run arbitrary code and potentially take complete control of the system. An attacker only needs to persuade the afflicted app to log a certain string. As a result, the flaw has been called “Log4Shell” by researchers. The CVSS score for this vulnerability is 10.0 out of a possible 10. It affects Apache Log4j 2.0-beta9 to 2.14.1.
The simplicity with which CVE-2021-44228 can be exploited makes it particularly dangerous: even a novice hacker can easily exploit this vulnerability. According to the researchers, attackers only need to compel the program to write one string to the log before using the message lookup substitution function to upload their own code into the application.
Mitigation And Detection Guidance
Security teams and network administrators should immediately update to Log4j 2.17.0, using emergency patching and/or incident response procedures to identify affected systems, products, and components and repair this vulnerability as soon as possible. They should also look for jndi:ldap strings in web application logs and local system events on web application servers performing curl and other known remote resource collecting command-line tools. We also recommend that you pay particular attention to security advisories that involve Log4j and prioritize updating such solutions.
Log4j Scanner
This repository has a scanning solution for log4j’s Remote Code Execution flaws (CVE-2021-44228 & CVE-2021-45046). The data and code in this repository are supplied “as is,” having been compiled with the help of the open-source community and updated by CISA in collaboration with the larger cybersecurity community.