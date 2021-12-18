Cybercriminals are actively seeking and exploiting the critical exploitLog4S hell / Log4J (CVE-2021-44228), as we write and at the same time the work of companies and vendors is fervent to mitigate the problem.

Mitigation for Log4J

CERTs from a large number of countries around the world have also been interested in finding ways to manage this cyber threat. The CSIRT nostrano (under the control of the National Cybersecurity Agency), published a methodological analysis on 12 December 2021, with the hitherto known suggestions on mitigation techniques. A series of recommendations always arrived yesterday evening also from Swiss CERT.

The Log4J bug threatens half the internet: here is the urgent fix for companies

Therefore, reporting the analyzes of the IT security experts (for system administrators), the search for this vulnerability, which we remember concerns the server-side infrastructures, the clients (the end users) in fact have no possibility to intervene precisely because it is linked to the application library installed on the server that provides a certain service developed in Java (or with parts developed in Java), it can be done with the following commands (as suggested by the Italian CSIRT):

sudo egrep -i -r ‘$ {jndi: (ldap[s]? | rmi): //[^n]+ ‘/ var / log

sudo find / var / log -name * .gz -print0 | xargs -0 zgrep -E -i ‘$ {jndi: (ldap[s]? | rmi): //[^n]+ ‘

that search for compromise attempts directly on the logs.

As another useful method to search for the vulnerability, within your infrastructure, it is recommended to use tools available online that perform remote scanning: a well-known example is Shodan. With tools like these it is possible to filter by product (with which you work in the searched server) using the strings “product: minecraft”, “product: tomcat” and so on and search by adding the argument “server” which will point to all ” public address of the service being provided and under investigation.

Microsoft in action on Log4J

For Windows systems instead, Microsoft has detailed its guidelines concerning the use of Microsoft 365 Defender, through the dissemination of an advanced search query, aimed precisely at identifying compromise attempts:

CloudAppEvents

| where Timestamp> datetime (“2021-12-09”)

| where UserAgent contains “jndi:”

or AccountDisplayName contains “jndi:”

or Application contains “jndi:”

or AdditionalFields contains “jndi:”

| project ActionType, ActivityType, Application, AccountDisplayName, IPAddress, UserAgent, AdditionalFields

How to protect yourself from Log4j

Given the methods for finding the vulnerability, let’s now see what we can do to protect our infrastructure (critical in this case) from possible malicious exploitation.

It is understood that the best way to intervene is to update the library, which has been immediately fixed by the official team Apache in versions 2.15.0 – 2.13.2 and 2.8.2.

System administrators are well aware, however, that it is not always possible to carry out a sudden update like this within your own application. For all cases in which this is not possible, or the software is not yet ready to receive it, it is advisable for anyone dealing with this library to follow the indications provided by the most important CERTs in the world.

Add the parameter when starting the jvm: -Dlog4j2.formatMsgNoLookups = true; Add the configuration file log4j2.component.properties in the application classpath, with the following content: log4j2.formatMsgNoLookups = true; Set the system environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS = true; Use the following command to remove the JndiLookup class file in the log4j-core package: zip -q -d log4j-core – *. jar org / apache / logging / log4j / core / lookup / JndiLookup.class; Disable JNDI manually, for example with: add spring.jndi.ignore = true in spring.properties; It is recommended to use the higher version of JDK 11.0.1, 8u191, 7u201, 6u211 and above, which to some extent offers protection against RCE exploitation in general.

By way of technical help in addressing this problem, before it becomes a critical infrastructure accident, we would like to point out three very recent useful projects:

a scanner to search for the vulnerability: Log4j-scan ;

; help in identifying the compromise by the exploit: Log4shell-detector ;

; a “vaccine” for already compromised systems, directly from the security company Cybereason ;

; constantly updated list of applications potentially affected by the Log4j vulnerability, relatively complete and detailed.

These six tips are recommended and helpful in solving the problem on a very temporary basis. It is always recommended to upgrade the version of Log4j or work on the currently vulnerable project in order to make the upgrade feasible.

