Log4J Vulnerability explained
For the last couple of weeks, it is been over my head to write about the recent Log4j vulnerability exploit.
On December 9, 2021, an Remote Code Execution vulnerability was disclosed within the log4j package (CVE- 2021–44228) by Chen Zhaojun of the Alibaba Cloud Security Team which allows an attacker to execute arbitrary code on machines that utilize the log functions of the log4j package which gave the vulnerability its common name: Log4Shell.
How does the exploit happen??
CVE-2021–44228 vulnerability in Apache Log4j 2. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of log4j. The crafted request uses a Java Naming and Directory Interface (JNDI) injection via a variety of services including:
- Lightweight Directory Access Protocol (LDAP)
- Secure LDAP (LDAPS)
- Remote Method Invocation (RMI)
- Domain Name Service (DNS)
If the vulnerable server uses log4j to log requests, the exploit will then request a malicious payload over JNDI through one of the services above from an attacker-controlled server. Successful exploitation could lead to RCE.
Mitigation and Patching
- Implement a firewall with scrutinized port allowance and logging.
- Block the traffic at the network layer.
- Limiting the suspected device’s communication for internal and external communication over the internet.
- Isolate and quarantine the device for security purposes.
- Updating the device to Log4j version of 2.15 or above
- setting the environment parameter values to Log4j2.formatMsgNoLookups=true and LOG4J_FORMt_msg_no_lookups=true, so that disables the LookUps.
the Log4j 2 library is known to communicate with other sources and internal directory services, attackers can easily feed Log4j 2 with malicious executable code from the outside and make it download and execute dangerous code from malicious sources.
The bad guy can execute any code on the attacked system, for example, to access sensitive configuration data. Attackers could gain full control of a system and compromise its data and applications.