Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix CVE-2021-44228 Log4Shell- A Critical 0-DAY RCE In Log4j Logging Library?
December 14, 2021
|
6m

How To Fix CVE-2021-44228 Log4Shell- A Critical 0-DAY RCE In Log4j Logging Library?


How To Fix Cve 2021 44228 Log4shell Vulnerability In Log4j Logging Library

Cybersecurity Researchers disclosed a new highly critical 0-day vulnerability in Apache Log4j that is being exploited in the wild. The vulnerability tracked as CVE-2021-44228 allows attackers to carry out unauthenticated remote code execution attacks on any application that uses the Apache web server and affected versions of the Log4j logging utility. Since the vulnerability is highly critical and it can be easily exploited just by sending a line of text, it is highly important to fix the CVE-2021-44228 Log4Shell vulnerability- A Critical 0-DAY RCE in Log4j Apache Logging Library.

What Is Log4j Library?

Log4j is a logging framework written in Java and distributed under the Apache Software License. It is predominately used to capture, format, and publish the logging information produced by systems and applications to multiple destinations.  It has three different components to perform its activities.

  1. Loggers: Captures logging information.

  2. Appenders: Publishes logging information to multiple destinations.

  3. Layouts: Format logging information in different styles.

Summary Of CVE-2021-44228 Log4Shell Vulnerability:

The 0-day flaw CVE-2021-44228 allows attackers to carry out unauthenticated remote code execution attacks on any application that uses the Apache web server and affected versions of the Log4j logging utility. The vulnerability is considered highly critical since it can be easily exploited just by sending a line of specially crafted code.

Apache Foundation said in an advisory that “Apache Log4j <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

Associated CVE IDCVE-2021-44228
DescriptionUnauthenticated Remote Code Execution vulnerability in Log4j Logging Library
Associated ZDI IDNA
CVSS Score10.0 Critical
VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact ScoreNA
Exploitability ScoreNA
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Impact of the CVE-2021-44228 Log4Shell Vulnerability:

Threat actors can abuse this vulnerability to perform a wide range of cyberattacks such as deploying coin miners, supply chain attacks, deploying malware like remote access trojans and ransomware, remote code execution, arbitrary code execution, and denial of services.

Who Are Impacted By The CVE-2021-44228 Log4Shell Vulnerability?

Log4j library is used as a logging platform in multiple popular applications such as Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. Anybody who uses the vulnerable version of Log4j in their application is prone to the attack. Please go through the list of affected applications by the vulnerability.

Products Affected:

Log4j Versions Vulnerable To The CVE-2021-44228 Log4Shell Vulnerability:

The CVE-2021-44228 Log4Shell Vulnerability affects almost all Log4j 2 versions are affected.2.0-beta9 <= Apache log4j <= 2.14.1

Log4j version 1 is not affected by the flaw. However, it is affected by a different remote code execution vulnerability.

How To Fix CVE-2021-44228 Log4Shell Vulnerability?

However, before you fix CVE-2021-44228 Log4Shell Vulnerability, it is important to detect the vulnerable machines on your network. Let’s see how to detect CVE-2021-44228 Log4Shell Vulnerability in your server.

Mitigation Actions:

Different versions will have different mitigation advisories. Loot at the table below:

>=2.10The vulnerability can be mitigated just by setting system property “log4j2.formatMsgNoLookups” to “true”. This can be achieved in either ways:

1. Pass as a JVM Flag: Pass this as an argument when you invoke Java
# java -Dlog4j2.formatMsgNoLookups=true
OR
2. The environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to true.
JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true java
OR
JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true
>=2.7 and <=2.14.1All “PatternLayout” patterns can be modified to specify the message converter as “%m{nolookups}” instead of just “%m”.
<=2.10.0the mitigation is to remove the “JndiLookup” class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
OR
Patch the JNDI: https://news.ycombinator.com/item?id=29507263
OR
Use Log4jHotPatch tool to update the JNDI patch automatically.
<1.xIt is not confirmed that v1 is also vulnerable. However, it is vulnerable to another RCE CVE-2019-1757 vulnerability. We recommend upgrading to v2.15.0.

Note: It has been stated that setting com.sun.jndi.rmi.object.trustURLCodebase to false would mitigate the CVE and this is false by default in Java 8u121 however this information has been removed so it is no longer believed this is a sufficient mitigation.

Network IOCs:

Block the below IOCs on Firewalls, Proxies, and other Security Monitoring solutions and keep track of them if any connection is established/observed with them in the Infrastructure.

IP addresses and domains that have been observed in Log4j exploit attempts

134[.]209[.]26[.]39199[.]217[.]117[.]92pwn[.]af188[.]120[.]246[.]215kryptoslogic-cve-2021-44228[.]comnijat[.]space45[.]33[.]47[.]24031[.]6[.]19[.]41205[.]185[.]115[.]217log4j[.]kingudo[.]de101[.]43[.]40[.]206psc4fuel[.]com185[.]162[.]251[.]208137[.]184[.]61[.]190162[.]33[.]177[.]7334[.]125[.]76[.]237162[.]255[.]202[.]2465[.]22[.]208[.]7745[.]155[.]205[.]233165[.]22[.]213[.]147172[.]111[.]48[.]30133[.]130[.]120[.]176213[.]156[.]18[.]247m3[.]wtfpoc[.]brzozowski[.]io206[.]188[.]196[.]219185[.]250[.]148[.]157132[.]226[.]170[.]154flofire[.]de45[.]130[.]229[.]168c19s[.]net194[.]195[.]118[.]221awsdns-2[.]org2[.]56[.]57[.]208158[.]69[.]204[.]9545[.]130[.]229[.]168163[.]172[.]157[.]14345[.]137[.]21[.]9bingsearchlib[.]com45[.]83[.]193[.]150165[.]227[.]93[.]231yourdns[.]zone[.]hereeg0[.]rudataastatistics[.]comlog4j-test[.]xyz79[.]172[.]214[.]11152[.]89[.]239[.]1267[.]205[.]191[.]102ds[.]Rce[.]ee38[.]143[.]9[.]7631[.]191[.]84[.]199143[.]198[.]237[.]19

(Ab)use of listener-as-a-service domains.These domains can be false positive heavy, especially if these services are used legitimately within your network.

interactsh[.]cominteract[.]shburpcollaborator[.]netrequestbin[.]netdnslog[.]cncanarytokens[.]com

This IP is both a listener and a scanner at the same time. Threat hunting for this IOC thus requires additional steps.

45[.]155[.]205[.]233194[.]151[.]29[.]154158[.]69[.]204[.]9547[.]254[.]127[.]78

Permanent Fix:

This CVE-2021-44228 Log4Shell Vulnerability is fixed in Log4j 2.15.0.  The newly fixed log4j-core.jar is available for download from Apache Foundation. And, it is also made available on Maven Central.

This is how you need to fix the CVE-2021-44228 Log4Shell Vulnerability on your affected servers.

We hope this post would help you Fix CVE-2021-44228 Log4Shell- A Critical 0-DAY RCE in Log4j Logging Library. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr,  Medium & Instagram, and subscribe to receive updates like this.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe