How to Fix CVE-2021-44228 Log4Shell Vulnerability in Log4j Logging Library

Cybersecurity researchers have disclosed a new, highly critical 0-day vulnerability in Apache Log4j that is being exploited in the wild. The vulnerability, tracked as CVE-2021-44228, allows attackers to carry out unauthenticated remote code execution attacks on any application that uses the Apache web server and affected versions of the Log4j logging utility. Since the vulnerability is highly critical and can be exploited just by sending a line of text, it is important to fix CVE-2021-44228 Log4Shell, a critical 0-day RCE in the Apache Log4j logging library.

What Is Log4j Library?

Log4j is a logging framework written in Java and distributed under the Apache Software License. It is predominantly used to capture, format, and publish the logging information produced by systems and applications to multiple destinations. It has three components that perform these activities.

  1. Loggers: capture logging information.
  2. Appenders: publish logging information to multiple destinations.
  3. Layouts: format logging information in different styles.

Summary Of CVE-2021-44228 Log4Shell Vulnerability:

The 0-day flaw CVE-2021-44228 allows attackers to carry out unauthenticated remote code execution attacks on any application that uses the Apache web server and affected versions of the Log4j logging utility. The vulnerability is considered highly critical since it can be easily exploited just by sending a line of specially crafted code.

Apache Foundation said in an advisory that “Apache Log4j <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

Associated CVE ID: CVE-2021-44228
Description: Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library
Associated ZDI ID: NA
CVSS Score: 10.0 Critical
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact Score: NA
Exploitability Score: NA
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilege Required (PR): None
User Interaction (UI): None
Scope: Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Impact of the CVE-2021-44228 Log4Shell Vulnerability:

Threat actors can abuse this vulnerability to perform a wide range of cyberattacks, such as deploying coin miners, supply chain attacks, deploying malware like remote access trojans and ransomware, remote code execution, arbitrary code execution, and denial of service.

Who Are Impacted By The CVE-2021-44228 Log4Shell Vulnerability?

The Log4j library is used as a logging platform in many popular products and services such as Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. Anybody who uses a vulnerable version of Log4j in their application is exposed to the attack. Please go through the list of applications affected by the vulnerability.

Products Affected:

Manufacturer/Component: Verified
Apple: TRUE
Tencent: TRUE
Steam: TRUE
Twitter: TRUE
Baidu: TRUE
DIDI: TRUE
JD: TRUE
NetEase: TRUE
CloudFlare: TRUE
Amazon: TRUE
Tesla: TRUE
Apache Solr: TRUE
Apache Druid: TRUE
Apache Flink: FALSE
Apache Struts2: TRUE
flume: FALSE
dubbo: FALSE
IBM Qradar SIEM: TRUE
PaloAlto Panorama: TRUE
Redis: FALSE
logstash: FALSE
ElasticSearch: TRUE
kafka: FALSE
ghidra: TRUE
ghidra server: TRUE
Minecraft: TRUE
PulseSecure: TRUE
UniFi: TRUE
VMWare: TRUE
Blender: FALSE
Google: TRUE
Webex: TRUE
LinkedIn: TRUE
VMWare vCenter: TRUE
Speed camera LOL: TRUE

Log4j Versions Vulnerable To The CVE-2021-44228 Log4Shell Vulnerability:

The CVE-2021-44228 Log4Shell vulnerability affects almost all Log4j 2 versions:
2.0-beta9 <= Apache log4j <= 2.14.1

Log4j version 1 is not affected by the flaw. However, it is affected by a different remote code execution vulnerability.

How To Fix CVE-2021-44228 Log4Shell Vulnerability?

Before you fix the CVE-2021-44228 Log4Shell vulnerability, it is important to detect the vulnerable machines on your network. Let's see how to detect the CVE-2021-44228 Log4Shell vulnerability on your servers.

Mitigation Actions:

Different versions have different mitigation advisories. Look at the table below:

>=2.10: The vulnerability can be mitigated just by setting the system property "log4j2.formatMsgNoLookups" to "true". This can be achieved in either of these ways:

1. Pass it as a JVM flag, i.e. as an argument when you invoke Java:
   # java -Dlog4j2.formatMsgNoLookups=true
   OR
2. Set the environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" to true, or pass the same property through JAVA_OPTS:
   JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true

>=2.7 and <=2.14.1: All "PatternLayout" patterns can be modified to specify the message converter as "%m{nolookups}" instead of just "%m".

<=2.10.0: The mitigation is to remove the "JndiLookup" class from the classpath:
   zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
   OR
   Patch the JNDI: https://news.ycombinator.com/item?id=29507263
   OR
   Use the Log4jHotPatch tool to apply the JNDI patch automatically.

1.x: It is not confirmed that v1 is also vulnerable. However, it is vulnerable to another RCE vulnerability, CVE-2019-1757. We recommend upgrading to v2.15.0.

Note: It had been stated that setting com.sun.jndi.rmi.object.trustURLCodebase to false would mitigate the CVE (this is false by default since Java 8u121); however, that guidance has since been withdrawn, so it is no longer believed to be a sufficient mitigation.
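The following Python script is an added example, not code from the original post: it applies the vulnerable version range and the per-version mitigation table above to a log4j-core jar, reading the version from the jar manifest, checking whether JndiLookup.class is still present, listing the mitigations that apply, and performing the class-removal mitigation in pure Python (the same effect as the zip -q -d command). The jar builder produces a constructed stand-in, not a real Log4j artifact; a flag or environment variable set outside the jar cannot be detected this way.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VULN_LOW, VULN_HIGH = "2.0-beta9", "2.14.1"  # vulnerable range stated in the post
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?$")
MITIGATIONS = (("2.10", "-Dlog4j2.formatMsgNoLookups=true"),  # post: >=2.10
               ("2.7", "PatternLayout %m{nolookups}"),        # post: >=2.7 and <=2.14.1
               ("2.0-beta9", "remove JndiLookup.class"))      # post: class removal

def version_key(ver):
    """Sortable tuple; pre-releases such as 2.0-beta9 sort before 2.0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised Log4j version {ver!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))

def assess_jar(data):
    """Version, verdict and applicable mitigations for one log4j-core jar.
    Only the class-removal mitigation is visible inside the jar itself."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF").decode()
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    ver = m.group(1) if m else "unknown"
    key = version_key(ver)
    vulnerable = version_key(VULN_LOW) <= key <= version_key(VULN_HIGH) and has_jndi
    mitigations = [a for floor, a in MITIGATIONS if vulnerable and key >= version_key(floor)]
    return {"version": ver, "vulnerable": vulnerable,
            "jndi_lookup_present": has_jndi, "mitigations": mitigations}

def remove_jndi_lookup(data):
    """Rewrite the jar without JndiLookup.class (what the post's `zip -q -d` does)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def build_sample_jar(version, with_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar, not a real Log4j artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # dummy class bytes
    return buf.getvalue()
```

For a real deployment, read the jar bytes from disk, call assess_jar, and write the result of remove_jndi_lookup back only after taking a backup of the original jar.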

Network IOCs:

Block the IOCs below on firewalls, proxies, and other security monitoring solutions, and keep track of any connection established to or observed from them in your infrastructure.

IP addresses and domains that have been observed in Log4j exploit attempts


(Ab)use of listener-as-a-service domains: these domains can be false-positive heavy, especially if the services are used legitimately within your network.


These IPs are both listeners and scanners at the same time. Threat hunting for these IOCs thus requires additional steps.


Permanent Fix:

The CVE-2021-44228 Log4Shell vulnerability is fixed in Log4j 2.15.0. The fixed log4j-core.jar is available for download from the Apache Foundation, and it is also available on Maven Central.

This is how you need to fix the CVE-2021-44228 Log4Shell Vulnerability on your affected servers.

We hope this post will help you fix CVE-2021-44228 Log4Shell, a critical 0-day RCE in the Log4j logging library. Thanks for reading this threat post.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn
