All about the Log4j shell vulnerability which took cybersecurity community by storm!!

From emergence to detection to patch, everything about log4j shell vulnerability affecting billions of devices and application running Java.

CYBERSECURITY

1/1/2022 3 min read

The emergence of a new cybersecurity vulnerability(zero-day) has taken the cybersecurity community by storm!!

Before we dig into the log4j, I would like to wish all the readers a very HAPPY NEW YEAR!!

The vulnerability is known as Log4Shell (CVE-2021–44228); it allows a malicious actor to directly inject a specially crafted payload in the requests which get parsed and executed by the vulnerable application.

According to some news sources, 100 plus hacking attempts are being made every minute through this exposure on the vulnerability. Many big IT corporations are endangered because most of them use Java in some way or the other to create and maintain applications.

In this blog post, I will try to explain everything you need to know about the hot topic these days - The log4j event, from its first detection to the release to detection to the patch.

Log4j Shell - Zero-day vulnerability time-line:

A zero-day vulnerability involving remote code execution in Log4j, given the descriptor "Log4Shell" (CVE-2021-44228), was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021.

December 10, 2021:

Apache released Log4j 2.15.0 for Java 8 to address a remote code execution (RCE) vulnerability – CVE-2021-44228.

December 13, 2021:

Apache released Log4j 2.12.2 for Java 7 and Log4j 2.16.0 for Java 8 to address an RCE vulnerability – CVE-2021-45046.

December 15, 2021:

Log4j 1.x is vulnerable to an attack, although at lower risk when logging is configured with JMSAppender are impacted – CVE-2021-4104. The recommendation is to upgrade to Log4j 2.x.

December 17, 2021:

Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DOS) vulnerability – CVE-2021-45105.

Affected services include Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, and Twitter. The Apache Software Foundation assigned the maximum CVSS severity rating of 10 to Log4Shell, as millions of servers could be potentially vulnerable to the exploit. The vulnerability was characterized by cybersecurity firm Tenable as "the single biggest, most critical vulnerability of the last decade" and Lunasec's Free Wortley characterized it as "a design failure of catastrophic proportions".

What is Log4j, and how does it work?

Log4j is a Java-based logging utility that is a part of Apache logging services, a project of Apache software foundation. Log4j is one of the several java logging frameworks (APIs).

In simple terms, the log4j utility enables developers or programmers in maintaining a trace of what is going on with their applications in terms of the logs whether it is an access log, error log, warn log, fatal or anything. It keeps data of everything a program is doing. Log4j is both open source and free and hence used widely.

Developers use Log4j to keep a log of what is going on in their software applications or internet services. It is one of those projects that operates silently in the background. Helping in assisting developers in the creation of many items that you use directly. All the big Multinational Companies like Apple, IBM, Oracle, Cisco, Google and Amazon, all run the software.

What is the Log4j flaw?

Log4jShell is a Java JNDI injection. This is not a new vulnerability, there was a Blackhat talk on the same by Alvaro Munoz & Oleksandr Mirosh --> https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf

Interestingly, the vulnerability was introduced with the new JNDI lookup feature in version 2.0–2.15.0 that allows any inputs to be parsed and interpreted by the application no matter where it originates. These include web applications, databases, email servers, routers, endpoint agents, mobile apps, IoT devices — you name it (if it runs Java, it could be vulnerable).

Log4j has lately been vulnerable despite its widespread use. The recently discovered hole in Log4j lets attackers run their code on your systems, allowing them to steal data, install malware, or take control and access all of your sensitive data. Hackers can easily access the company’s computer servers. They can also widen their access into the company’s network and as a result, get access to discrete data. It’s been causing a lot of problems for organizations and has put a lot of data at risk.

How to fix the log4j shell vulnerability?

The update distributed by Log4j has the potential to eliminate the affected system. Log4J version 2.17.0 is patched.

PRACTICALS -- Lab setup, detection and exploitation:

If you want to play around with the Log4j shell vulnerability by re-creating the findings with the help of the labs, below are some awesome resources that help you to create a vulnerable lab & detect and exploit the log4j shell vulnerability.

TryHackMe cloud lab on log4j:

https://tryhackme.com/room/solar

Manual lab setup - Log4j:

https://github.com/Cyb3rWard0g/log4jshell-lab

Proof of Concept - Log4j shell:

https://github.com/kozmer/log4j-shell-poc

Log4j Detector:

https://github.com/CodeShield-Security/Log4JShell-Bytecode-

Log4j Sample exploit:

https://github.com/kali-dass/CVE-2021-44228-log4Shell

More resources:

https://github.com/snyk-labs/awesome-log4shell

That's it for the day! Thanks for reading!

If you like the content, please share with your friends & connections.

If you have any feedback or suggestion with regards of the content, please contact us by visiting the contact page.

Meanwhile you can check out other blogs as well, we do have a free course on ethical hacking, check it out by clicking the link below!

HAPPY NEW YEAR everyone!!

Start the free course now!

Entry Level Course combining all concepts of Cybersecurity!

You can go for the course listed on our website as well. It is an beginner-level course(CCSA) where you can learn Cybersecurity from scratch. It is a FREE course for now and will be FREE forever!

Social
Contact

hi@thecomputerjoker.com

© copyrighted 2021. All Rights Reserved.