Our teams are actively responding to the Log4Shell (or LogJam) 0-day threat which has been reported in the Apache Log4j 2 Java library and has been awarded a severity rating of 10 out of 10 by NIST. We are alerting customers to systems and services that may potentially be impacted and assisting with the investigation and remediation of any attacks that may result, in line with guidance from the National Cyber Security Centre.
What’s the problem?
The issue does not just impact services written wholly in Java; it simply requires a single java application leveraging the log4j library on the network. This makes it necessary to check all Java code across the network regardless of whether they are running Linux, Mac or Windows and to determine if these are using the Log4j library.
How does it work?
Vulnerability CVE-2021-44228 allows unauthenticated remote code execution which is triggered by a string provided by the attacker through a variety of different input vectors which is parsed and processed by the Log4j (version 2) vulnerable component.
According to Microsoft, most of the activity to date has been mass scanning of systems. It states the string contains “jndi”, which refers to the Java Naming and Directory Interface followed by the protocol, such as “ldap”, “ldaps”, “rmi”, “dns”, “iiop”, or “http”, which precedes the attacker’s domain. However, attackers have obfuscated these requests using additional characters making them harder to detect.
What should I do?
Customers are advised to patch their systems by updating all copies of Log4j to version 2.15.0 as soon as practicable.
NCSC advice states: “If you are using the Log4j 2 library as a dependency within an application you have developed, ensure you update to version 2.15.0 or later
If you are using an affected third-party application, ensure you keep the product updated to the latest version. The flaw can also be mitigated in previous releases (2.10 and later) by setting system property “log4j2.formatMsgNoLookups” to “true” or removing the JndiLookup class from the classpath.”
For those unable to carry out the update immediately, Apache has suggested three workarounds as explained by Sophos here as follows:
- Run your vulnerable program under Java with an added command line option to suppress JNDI lookups, like this: java -Dlog4j2.formatMsgNoLookups=true This sets a special system property that prevents any sort of
{$jndi:...}activity from triggering a network connection, which prevents both exfiltration and remote code implantation. - Set an environment variable to force the same result:
set LOG4J_FORMAT_MSG_NO_LOOKUPS=true - Repackage your
log4j-core-*.jarfile by unzipping it, deleting the component calledorg/apache/logging/log4j/core/lookup/JndiLookup.class, and zipping the other files back up again
What’s the advice from vendors?
The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. Firewall vendors have been quick to issue patches and advice including:
- Microsoft365 Defender customers are advised to turn on cloud-delivered protection while users of Microsoft Defender for Endpoint should turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat: Block executable files from running unless they meet a prevalence, age, or trusted list criterion. The wide attack surface of exploited by the attack means teams are also advised to monitor for signs of post-exploitation such as coin mining, lateral movement, and Cobalt Strike.
- Azure Firewall Premium customers have enhanced protection from the Log4j RCE CVE-2021-44228 vulnerability and exploit. Azure Firewall premium IDPS (Intrusion Detection and Prevention System) provides IDPS inspection for all east-west traffic and outbound traffic to internet. The vulnerability rulesets are continuously updated and include CVE-2021-44228 vulnerability for different scenarios including UDP, TCP, HTTP/S protocols since December 10th, 2021.
- Sophos has published a list of affected products and published an extended detection and response tool to identify affected Linux servers
- Fortigate has released intrusion prevetion system (IPS) rules to detect and block this specific vulnerability as has Juniper.
In the meantime, if you have any concerns, please do reach out to us at contact@prisminfosec.com or on 01242 652 100.
