Blog A3Sec

Zero Day vulnerability in Apache Log4j

Written by Nacho García Egea, Technical Director Spain | 10 August, 2022

The vulnerability CVE-2021-44228 'Log4Shell' or 'LogJam' has serious consequences on the Apache log4j component included in millions of applications, servers even in OT environments.

CVE-2021-44228 'Log4Shell' or 'LogJam', applies to JNDI Java Naming and Directory Interface) features, indicating that its vulnerable component log4j affects millions of applications and servers. Log4j is used in configuration, log messages and parameters that offer no protection against access to remote directory services and other endpoints.

Every time an application with the vulnerable log4j module generates an audit trail, for example, when a log of a user's browsing or login attempt is saved, the vulnerable code is executed.This was discovered by Chen Zhaojun of the Alibaba Cloud Security Team, and has received a CVSS score of 10 out of 10 due to its severity and ease of exploitation.

The affected versions of Apache Log4j are between 2.0-beta9 and 2.14.1, both included. Apache Software Foundation has released fixes to contain the vulnerability in version 2.15.0 and later.

This vulnerability can affect OT environments as it is vendor-independent and affects both proprietary and open source software, leaving many industries exposed to remote exploitation, including electrical, supply chain, transportation and more. Log4j is found in more popular open source repositories used in numerous industrial applications, such as Object Linking and Embedding for Process Control (OPC) Foundation's Unified Architecture (UA) Java Legacy.  In addition, attackers can exploit this vulnerability in supervisory control and data acquisition (SCADA) systems and energy management systems (EMS) that use Java in their code base.

TTP's for CVE-2021-44228

The attack carrier (LDAP) has been the main focus of attackers, although other techniques are not ruled out.

In the case of OT networks, having good segmentation reduces the risk, although it will still be present until it is corrected in vulnerable versions. However, OT elements such as SCADA / EMS configured for remote access may use LDAP for password management and therefore be vulnerable to exploitation, particularly by an adversary moving laterally within a network with weak segmentation.

The emergence of nested and obfuscated payloads to bypass web application firewalls is an example of early adversary tactics, techniques and procedures (TTP).

The attack vector is via JNDI which allows attackers to provide a URL that defines both the protocol and the resource to query:

So, if an attacker could raise his own server, from which the above calls are received, he could perform JNDI attacks.

 

Recommendations

Upgrade the library to Apache Log4j 2.15.0 or later to fix the security flaw generated by the vulnerability. If it is not possible to apply the security patches, the following countermeasures are recommended to mitigate the problem:e recomiendan las siguientes contramedidas para mitigar el problema:

  • n versions 2.10 up to 2.14.1 it is recommended to set the parameter log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • In versions below 2.10 and up to 2.0-beta9, remove the JndiLookup class from the class path (using the zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class command).
  • Check outbound filtering at the perimeter (RCE needs 1 or 2 outbound connections from the victim, DNS aside) and JVM proxy settings
  • CVE-2021-45046 affects all versions. Incomplete patching of CVE-2021-44228 allows attackers to perform a denial of service attack. Incomplete patching of CVE-2021-44228 could be exploited to "create malicious input data using a JNDI search pattern that ends in a denial-of-service (DoS) attack"