Why Log4Shell could be the worst software vulnerability ever
Thousands of Java applications across the world are wide open to remote code execution attacks targeting the Log4j library. This post summarizes what we know so far about the Log4Shell vulnerability, how you can mitigate it, how to find it using Invicti, and what it means for cybersecurity here and now.
Your Information will be kept private.
Stay up to date on web security trends
Your Information will be kept private.
What you need to know about Log4Shell (CVE-2021-44228)
|Issue:||Remote code execution (RCE) vulnerability in the Apache Log4j library for Java|
|Vulnerable versions:||Log4j 2.0 to 2.14.1|
|Patched version:||Log4j 2.17.0 or newer (NOTE: 2.15.0 and 2.16.0 have been found to have other vulnerabilities)|
|Scale:||Global, actively targeted|
|Affected software:||All Java applications and frameworks that depend on the vulnerable library|
|First reported:||Dec 9th, 2021|
|Remediation:||Patch immediately to Log4j v2.17.0 (or newer) or apply temporary mitigation until patched|
|Detected by Invicti:||Yes, Standard and Enterprise on-demand – see our support page for instructions on detecting and reporting|
Invicti does not use Log4j, and we do not ship it with our products. However, if you are running a Tomcat server, you may have configured it to route logging and tracing information through Log4j. If you have Log4j installed, we recommend immediately upgrading it to version 2.17.0 or newer.
How to exploit CVE-2021-44228The vulnerability is high-impact yet extremely easy to exploit. The attacker simply needs to prepare a malicious Java file, put it on a server they control, and include the following string in any data that will be logged by the application server:
When the vulnerable server logs this string, Log4j will retrieve and execute Java code from an attacker-controlled server, allowing arbitrary code execution. If the code is a remote shell, the attacker will obtain a local shell with the privileges of the system user running the vulnerable application.
Who is affected by CVE-2021-44228Considering that servers log many types of data, the attack surface is massive and includes headers as well as more visible inputs. Log4j is used by many popular Java application frameworks and packages, such as Struts, Hadoop, Elasticsearch, Grails, Kafka, and more. This means the vulnerability is embedded deeply not only in Java-based web applications but also in hundreds of thousands of enterprise apps. And unlike the SolarWinds hack, which affected (in global terms) relatively few organizations and needed manual effort to exploit specific systems, Log4Shell is ridiculously easy to exploit. Quite simply, if you have a vulnerable Log4j version anywhere in your live Java environment, you are at risk of remote code execution (RCE).
Log4Shell explainedCVE-2021-44228 is a prime example of how several seemingly innocent or only slightly insecure features can be stacked into a devastating vulnerability:
- Apart from plain text, Log4j also supports variables for easily inserting additional data into logs, such as timestamps or software versions.
- These variables can include calls via JNDI (Java Naming and Directory Interface), for example to retrieve a user name from a central directory to put it in the log. LDAP is among the supported directory protocols (though others will also work for the attack).
- Just in case this target data is too big for an LDAP response, you can also provide an external URL as the data source.
- While this has nothing to do with logging, it so happens that JNDI can be used to retrieve not only text but also other data, for example stored application objects to be loaded and recreated.
The attacker puts this string somewhere where it will be logged by the server – a request header, host name, device name, or any number of other places. The server asks Log4j to log this string. Log4j sees a variable with a JNDI call referring to an LDAP resource, in this case a Java class file. It then retrieves the file from the attacker’s server and deserializes it to recreate the Java class that it contains. And if that class is a remote shell, commiserations – you’ve just been hacked.
How to detect the Log4Shell vulnerabilityIf you have any Java applications that use Log4j older than 2.15.0, you are vulnerable to RCE via CVE-2021-44228 (and patched versions older than 2.17.0 have now been found to have other serious vulnerabilities). Note that Log4j may be installed by default with Java software such as application servers and development frameworks, potentially in multiple locations, so double-check even if you think you don't have it deployed anywhere. See the Log4j project site for details about both vulnerabilities and mitigation. UPDATED: You can use Invicti (Standard and Enterprise on-demand) to test if your web applications are vulnerable to Log4Shell attacks. You can add the Log4Shell security check to your existing scan policies or create a separate scan policy to check only for this vulnerability in a matter of minutes. See our support page for detailed instructions on scanning for the Log4Shell vulnerability.
How to mitigate CVE-2021-44228A fix is already available, so the recommended course of action is to update to Log4j 2.17.0 (or newer) immediately. Note that the inital patch in version 2.15.0 was found to be vulnerable to a separate DoS and RCE vulnerability (CVE-2021-45046), while 2.16.0 is vulnerable to DoS (CVE-2021-45105) and untrusted deserialization attacks (CVE-2021-4104). Also, previously published temporary mitigations are no longer bulletproof, as they may be ineffective in some cases. If you cannot update to 2.17.0 (or newer) right now, you have the following options for temporary mitigation (see Lunasec’s mitigation guide for detailed information):
- You can manually modify JNDI in place to temporarily block JNDI-based attacks until you can update. The Log4jHotPatch tool is available to do this even while the server is running. Remote live patching via the vulnerability itself is also possible as a last resort.
- Previous temporary mitigations may still protect against CVE-2021-44228 in some cases, but remember you may now be vulnerable to one or more of the newly-discovered vulnerabilities listed above. For 2.10 or later, you can at least reduce risk by setting the system property
log4j2.formatMsgNoLookupsor the environment variable
trueand restarting your application. This may or may not work, so updating to 2.17.0 is the only recommended course of action.