Vulnerability Affecting Multiple Log4j Versions Permits RCE Exploit


On December 9th, it was made public on Twitter that a zero-day exploit had been discovered in log4j, a popular Java logging library. All versions of the library from 2.0 to 2.14.1 inclusive are affected. Log4j 2.15.0 has been released and no longer has this vulnerability. As the proof of concept (PoC) published on GitHub shows, when log4j logs an attacker-controlled string value the result can be remote code execution (RCE).

The log4j contributors mobilized to ensure that a fix is available and quickly merged. Log4j 2.15.0 is already available in Maven Central and all users are encouraged to upgrade immediately where possible. Where an upgrade is not immediately possible, an alternative workaround is to start the Java application or server with the log4j2.formatMsgNoLookups system property set to true, e.g.: `java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar`

Servers running on JDK versions higher than 6u141, 7u131 and 8u121 are not affected by the LDAP attack vector, because the com.sun.jndi.ldap.object.trustURLCodebase property is disabled by default, so JNDI cannot load a remote codebase over LDAP.
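As an added triage helper (not code from the original post or from the log4j project), the following Python reads the Implementation-Version from a jar's manifest, applies the affected range 2.0 to 2.14.1 stated above, and reports whether the formatMsgNoLookups workaround is present on the JVM command line. The manifest header values and the in-memory sample jars are constructed assumptions.

```python
import io
import re
import zipfile

FIRST_AFFECTED = (2, 0, 0)  # oldest affected release named above
FIRST_FIXED = (2, 15, 0)    # release stated above as no longer vulnerable
WORKAROUND_FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # workaround from the post

def parse_version(text):
    # "2.14.1" -> (2, 14, 1); a missing patch component ("2.0") becomes 0
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version):
    # True for 2.0 <= version < 2.15.0, the affected range given in the post
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED

def log4j_core_version(jar_bytes):
    # Return Implementation-Version from META-INF/MANIFEST.MF, or None when the
    # Implementation-Title does not name log4j-core (assumed to contain "Log4j Core")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    headers = {}
    for line in manifest.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    if "Log4j Core" not in headers.get("Implementation-Title", ""):
        return None
    return headers.get("Implementation-Version")

def triage(jar_bytes, jvm_args=""):
    # 'not-log4j-core', 'fixed', 'affected-mitigated' (flag on the JVM
    # command line) or 'affected'
    version = log4j_core_version(jar_bytes)
    if version is None:
        return "not-log4j-core"
    if not is_affected(version):
        return "fixed"
    return "affected-mitigated" if WORKAROUND_FLAG in jvm_args else "affected"

def make_jar(title, version):
    # Constructed sample input: a minimal in-memory jar holding only a manifest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"
                     f"Implementation-Title: {title}\nImplementation-Version: {version}\n")
    return buf.getvalue()
```

On a real host the caller walks the filesystem for jars (including jars nested inside war/ear archives) and feeds each one to triage(); the flag check only sees the command-line form of the workaround, not a property set elsewhere.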

The exploit, which will be identified as CVE-2021-44228 and is known colloquially as Log4Shell, takes advantage of a flaw in the Java Naming and Directory Interface (JNDI) code in the following way:

Or translated in code:

Given how widely Java and log4j are used and how easy the exploit is, the impact is critical and all users should address it immediately. Even though scans are being performed across the web, the full extent is almost impossible to evaluate. Similar vulnerabilities have been exploited in the past, leading to data breaches such as the Equifax data breach.

Various scans have been conducted across the web; the known affected services include Steam and Apple iCloud, and applications such as Minecraft, where all versions greater than 1.8.8 are affected. Patching has started among the affected open source projects (for example Paper).

Given the popularity of seemingly simple libraries like log4j, many cloud services and applications may be impacted, as in the 2017 Equifax data breach, whose repercussions were severe. Nevertheless, in the case of CVE-2021-44228 the community has rallied to promote awareness and to provide mitigation plans as well as fixes.

This content was originally published here.
