Log4Shell – Log4J CVE-2021-44228 Vulnerability

NB: Updated constantly

Here is a summary of what Microsoft had of information https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

* Over a period of the last 4 months, the library has been downloaded 28.6 million.
* Ingenuity, the Mars 2020 Helicopter mission, is powered by it.
* On Friday alone there were about 840,000 endpoints that were running a vulnerable instance based upon Shodan searches (which only accounts for “known” common vendors.
* Over 2200 known “bad” IP addresses are already scanning the Internet for Vulnerable endpoints.
* There are indications that the exploit has been in the wild since December 1st
* There are a lot of companies with software that is affected by this vulnerability (https://lnkd.in/e2bM_MaY)
* Just updating the library to 2.15 is not enough (therefore you should update to 2.16 which disables completely JNDI functionality (https://lnkd.in/eq9sJsuM)
* Now as of the 14th (4 days after) we have seen the first ransomware attack using this vulnerability to deploy Khonsari

On December 9, researchers published proof-of-concept (PoC) exploit code for a critical vulnerability in Apache Log4j 2, a Java logging library used by a number of applications and services including but not limited to:

• Apache Druid
• Apache Flink
• Apache Solr
• Apache Spark
• Apache Struts2
• Apache Tomcat

This vulnerability could be weaponized to execute malicious code and allow a complete takeover of vulnerable systems. It is also appliance for other custom built applications, even including Red Hat Openshift and also a number of VMware products which has now been confirmed as well. Here you can see that a PoC has been built for VMware vCenter https://twitter.com/tnpitsecurity/status/1469429810216771589?s=21

You can find an updated list of affected products here —> BlueTeam CheatSheet * Log4Shell* | Last updated: 2021-12-12 2204 UTC (github.com)

You can also read the info from VMware here. This just shows how large impact this vulnerability has –> https://core.vmware.com/vmsa-2021-0028-questions-answers-faq#section1

Tracked as CVE-2021-44228 and by the monikers Log4Shell or LogJam, the issue concerns a case of unauthenticated, remote code execution (RCE) on any application that uses the open-source utility and affects versions Log4j 2.0-beta9 up to 2.14.1

There is already reports of attackers successfully exploiting this vulnerability (but as of now) for bitcoin mining payloads.

Cloudflare noted that it blocked 20,000 exploit requests per minute around 6:00 p.m. UTC on Friday, with most of the exploitation attempts originating from Canada, the U.S., Netherlands, France, and the U.K.

Citrix is also doing an investigation of the impact on their products: https://support.citrix.com/article/CTX335705

 

What can we do to protect against vulnerability?

• Patch! if you have built a custom application that uses that library.
• If you have a 3. Party application/product such as VMware you need to just wait and ensure that you have control of the traffic. Ensure that servers are not allowed to do outbound connections. 
• If you are using Log4j v2.10 or above, and cannot upgrade, then set the property

   log4j2.formatMsgNoLookups=true

• If you have web-services that are used to expose the service, you can use WAF custom rules to block the vulnerability, examples here:
• Cloudflare WAF mitigation: https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
• Citrix ADC WAF (If you have signature files automatically updated you have a new rule that can be used to block the known signatures ()

There are many tools that you can use to monitor the traffic, if you want to know if you have this specific library installed within your environment there are different detection mechanisms.

Azure Monitor / Azure Sentinel
ConfigurationData
| where ConfigDataType == “Software”
| order by TimeGenerated desc
| where SoftwareName == “liblog4j2-java”
| summarize count() by CurrentVersion

Yara and other detection rules:
https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

GreyNoise

Is also monitoring which IP addresses they see who are scanning for vulnerable endpoints –> https://www.greynoise.io/viz/query/?gnql=tags%3A%22Apache%20Log4j%20RCE%20Attempt%22

This is showcasing often used payloads: GreyNoise Log4Shell Payloads (github.com)

Other IoC

Here is also a great list of example payloads that you can see –> GreyNoise Log4Shell Payloads (github.com)

Source IPs:
172.241.167.37 (🇺🇸)
23.108.92.140 (🇺🇸)
185.218.127.47 (🇦🇺)
172.83.40.124 (🇨🇦)
5.181.235.46 (🇯🇵)
139.28.219.110 (🇫🇷)
82.102.31.170 (🇺🇸)
203.27.106.141 (🇸🇬)
37.19.212.90 (🇨🇦)
109.70.150.139 (🇬🇧)