Home / About / Threat Intelligence / 0-day exploit found in log4j (Log4Shell)

Overview

A remote code execution (RCE) vulnerability CVE-2021-44228 has been found in popular Java logging library, log4j.

The exploit is an injection attack (like SQLi) which means any source of arbitrary data which is written to log files by an application using log4j is potentially vulnerable to RCE. Web Apps are of particular concern.

Impact

An unauthenticated remote attacker could execute code in the security context of the vulnerable app.

Affected Products

The vulnerable version of log4j is

2.0 <= Apache log4j <= 2.14.1

This is a popular package used by many other projects including Apache Struts2 and Minecraft servers.

Containment, Mitigations & Remediations

If it’s impractical to update, one mitigation mentioned on the GitHub issue is to remove the vulnerable class.

Indicators of Compromise

Security researcher Florian Roth has published some notes on detecting exploitation attempts, including a regular expression to search log sources.

`sudo egrep -i -r ‘\$\{jndi:(ldap[s]?|rmi)://[^\n]+’ /var/log`

Threat Landscape

log4j is a common library used in many enterprise Java applications. As such, it can be hard to predict what other apps will be found to contain a vulnerable version of the library in future.

This is an easily exploited RCE with a wide range of applicability which is likely to appeal to Ransomware groups.

Mitre Methodologies

T1190 – Exploit Public-Facing Application

Further Information

Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package

Apache Log4j Security Vulnerabilities

Restrict LDAP access via JNDI