15 Dec 2021

Log4Shell-Logjam Overview

Picture credit: Lunasec[1]

TL;DR

Patch, check that your patches work, and check your logs for attempts and possible compromise.

Log4Shell is a tag used by Lunasec[1] to describe the vulnerability in Apache Log4j2 that was disclosed abruptly by a tweet[2] and a GitHub repository.
This sudden announcement forced security professionals to work within a short time frame to protect systems before other interested parties could discover, compromise and potentially take over them.

Among the security groups alerted this way were the computer emergency response teams, which recognised the impact and issued early advisories[3][4][5]; these are either being updated or are being referenced by newer advisories[6].

The attack surface was of prime concern, and security professionals exchanged ways to find exposed systems through various third-party search results. One of the attack-surface lists published early showed that Log4Shell, or LogJam, would affect a large number of systems[7][8]. Ways to detect affected servers were refined into scripts[9][10], and other entities released tools to detect vulnerable servers through first-party scanning[11][12][13]. First-party scanning is not a concern, but unauthorised second-party scanning is; such activity was soon detected[14], and exploit payloads followed[15].

The manner in which the vulnerability was disclosed left little time for naming and grading. This was evident in that the PSIRT initially had only release candidates[16][17]; when these were checked, it was reported that both had to be applied[18].

The vulnerability was later allocated CVE-2021-44228[19] and carries the PSIRT's analysis[20][21] of a CVSSv3 base score of a perfect 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Before a full patch was available from the PSIRT[22], mitigations were collated[25] and a vaccine made available[23][24] to provide an easy way to mitigate the unauthorised second-party scanning attempts to drop a malicious payload.

No doubt there will be more numerous and extensive reports[26][27][28][29][30][31][32][33][34][35] made available by noted security organisations, as well as a plethora of resources listed to help[36][37], but the advice right now is as in the TL;DR: check your version[38][39], patch, check your patch, check your logs for attempts and possible compromise[40], and take remediation steps if any IoCs show up[41][42][43][44][45][46].
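As an added illustration of the "check your version, check your patch" step (example code written for this post, not taken from the article or from any of the tools it links): a small Python scanner that finds log4j-core inside an archive and inside any JAR/WAR/EAR nested in it, reads the Maven version, and also reports whether JndiLookup.class has been removed, which was one of the published mitigations. The 2.15.0 floor is an assumption taken from the release the article cites; the PSIRT advisory is the authority on the version to require.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # removed by one mitigation
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_FIXED = (2, 15, 0)  # assumption: floor taken from the 2.15.0 release the article cites

def parse_version(text):
    # '2.14.1' -> (2, 14, 1), padded to three parts so tuple comparison is safe
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])

def classify(version, has_jndi_class):
    """Operator-facing verdict for one log4j-core finding."""
    if not has_jndi_class:
        return "mitigated: JndiLookup.class removed"
    if version is None:
        return "unknown version with JndiLookup present: investigate"
    return "VULNERABLE: upgrade" if version < MIN_FIXED else "patched"

def inspect_archive(zf, origin):
    """Yield (origin, version, verdict) for log4j-core in zf and in any archive nested in it."""
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_CLASS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        m = re.search(r"^version=(.+)$", props, re.M)
        version = parse_version(m.group(1)) if m else None
        yield origin, version, classify(version, JNDI_CLASS in names)
    for name in names:  # fat JARs and WARs bundle log4j-core inside themselves
        if name.lower().endswith((".jar", ".war", ".ear")):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from inspect_archive(nested, f"{origin}!/{name}")

def scan_bytes(data, origin):
    # Scan one archive held in memory; for a file on disk pass zipfile.ZipFile(path) to inspect_archive
    return list(inspect_archive(zipfile.ZipFile(io.BytesIO(data)), origin))

def build_sample_archive(version=None, include_jndi=False, nested=None):
    """Constructed fixture shaped like log4j-core (not a real JAR); 'nested' embeds another archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder")
        if nested:
            zf.writestr("WEB-INF/lib/log4j-core.jar", nested)
    return buf.getvalue()
```

A finding with JndiLookup present but no pom.properties (for example a shaded or repackaged build) is deliberately reported for manual follow-up rather than silently passed.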

In a time span no longer than a week, CVE-2021-44228 has gone from proof-of-concept drop to internet-wide scans to carrying cryptocurrency-miner payloads to now being found to carry ransomware payloads[47][48].

Finally, if your weekend was hectic as a result of this abrupt disclosure, send some positive thoughts to the three volunteers[49][50] who maintain a piece of code that the internet has come to depend on so heavily. These three volunteers worked very hard to get us a patch as soon as possible[51].

We would also like to thank all the contributors who made this article possible by submitting relevant links and articles to us.

[1] Lunasec Advisory https://www.lunasec.io/docs/blog/log4j-zero-day/
[2] Tweeted 0-Day https://twitter.com/P0rZ9/status/1468949890571337731
[3] NZCERT https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
[4] AUSCERT ASB https://portal.auscert.org.au/bulletins/ASB-2021.0244.2
[5] SingCERT https://www.csa.gov.sg/en/singcert/Alerts/al-2021-070
[6] AUSCERT ESB https://portal.auscert.org.au/bulletins/ESB-2021.4186
[7] Attack Surface https://github.com/YfryTchsGD/Log4jAttackSurface
[8] Randori Blog https://www.randori.com/blog/cve-2021-44228/
[9] log4j_rce_check https://gist.github.com/byt3bl33d3r/46661bc206d323e6770907d259e009b6
[10] Log4j2Scan https://github.com/whwlsfb/Log4j2Scan
[11] Qualys Detection https://blog.qualys.com/vulnerabilities-threat-research/2021/12/10/apache-log4j2-zero-day-exploited-in-the-wild-log4shell
[12] SocPrime https://socprime.com/blog/cve-2021-44228-detection-notorious-zero-day-in-log4j-java-library/
[13] Imperva https://www.imperva.com/blog/how-were-protecting-customers-staying-ahead-of-cve-2021-44228/
[14] Log4j RCE Attempts https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
[15] Cloudflare Blog https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
[16] PSIRT rc1 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1
[17] PSIRT rc2 https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
[18] CyberKendra https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
[19] NVDB https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[20] RecordedMedia https://therecord.media/log4j-zero-day-gets-security-fix-just-as-scans-for-vulnerable-systems-ramp-up/
[21] PSIRT Advisory https://logging.apache.org/log4j/2.x/security.html
[22] PSIRT Download https://logging.apache.org/log4j/2.x/download.html
[23] Cybereason Blog https://www.cybereason.com/blog/cybereason-releases-vaccine-to-prevent-exploitation-of-apache-log4shell-vulnerability-cve-2021-44228
[24] Cybereason Vaccine https://github.com/Cybereason/Logout4Shell
[25] DarkReading https://www.darkreading.com/dr-tech/what-to-do-while-waiting-for-the-log4ju-updates
[26] PaloAlto https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
[27] Cloudflare Blog https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
[28] Cloudflare Blog https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
[29] Sygnia Advisory https://blog.sygnia.co/log4shell-remote-code-execution-advisory
[30] ISC SANS Diary https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
[31] ISC SANS Diary https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
[32] Crowdstrike https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
[33] Bleeping Computer https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
[34] Trusted Sec https://www.trustedsec.com/blog/log4j-playbook/
[35] Bleeping Computer https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
[36] Reddit List of resources on log4j https://www.reddit.com/r/netsec/comments/rcwws9/rce_0day_exploit_found_in_log4j_a_popular_java/
[37] CVE-2021-44228-Log4Shell-Hashes https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
[38] NCSC-NL https://github.com/NCSC-NL/log4shell
[39] BlueTeam CheatSheet https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
[40] Log4ShellDetector https://github.com/Neo23x0/log4shell-detector
[41] Bazaar https://bazaar.abuse.ch/browse/tag/log4j
[42] URLHaus https://urlhaus.abuse.ch/browse/tag/log4j
[43] Threatfox https://threatfox.abuse.ch/browse/tag/log4j
[44] CuratedIntel https://github.com/curated-intel/Log4Shell-IOCs
[45] Microsoft Guidance https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
[46] TryHackme https://tryhackme.com/room/solar
[47] Twitter https://twitter.com/80vul/status/1470272820571963392?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Etweet
[48] Twitter https://twitter.com/ankit_anubhav/status/1470648109625536515
[49] Twitter “@FiloSottile” https://twitter.com/FiloSottile/status/1469441487175880711
[50] Twitter “@matthew_d_green” https://twitter.com/matthew_d_green/status/1469715416549367812
[51] ITNews https://www.itnews.com.au/news/log4js-project-sponsorship-skyrockets-after-critical-bug-exploitation-573914