Log4Shell guide – How to detect and mitigate the vulnerability
On 9 December it was revealed that a severe unauthorised remote code execution vulnerability (CVE-2021-44228 Log4Shell Vulnerability) was revealed in Apache’s Log4J. This vulnerability affects a vast number of services and applications as it’s a common logging system used by developers. Has your business been affected?
The remote code execution, which is triggered when a string, provided by the attacker through a variety of different input vectors, is parsed and processed by the Log4j 2 vulnerable component, makes it possible for any attacker to inject text into log messages or log message parameters into server logs. The targeted server will then execute that code via calls to the Java Naming and Directory Interface (JNDI). JNDI commonly interfaces with several network services, including the Lightweight Directory Access Protocol (LDAP), Domain Name Service (DNS), Java’s Remote Interface (RMI), and the Common Object Request Broker (CORBA).
Detection and log searches by organisations are finding that the vulnerability may have been exploited for weeks before it was reported publicly. To date the most common instances include attempts to install coin miners and attempts to extract information and confidential data, including Amazon Web Services keys.
The National Cyber Security Centre (NCSC) has released an alert with more details about Log4J open-source Java logging library, developed by the Apache Foundation.
Our own security experts have identified a useful resource on the CVE-2021-44228 Log4Shell vulnerability. Read the guide which will take you through the steps to determine if you’ve been affected by log4shell and highlights the ways that it can be mitigated.
If you believe you’re under attack or discover that you’ve suffered a breach and need help urgently, get in contact. Call our emergency line on 0800 066 4509 to speak to one of our experts. They’re available 24 hours a day, 7 days a week. You can bookmark this page in case you ever need us.
UPDATE:
A second Apache Log4J vulnerability has been found following security experts attempting to patch and mitigate CVE-2021-44228. You can read advice on how to patch this second vulnerability in a useful ZDNet article.
UPDATE:
Apache have rolled out a new update addressing another vulnerability discovered within Log4j, update 2.17.1 fixes a vulnerability that allows for RCE in 2.17.0 and below. This vulnerability impacts all 2. versions of the logging library, with exception to versions 2.3.2 and 2.12.4.
The vulnerability is rated 6.6 in severity out of 10 and is being tracked as CVE-2021-44832. The complexity of the vulnerability has resulted in a lower rating then previously seen Log4j issues, as this attack requires existing control over the configuration. If an attacker has control of the configuration, they will be able to modify logging files using the JDBC Appender to construct a malicious configuration that executes remote code.
It is advised that any vulnerable versions of Log4j should be updated to 2.17.1 immediately.
If you need any support in mitigating any risks this vulnerability may have on your business please don’t hesitate to get in contact.
