Log4J2 Vulnerability: Analysis and Next Steps for SaaS Companies

Jan 17, 2022 | by Sherif Koussa

A few days ago a 0-day CVE was discovered in the Log4j2 library. The CVE was just patched on Friday, Dec 10th. 

What exactly is the Log4J2 Vulnerability?

Apache Log4j2 is a Java-based logging utility. It was originally written by Ceki Gülcü and is part of the Apache Logging Services project of the Apache Software Foundation. Two days ago a severe vulnerability was discovered in the wild, and the bug is already being weaponized.

Basically, any unauthenticated hacker can get RCE (remote code execution) on the server. For example, a simple GET request:

curl myserver.com -H 'User-Agent: ${jndi:ldap://127.0.0.1/a}'

Assuming that the server does log the "User-Agent" request header, you will see in the log file that an attempt to perform a lookup has actually happened:

2021-12-11 13:14:56,207 http-nio-8080-exec-1 WARN Error looking up JNDI resource [ldap://127.0.0.1/a]. javax.naming.CommunicationException: 127.0.0.1:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
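As an added example (not part of the original post), a small Python scanner that flags the lookup string in request header values or log lines and, separately, the WARN line above, which shows that Log4j really attempted the lookup and therefore that lookups are enabled on that instance. The sample lines are constructed here; the scanner goes slightly beyond the literal form above by resolving nested string lookups before matching, as Log4j itself does.

```python
import re

# Constructed sample input: a raw header value like the curl example above, a
# log line like the WARN line above, a nested-lookup variant, and a benign header.
SAMPLE_LINES = [
    "User-Agent: ${jndi:ldap://127.0.0.1/a}",
    "2021-12-11 13:14:56,207 http-nio-8080-exec-1 WARN Error looking up "
    "JNDI resource [ldap://127.0.0.1/a].",
    "User-Agent: ${${lower:J}ndi:rmi://127.0.0.1/b}",
    "User-Agent: Mozilla/5.0 (compatible; monitoring-bot/1.0)",
]

INNERMOST_LOOKUP = re.compile(r"\$\{([^${}]*)\}")   # a ${...} with no nested ${...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
LOOKUP_EXECUTED = "Error looking up JNDI resource"   # Log4j really ran the lookup

def _resolve(inner: str):
    # Evaluate one innermost ${...} as Log4j's string lookups would; None = leave it.
    if inner.startswith("lower:"):
        return inner[len("lower:"):].lower()
    if inner.startswith("upper:"):
        return inner[len("upper:"):].upper()
    if ":-" in inner:                                  # ${name:-default} -> default
        return inner.split(":-", 1)[1]
    return None

def normalize(text: str, max_rounds: int = 10) -> str:
    # Resolve nested lookups inside out, as Log4j does, so "${jndi:" is not hidden.
    for _ in range(max_rounds):
        changed = False
        def substitute(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved
        text = INNERMOST_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text

def classify(line: str):
    # "lookup-attempt": a JNDI lookup string reached us (request or log line).
    # "lookup-executed": Log4j tried to resolve one, so lookups are enabled here.
    if JNDI_LOOKUP.search(normalize(line)):
        return "lookup-attempt"
    if LOOKUP_EXECUTED in line:
        return "lookup-executed"
    return None
```

Run classify over access logs and application logs separately: hits of the first kind tell you who is probing, hits of the second kind tell you which instances still resolve lookups and need the upgrade first.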

There are a lot of solid technical write-ups written about this here and here.

How bad is Log4J2?

Apache rated this vulnerability as Critical with a CVSS score of 10/10, which indicates imminent impact.

The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia's CERT. New Zealand's government cybersecurity organization alert noted that the vulnerability is reportedly being actively exploited.

Considering how easy it is to exploit and how widespread the Log4j library is, this is probably as bad as the Equifax and Heartbleed vulnerabilities.

Who is affected by Log4J2?

JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false by default, meaning JNDI cannot load remote code using LDAP.

However, they might still be vulnerable to other attack vectors that do not use the LDAP variant.

What can you do about it?

The permanent solution is to upgrade Log4j to version 2.15.0. log4j-core.jar is available on Maven Central here, with [release notes] and [log4j security announcements].

Temporary solutions:

  • Setting the log4j2.formatMsgNoLookups system property to true, but this is only available in log4j version 2.10.0 and up. Keep in mind this will only stop the JNDI lookup attack vector variant.
  • If you are using a WAF service, most WAF vendors are updating their rules to mitigate this issue. Keep in mind this is only a temporary solution, and most probably we will see some bypasses in the next few weeks.

Updates Since Original Posting

  • Update December 10, 2021: Apache released Log4j 2.15.0 for Java 8 to address a remote code execution (RCE) vulnerability – CVE-2021-44228.
  • Update December 13, 2021: Apache released Log4j 2.12.2 for Java 7 and Log4j 2.16.0 for Java 8 to address an RCE vulnerability – CVE-2021-45046.
  • Update December 15, 2021: Log4j 1.x is vulnerable to an attack where logging is configured with JMSAppender – CVE-2021-4104.
  • Update December 17, 2021: Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DoS) vulnerability – CVE-2021-45105.
  • Update December 28, 2021: Apache released version 2.17.1 to address CVE-2021-44832.

About the Author

Sherif Koussa
Sherif Koussa is OWASP Ottawa Chapter Co-Leader, Software Developer, Hacker, and founder and CEO of Software Secured and Reshift. In addition to contributing to OWASP Ottawa for over 14 years, Sherif contributed to WebGoat, and OWASP Cheat Sheets. Sherif also helped the SANS and GIAC organizations launch their GSSP-Java and GSSP-NET exams and contributed to a few of their courses. After switching from the software development field to the security field, Sherif took on the mission of supporting developers shifting security left, and ship more secure code organically.