LOG4J VULNERABILITY ASSESSMENT AND MITIGATION

LOG4J VULNERABILITY ASSESSMENT AND MITIGATION

What is Log4j?
 
Log4j, Zero-day exploit the popular Javalogginglibrarylog4j2 was discovered that results in Remote Code Execution (RCE) by logging a certain string.Log4j2 is an open-source, Java-based logging framework commonly incorporated into Apache webservers and Spring-Boot web applications. The vulnerability has been reported with CVE-2021-44228 against the log4j-corejar.CVE-2021-44228 is considered an acritical flaw, and it has a base CVSS score of 10, the highest possible severity rating.

Who is Impacted !!

Too many services are vulnerable to this exploit as log4j is a wild rang used  Java-based logging utility. Cloud  services like Steam, Apple iCloud,  and applications like  Minecraft have already been found to be vulnerable.

Anybody using Apache frameworks services or any Spring- Boot Java-based framework applications that uses log4j2 is likely to be vulnerable.

HOW THE EXPLOIT WORKS !!
 
The exploit works when there is a service or application running with a vulnerable version of log4j2.

An attacker who can control log messages or log message parameters can execute arbitrary code on the vulnerable server loaded from LDAP servers when message lookup substitution is enabled.

Info you have to know about LOG4SHELL exploit!
  • Affected Apache log4j2 Versions
  • Exploit Requirements
  • Exploit Steps
Affected Apache log4j2 Versions 2.0 <= Apache log4j <= 2.14.1

Exploit Requirements

  • A server with a vulnerable log4j version.
  • An endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send the exploit string.
  • log statement that logs out the string from that request.

Exploit Steps

  • Data from the User gets sent to the server (via any protocol),
  • The server logs the data in the request, containing the malicious payload.
  • The log4j vulnerability is triggered by this payload and the server makes a request to  attacker.com via (JNDI),
  • This response contains a path to a remote Java class file which is injected into the server process, This injected payload triggers a second stage and allows an attacker to execute arbitrary code.


HOW TO MITIGATE


SPOT VULNERABLE APPLICATIONS

Ask admin/system team to run a search/grep command on all servers to spot any file with the name "log4j2", Then check if it is a vulnerable version or not.

PERMANENT MITIGATION
Version 2.15.0 of log4j has been released without the vulnerability. log4j-core.jar is available on Apache Log4j page below, You can download it and update your system 

TEMPORARY MITIGATION
Add "log4j.format.msg.nolookups=true" to the global configuration of your server/web applications

CEH V12 vs CEH V11 Difference

 The EC-Council update launched on 7th September 2022 from its predecessor version 11 Certified Ethical Hacker Version 12 (CEH v12) is now a...