Description
Security researchers have discovered a new zero-day vulnerability, dubbed Log4Shell, in the Apache Log4j Java-based logging library. It is tracked as CVE-2021-44228 and has been given a perfect 10/10 CVSS score (Critical). The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system and affects all versions from 2.0-beta9 to 2.14.1; it can be exploited with a single string of text. Successful exploitation of this vulnerability could lead to a complete system takeover.
Some experts are calling this one of the most critical vulnerabilities they have seen in years!
Recommendations:
Update Log4j to its latest version, 2.15.0.
Block all IOCs on the firewall.
Check all internet-facing applications in the environment that are vulnerable to the exploit.
Workaround:
For releases >= 2.10:
The vulnerability can be mitigated by setting either the system property "log4j2.formatMsgNoLookups" or the environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" to "true".
For releases from 2.0-beta9 to 2.10.0:
The mitigation is to remove the "JndiLookup" class from the classpath:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
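An added example, not part of the advisory, that puts the recommendation to check which applications in the environment still run a vulnerable log4j-core and the workaround above into working code. It is written in Python rather than as the shell one-liner so that it runs anywhere without the zip tool: it walks a directory tree for log4j-core-*.jar files, classifies each against the version ranges the advisory gives (fixed at 2.15.0, property/environment-variable workaround for >= 2.10, class removal for 2.0-beta9 to 2.10.0), reports whether JndiLookup.class is still inside the jar, and implements the class removal with the zipfile module in place of zip -q -d. The sample jars it builds are constructed fixtures with a manifest and empty class entries, not real Log4j artifacts, and the function names are my own.

```python
"""Log4Shell (CVE-2021-44228) jar inventory and workaround helper.

Added example, not code from the advisory. Fixtures produced by
build_sample_jar() are constructed stand-ins, not real Log4j artifacts.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# The class the advisory's zip command deletes.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

_JAR_RE = re.compile(
    r"^log4j-core-(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<qual>[A-Za-z]+)(?P<qnum>\d*))?\.jar$"
)


def parse_version(jar_name):
    """Turn 'log4j-core-2.0-beta9.jar' into a sortable tuple (None if not log4j-core).

    A final release sorts after any pre-release of the same number, so
    2.0-beta9 < 2.0 < 2.10.0 < 2.14.1 < 2.15.0.
    """
    m = _JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor = int(m["major"]), int(m["minor"])
    patch = int(m["patch"]) if m["patch"] else 0
    if m["qual"]:
        return (major, minor, patch, 0, m["qual"].lower(), int(m["qnum"] or 0))
    return (major, minor, patch, 1, "", 0)


# Boundaries taken from the advisory text.
FIRST_AFFECTED = parse_version("log4j-core-2.0-beta9.jar")
PROPERTY_WORKAROUND_FROM = parse_version("log4j-core-2.10.0.jar")
FIXED = parse_version("log4j-core-2.15.0.jar")


def jndi_lookup_present(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def assess(jar_path):
    """Classify one log4j-core jar; returns a finding dict or None for other jars."""
    jar_path = Path(jar_path)
    version = parse_version(jar_path.name)
    if version is None:
        return None
    version_str = jar_path.name[len("log4j-core-"):-len(".jar")]
    has_jndi = jndi_lookup_present(jar_path)
    if version >= FIXED:
        status, action = "fixed", "none (2.15.0 or later)"
    elif version < FIRST_AFFECTED:
        status, action = "not listed as affected", "none"
    elif version >= PROPERTY_WORKAROUND_FROM:
        status = "vulnerable"
        action = ("upgrade to 2.15.0, or set log4j2.formatMsgNoLookups=true "
                  "(or LOG4J_FORMAT_MSG_NO_LOOKUPS=true)")
    elif has_jndi:
        status = "vulnerable"
        action = "upgrade to 2.15.0, or remove JndiLookup.class from the jar"
    else:
        status, action = "mitigated", "JndiLookup.class removed; still upgrade to 2.15.0"
    return {"jar": str(jar_path), "version": version_str, "status": status,
            "jndi_lookup_present": has_jndi, "action": action}


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what `zip -q -d` does).

    Returns True if the entry was removed, False if it was not present.
    """
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src:
        entries = src.infolist()
        if JNDI_LOOKUP_CLASS not in {e.filename for e in entries}:
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for entry in entries:
                if entry.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(entry, src.read(entry.filename))
    tmp.replace(jar_path)  # atomic swap so a crash never leaves a half-written jar
    return True


def scan(root):
    """Assess every log4j-core jar below root, oldest version first."""
    paths = Path(root).rglob("log4j-core-*.jar")
    ordered = sorted(paths, key=lambda p: parse_version(p.name) or (0, 0, 0, 0, "", 0))
    return [f for f in map(assess, ordered) if f]


def build_sample_jar(directory, version, with_jndi_lookup=True):
    """Constructed fixture: a tiny jar mimicking log4j-core's layout, not a real one."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def demo():
    """Build fixtures, scan them, apply class removal to the oldest jar; return results."""
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("2.0-beta9", "2.10.0", "2.14.1", "2.15.0"):
            build_sample_jar(tmp, v)
        before = scan(tmp)
        old = Path(tmp) / "log4j-core-2.0-beta9.jar"
        removed = remove_jndi_lookup(old)
        return before, removed, assess(old)


if __name__ == "__main__":
    before, removed, after = demo()
    for f in before:
        print(f"{f['version']:>10}  {f['status']:<10} jndi_lookup={f['jndi_lookup_present']}  {f['action']}")
    print("after class removal:", after["status"])
```

Point scan() at an application's install or deployment directory to get a finding per jar; on a real host, run it as the service account that can read the jars, and re-run after applying either workaround to confirm the change took effect.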
Reference URLs for IOCs:
https://logging.apache.org/log4j/2.x/security.html
https://www.virustotal.com/gui/collection/04c6ab336e767ae9caee992902c4f3039ccee24df7458cd7cbaf3182644b3044
https://github.com/CriticalPathSecurity/Zeek-IntelligenceFeeds/blob/master/log4j_ip.intel
https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217