CVE-2021-44228 summary

Last week information security media reported the discovery of the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). The threat, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If an attacker manages to exploit it on a vulnerable server, they gain the ability to execute arbitrary code and potentially take full control of the system. A publicly published Proof-of-Concept, as well as the vulnerability’s easy exploitability, make this situation particularly dangerous.
Kaspersky is aware of PoCs in the public domain and of the possible exploitation of CVE-2021-44228 by cybercriminals. Our products protect against attacks leveraging the vulnerability, including PoC usage. Possible detection names are:

  • UMIDS:Intrusion.Generic.CVE-2021-44228.*
  • PDM:Exploit.Win32.Generic

KATA verdicts:

  • Exploit.CVE-2021-44228.TCP.C&C
  • Exploit.CVE-2021-44228.HTTP.C&C
  • Exploit.CVE-2021-44228.UDP.C&C

Geography of CVE-2021-44228 scan and exploitation attempts, December 2021

CVE-2021-44228 technical details

The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes, there is a high possibility that this vulnerability can be exploited. Almost all versions of Log4j are vulnerable, from 2.0-beta9 to 2.14.1.
Log4j includes a Lookup mechanism that could be used to make requests through special syntax in a format string. For example, it can be used to request various parameters such as the version of the Java environment via ${java:version}, etc. Then, by specifying the jndi key in the string, the Lookup mechanism uses JNDI API. By default, all requests are done using the prefix java:comp/env/; however, the authors implemented the option of using a custom prefix by means of a colon symbol in the key. This is where the vulnerability lies: if jndi:ldap:// is used as the key, the request goes to the specified LDAP server. Other communication protocols, such as LDAPS, DNS and RMI, can also be used.
Thus, an attacker-controlled remote server could return some object to a vulnerable server, potentially leading to arbitrary code execution in the system or to leakage of confidential data. All an attacker should do is send a special string through the mechanism that writes this string to a log file and is therefore handled by the Log4j library. This can be done with simple HTTP requests, for example, ones sent through web forms, data fields, etc, or with any other kind of interactions that use server-side logging.

Mitigations for CVE-2021-44228

Indicators of compromise (IOC)

1cf9b0571decff5303ee9fe3c98bb1f1
194db367fbb403a78d63818c3168a355
18cc66e29a7bc435a316d9c292c45cc6
1780d9aaf4c048ad99fa93b60777e3f9
163e03b99c8cb2c71319a737932e9551

Posted by Charlie