[German]Since the weekend a vulnerability CVE-2021-44228 contained in the JAVA library log4j keeps the IT scene in suspense. The log4j library is extremely widespread and is used in many products. In addition, the vulnerability is extremely easy to exploit remotely and attacks have also been observed for about 2 weeks. In the blog post I try to pick up the most important questions/answers in a kind of FAQ or as a repository and link to further pages.
The log4j vulnerability CVE-2021-44228
A critical vulnerability exists in the JNDI lookup function in the Java library log4j used for logging, allowing attackers to inject and execute remote code. Log4j is a popular logging library for Java applications used in many products. If an attacker succeeds in specifying a URL to a server they control in the log file managed by log4j, they can hijack a server via logging (Log4Shell).
Since a proof of concept (PoC) for the remote code execution vulnerability in log4j was published on December 9, 2021, the IT world has been upside down. US CISA warns (see) that this is the biggest vulnerability of the year, threatening hundreds of millions of devices and programs. The vulnerability was assigned a CVSS score of 10.0 (maximum) after the blog post was published. Contrary to the original assessment, the critical vulnerability can potentially be exploited on internal systems if they receive or process external data.
Attacks on CVE-2021-44228
There are already reports that the Internet is being widely scanned for vulnerable systems. The Record-Media reports in the article Log4Shell attacks began two weeks ago, Cisco and Cloudflare say, that attacks on the vulnerability were observed as early as December 1, 2021. And the security researchers at Check Point have published the following graph with the skyrocketing attack numbers in this blog post.
(Source: Check Point)
The colleagues at Bleeping Computer also report in this article that attackers are starting to install malware on systems after successful Log4Shell attacks. I have the following supplementary information from Bitdefender Labs:
- Cybercriminals are trying to embed a new ransomware family, Khonsari. They are now attacking Microsoft Windows systems, after Linux servers were initially targeted by the hackers.
- The attackers are also trying to deploy the Orcus remote access Trojan (RAT) via the vulnerability. They attempt to download shellcode from hxxp://test.verble.rocks/dorflersaladreviews.bin.encrypted and inject it into the memory of the conhost.exe process. This shellcode decrypts and reloads other malicious payload into the memory that connects Orcus to the command-and-control servers.
- Reverse bash shells are used by cybercriminals to try to gain access into systems for later follow-up actions. This is relatively easy to do. As a result, more widespread attacks are highly likely.
Bitdefender experts are already observing numerous botnets exploiting the vulnerability to install backdoors in new victim networks and expand their networks. A first example of this is Muhstik. Botnets thrive on their size. The growth of these networks is a good indicator of vulnerability risk. Bitdefender has published a summary of its findings so far in Advisory By Martin Zugec / Dec 13, 2021.
Are my systems vulnerable
The security experts' advice to administrators is to get an overview of which systems use the log4j library or are vulnerable via the vulnerability.
- The initial assessment that older JAVA versions were not vulnerable has unfortunately proven to be wrong. .
- Other implementations of the log4j library like log4net, log4perl, log4php etc. do not seem to be vulnerable after this discussion about the CVE-2021-44228 vulnerability.
In a direct message I received, security vendor Tenable talks about the "Fukushima of IT" and writes that every minute they discover new applications that use Log4j in one way or another. This affects not only the code that companies create, but also the third-party systems they have in place. Everything from the new printer they bought for their office to the ticketing system they just set up is potentially affected by this vulnerability. Some of the affected systems may be located locally on site, while others are hosted in the cloud. Regardless of where the systems are located, the vulnerability will likely have an impact.
Tenable said it observes customers checking 1,000 systems per second and identifying one affected system per second. To test systems online for vulnerability related to the CVE-2021-44228 vulnerability, Trend Micro has provided an online scanner.
It is enough to enter the URL of the website to check in the form field and specify options if necessary to run a check. My problem: I tried some URLs, but got no feedback that they are vulnerable.
- A Python-based scanner for the CVE-2021-44228 vulnerability is mentioned in this blog post as well as here.
- Detectify offers a test for the vulnerability here, though you have to sign up.
LunaSec has described a log4Shell scanner for various platforms (Linux, Windows, macOS) as well as various workarounds against the vulnerability in this article. The scanner can be downloaded and then run locally on one of the affected systems.
According to this article, the U.S. National Security Agency (CISA) has given U.S. agencies until Dec. 24, 2021, to protect log4j vulnerabilities in their systems against Log4Shell.
List of affected/unaffected products
On Github, this page of the NCSC-NL (Nationaal Cyber Security Centrum der Niederlande) contains a (not complete) list of affected or unaffected products, which is constantly updated. Here, administrators could quickly check if a software solution they might be using is listed as vulnerable and request patches from the manufacturer.
I had furthermore already mentioned taht in the blog 0-day CVE-2021-44228 in Java library log4j puts many projects at risk. On this GitHub page, affected services are listed – there is everything that has rank and name. I had published separate articles on Minecraft and VMware here in the blog (see link list at the end of the article). The colleagues from Bleeping Computer have also published a short summary of affected products and countermeasures in this article.
I was still interested in whether my blog, which runs WordPress but is hosted with a web package at Hosteurope, is vulnerable via the CVE-2021-44228 vulnerability. I then checked with support, and was referred to this FAQ. According to this document, my package and the software I use is not affected. Points of contact for further information could also be the following websites.
0-day CVE-2021-44228 in Java library log4j puts many projects at risk
log4j vulnerability CVE-2021-44228: Patch your Minecraft
VMware products threatened by log4j vulnerability CVE-2021-44228
Cookies helps to fund this blog: Cookie settings