REMOTE CODE EXECUTION VULNERABILITY IN LOG4J LIBRARY

Summary

An unauthenticated remote code execution vulnerability exists in the popular Java library ‘Apache Log4j 2’. Many Java-based applications use this library for logging. The vulnerability allows an attacker to execute arbitrary code within the Java process.

In short: applications that are remotely accessible, handle user input and use Log4j (a version lower than 2.15.0) to log that input are potentially vulnerable.

If an attacker is successful in exploiting the vulnerability, they are able to execute arbitrary code and subsequently take over the server running the vulnerable application. The entire attack can be carried out remotely and without requiring authentication. From the vulnerable server, the attacker can obtain access to the rest of the network. For these reasons, we classify the impact of this vulnerability as high.

What can you do

The full mitigation steps, with the relevant commands and tools, are described in the following Northwave threat response: https://northwave-security.com/threat-response-update-remote-code-execution-vulnerability-in-java-log4j-library/

In summary:

  1. Check for known vulnerable software
  2. Scan for known vulnerable software using EDR/vulnerability management tooling
  3. Scan for known vulnerable software using an online scanning tool
  4. Scan for known vulnerable software locally
  5. Update all vulnerable log4j versions to the latest version
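A local check for step 4 that also applies the version cut-off from step 5, as an added example; it is not part of the Northwave advisory or its log4jcheck tool. It reads the version from the pom.properties that Maven-built log4j-core jars carry, recurses into nested archives (WARs, shaded jars) and flags only the Log4j 2.x line below 2.15.0. The build_sample_jar fixture is constructed for demonstration and is not a real artefact.

```python
import io
import re
import zipfile
from pathlib import Path

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # real path in Maven-built jars
FIXED = (2, 15, 0)                  # the advisory: versions lower than 2.15.0 are affected
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def is_vulnerable(version_text):
    """True for the Log4j 2.x line below 2.15.0; '2.0-beta9' parses as (2, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version_text.strip())
    if not m:
        return False                # unparsable: the caller still sees the raw string
    version = tuple(int(x or 0) for x in m.groups())
    return version[0] == 2 and version < FIXED

def scan_archive(data, label):
    """Return (label, version, vulnerable) per log4j-core found, recursing into
    nested jars so shaded/uber jars and WARs with WEB-INF/lib are not missed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                lines = zf.read(name).decode("utf-8", "replace").splitlines()
                version = next((ln.split("=", 1)[1].strip() for ln in lines if ln.startswith("version=")), "?")
                findings.append((label, version, is_vulnerable(version)))
            elif name.lower().endswith(ARCHIVES):
                findings += scan_archive(zf.read(name), f"{label}!{name}")
    return findings

def scan_tree(root):
    """Walk a directory (e.g. an application's lib folder) and scan every archive in it."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            findings += scan_archive(path.read_bytes(), str(path))
    return findings

def build_sample_jar(version, wrap_in=None):
    """Constructed fixture (not a real artefact): a minimal log4j-core-like jar, optionally nested."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
    if wrap_in is None:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(wrap_in, inner.getvalue())
    return outer.getvalue()
```

Run scan_tree against an application's deployment directory and treat every finding marked True as a jar to update; a jar that carries no pom.properties (some vendor repackagings) is not found this way and needs a manual check.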

What will Northwave do

  1. Detect exploitation attempts on endpoints using Microsoft Defender for Endpoint or ESET
  2. Detect perimeter exploit attempts via the Northwave NIDS
  3. Inform Northwave Vulnerability Management customers if any vulnerable Log4j instances are found
  4. Monitor any developments proactively and add new possible detections to the platform

If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Important links:

Timeline:

DATE: 13-12-2021 | TIME: 07:02

Update: First known ransomware using log4j

DATE: 12-12-2021 | TIME: 16:00

Update: NCSC releases maintained list of vulnerable applications

https://www.ncsc.nl/actueel/nieuws/2021/december/12/kwetsbare-log4j-applicaties-en-te-nemen-stappen

https://github.com/NCSC-NL/log4shell

DATE: 10-12-2021 | TIME: 00:00

Update: Northwave releases an online Log4j vulnerability checker.

https://github.com/NorthwaveSecurity/log4jcheck/

DATE: 09-12-2021 | TIME: 00:00

Update: LunaSec publishes the vulnerability

https://www.lunasec.io/docs/blog/log4j-zero-day/