REMOTE CODE EXECUTION VULNERABILITY IN LOG4J LIBRARY
Summary
An unauthenticated remote code execution vulnerability exists in the popular Java library ‘Apache Log4j 2’. This library is used by many Java-based applications for logging purposes. The vulnerability allows an attacker to execute arbitrary code within the Java process.
In short: applications that are remotely accessible, handle user input and use Log4j (a version lower than 2.16.0) to log this input are potentially vulnerable.
If an attacker successfully exploits the vulnerability, they are able to execute arbitrary code and subsequently take over the server running the vulnerable application. The entire attack can be carried out remotely and without requiring authentication. From the vulnerable server, the attacker can obtain access to the rest of the network. For these reasons, we classify the impact of this vulnerability as high.
What can you do
What steps to take next
Northwave published a guide on the steps to take next. This guide can be found on https://northwave-security.com/log4j-what-steps-to-take-next/
Mitigation
A new version of Log4j, version 2.16.0, is now available at https://logging.apache.org/log4j/2.x/download.html.
If any of the applications you have built yourself contain the Log4j package, we urgently advise upgrading to the newest version and deploying the new package.
For third-party applications you are using, we advise contacting the vendor for any updates.
If, at this very moment, upgrading is not possible, there are the following mitigation alternatives:
- All versions:
  - Removal of the class “JndiLookup” from the Java Classpath (e.g.: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)
- All versions < 2.16:
  - Consider taking the applications offline
Detection
The only method to determine with reasonable certainty whether you have vulnerable versions of Log4j is to recursively scan the filesystem, including unpacking JAR files and other archives. A local scanner written by Lunasec can be found on GitHub: https://github.com/lunasec-io/lunasec/releases. DTACT has released a local scanner that can also detect Log4j in Docker images; it can be found on GitHub: https://github.com/dtact/divd-2021-00038--log4j-scanner.
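As an added example (not the Northwave, Lunasec or DTACT scanner code), a minimal Python scanner that does what the detection paragraph describes: it walks a directory tree, opens JAR/WAR/EAR archives, unpacks nested archives in memory, reads the log4j-core version from the library's pom.properties and checks whether JndiLookup.class is still present, so it both finds versions below 2.16.0 and verifies that the class-removal mitigation above was applied. The constants, function names and the "path!entry" notation for nested findings are my own choices; the class path and the 2.16.0 cut-off are taken from the advisory.

```python
import io
import os
import zipfile

# The class the "zip -q -d" mitigation removes, and the Maven file carrying log4j-core's "version=".
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 16, 0)  # first version the advisory treats as fixed

def parse_version(text):
    """Return the numeric 'version=' value of pom.properties as a tuple, or None."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            return tuple(int(p) for p in parts if p.isdigit())
    return None

def inspect_archive(data, name):
    """Yield (path, version, jndi_present) per log4j-core copy, unpacking nested archives in memory."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP-based archive, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            yield (name, version, JNDI_CLASS in names)
        for entry in names:
            if entry.lower().endswith(ARCHIVE_EXT):  # e.g. a JAR inside a WAR
                yield from inspect_archive(zf.read(entry), name + "!" + entry)

def is_vulnerable(version, jndi_present):
    """Below 2.16.0 (or unknown version) with JndiLookup still present -> vulnerable."""
    return jndi_present and (version is None or version < FIXED_VERSION)

def scan_tree(root):
    """Walk a directory tree; return findings for every archive found under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings
```

A copy whose JndiLookup.class has been deleted is reported but not flagged by is_vulnerable, and a copy without pom.properties (e.g. a shaded JAR) is flagged because its version cannot be established.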
For urgent support, you can involve the Northwave CERT through 0800-1744 / +31 850 437 909
Important links:
- Log4j what steps to take next: https://northwave-security.com/log4j-what-steps-to-take-next/
- Northwave Threat Response Update 3: https://northwave-security.com/threat-response-update-3-threat-response-remote-code-execution-vulnerability-in-java-log4j-library/
- Northwave Threat Response Update 1: https://northwave-security.com/threat-response-update-remote-code-execution-vulnerability-in-java-log4j-library/
- NCSC Github: https://github.com/NCSC-NL/log4shell
- NCSC news item: https://www.ncsc.nl/actueel/nieuws/2021/december/12/kwetsbare-log4j-applicaties-en-te-nemen-stappen