CVE-2021-44228 Log4Shell Vulnerability in Apache Log4j 2: Impact, Exploitation, and Mitigation Strategies

Executive Summary

CVE-2021-44228, commonly referred to as Log4Shell, is a critical remote code execution (RCE) vulnerability in the widely used Apache Log4j 2 library. This vulnerability, which has a CVSS score of 10.0, allows attackers to execute arbitrary code on a server by manipulating log messages or log message parameters. The vulnerability has been actively exploited in the wild, affecting numerous sectors globally, including technology, finance, healthcare, and government. The impact of this vulnerability is far-reaching, with potential consequences including data breaches, ransomware attacks, and unauthorized access to sensitive information.

Technical Information

CVE-2021-44228 affects Apache Log4j2 versions 2.0-beta9 through 2.15.0, excluding security releases 2.12.2, 2.12.3, and 2.3.1. The vulnerability arises from the JNDI features used in configuration, log messages, and parameters, which do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

The vulnerability is particularly dangerous because it requires minimal effort to exploit. An attacker can simply send a specially crafted string to a vulnerable application, which then logs the string using Log4j. The string triggers a JNDI lookup to an attacker-controlled server, which responds with a reference to malicious code that the vulnerable application loads and executes. This can lead to complete system compromise, data exfiltration, and further lateral movement within the network.

The severity of this vulnerability is underscored by its CVSS score of 10.0, indicating the highest level of criticality. The attack vector is network-based, with low attack complexity, no privileges required, and no user interaction needed. The scope of the impact is extensive, affecting confidentiality, integrity, and availability.

Exploitation in the Wild

Since its disclosure, the Log4Shell vulnerability has been actively exploited by threat actors. Attackers have leveraged this vulnerability to deploy various types of malware, including ransomware, cryptominers, and botnets. Notable incidents include the exploitation of VMware vCenter Server, UniFi Network Application, and AD Manager Plus for unauthenticated remote code execution.

In one instance, attackers used the vulnerability to deploy the Conti ransomware, leading to significant disruptions in affected organizations. In another case, the Kinsing malware was deployed to mine cryptocurrency on compromised servers. Additionally, the Mirai botnet was observed exploiting the vulnerability to recruit new devices into its network.

Indicators of Compromise (IOCs) associated with these attacks include unusual outbound network traffic to unfamiliar domains, the presence of unexpected processes or services, and the detection of known malware signatures. Organizations are advised to monitor their networks for these IOCs and take immediate action if any are detected.
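The monitoring advice above can be made concrete at the log-line level. The following is an added example, not code from the original report or from any tool it lists: it resolves Log4j's nested `${...}` lookup syntax inner-first (including the case-changing and default-value lookups used to split up the word `jndi`) and reports every lookup in a line that resolves to a JNDI reference, so that a literal `jndi:` with no lookup braces around it is never flagged. Pass each line of a web-server or application log to `jndi_lookups`.

```python
import re
from typing import List, Optional

# After de-obfuscation a hostile lookup body reads "jndi:<scheme>:..." for one of these schemes.
JNDI_RE = re.compile(r"^jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)", re.IGNORECASE)

def _closing_brace(text: str, start: int) -> int:
    """Index of the '}' closing the '${' at `start`, or -1 if unbalanced."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("${", i):
            depth, i = depth + 1, i + 2
        elif text[i] == "}" and (depth := depth - 1) == 0:
            return i
        else:
            i += 1
    return -1

def _evaluate(body: str) -> str:
    """Apply what Log4j's substitutor would do to one (already inner-resolved) lookup body."""
    if ":-" in body:                             # ${name:-default} resolves to the default
        return body.split(":-", 1)[1]
    kind, _, rest = body.partition(":")
    if kind.lower() in ("lower", "upper"):       # ${lower:X} / ${upper:X} only change case
        return rest.lower() if kind.lower() == "lower" else rest.upper()
    return body                                  # any other lookup: keep body, drop braces

def resolve_lookups(text: str, found: Optional[List[str]] = None) -> str:
    """Collapse nested ${...} lookups inner-first; top-level results are appended to `found`."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("${", i):
            end = _closing_brace(text, i)
            if end == -1:                        # unterminated lookup: leave the rest as-is
                out.append(text[i:])
                break
            value = _evaluate(resolve_lookups(text[i + 2:end]))
            if found is not None:
                found.append(value)
            out.append(value)
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def jndi_lookups(log_line: str) -> List[str]:
    """Lookups in the line that resolve to a JNDI reference; a bare 'jndi:' with no ${...} is ignored."""
    found: List[str] = []
    resolve_lookups(log_line, found)
    return [f for f in found if JNDI_RE.match(f)]
```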

APT Groups Using This Vulnerability

Several Advanced Persistent Threat (APT) groups have been observed exploiting the Log4Shell vulnerability. These groups target a wide range of sectors, including technology, finance, healthcare, and government, across various countries. Notable APT groups include:

APT41: Known for its sophisticated cyber espionage campaigns, APT41 has been observed exploiting Log4Shell to gain unauthorized access to sensitive information and deploy malware.

FIN12: This financially motivated group has leveraged the vulnerability to deploy ransomware and extort affected organizations.

Lazarus Group: Associated with North Korea, the Lazarus Group has used Log4Shell to conduct cyber espionage and financial theft.

Cobalt Strike: While not an APT group, the Cobalt Strike tool has been widely used by various threat actors to exploit Log4Shell and conduct post-exploitation activities.

Affected Product Versions

The following product versions are affected by CVE-2021-44228:

Apache Log4j2: Versions 2.0-beta9 to 2.15.0 (excluding 2.12.2, 2.12.3, and 2.3.1)

VMware vCenter Server: Versions prior to the patched release

UniFi Network Application: Versions prior to the patched release

AD Manager Plus: Versions prior to the patched release

Organizations using these products are strongly advised to update to the latest versions to mitigate the risk of exploitation.

Workaround and Mitigation

To mitigate the risk posed by CVE-2021-44228, organizations should take the following steps:

Update to the latest version of Apache Log4j2. Versions 2.16.0 and later have addressed the vulnerability by disabling JNDI lookups by default.

Apply patches provided by vendors for affected products, such as VMware vCenter Server, UniFi Network Application, and AD Manager Plus.

Implement network segmentation to limit the exposure of vulnerable systems to the internet and restrict outbound network traffic to known, trusted domains.

Monitor network traffic for indicators of compromise (IOCs) associated with Log4Shell exploitation, such as unusual outbound connections and the presence of known malware signatures.

Consider using web application firewalls (WAFs) to block malicious payloads targeting the Log4Shell vulnerability.
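The first step above presupposes knowing which Log4j 2 builds are actually deployed. As an added example (not part of this report or of any tool it references), the following scanner reads the version from log4j-core's Maven `pom.properties` inside each jar, applies the affected range this report gives (2.0-beta9 through 2.15.0, excluding 2.3.1, 2.12.2 and 2.12.3), recurses into archives embedded in wars and ears, and records whether `JndiLookup.class`, the class that performs the lookup, is shipped in the archive. The `pom.properties` and class paths are the standard Maven and Log4j layout; anything else is the example's own naming.

```python
import io, re, zipfile
from pathlib import Path
from typing import List, NamedTuple, Optional

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_BACKPORTS = {"2.3.1", "2.12.2", "2.12.3"}  # security releases excluded by the advisory

class Finding(NamedTuple):
    path: str                # "app.war!/WEB-INF/lib/log4j-core.jar" for embedded archives
    version: Optional[str]   # None when log4j-core's pom.properties is absent (e.g. shaded jar)
    has_jndi_lookup: bool    # the class that performs the JNDI lookup is shipped in the archive
    vulnerable: bool         # version is known and falls inside the affected range

def is_vulnerable_version(version: str) -> bool:
    """Affected range stated in the advisory: 2.0-beta9 through 2.15.0, minus the backports."""
    if version in SAFE_BACKPORTS:
        return False
    m = re.match(r"^2\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", version)
    if not m:
        return False  # not a 2.x version string we can interpret (1.x is out of scope here)
    minor, patch, tag, num = int(m[1]), int(m[2] or 0), m[3], m[4]
    if tag and minor == 0 and patch == 0:  # 2.0-betaN / 2.0-rcN: beta9 onward and every rc
        return tag == "rc" or int(num) >= 9
    return (minor, patch) <= (15, 0)

def inspect_archive(data: bytes, path: str, findings: List[Finding]) -> None:
    """Record log4j-core evidence found in one archive, recursing into embedded jars/wars/ears."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM in names:
            for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            vulnerable = version is not None and is_vulnerable_version(version)
            findings.append(Finding(path, version, has_jndi, vulnerable))
        for inner in sorted(names):  # fat jars and wars bundle log4j-core inside themselves
            if inner.lower().endswith((".jar", ".war", ".ear")):
                inspect_archive(zf.read(inner), f"{path}!/{inner}", findings)

def scan_tree(root: str) -> List[Finding]:
    """Inspect every archive below `root` (e.g. an application's lib/ directory)."""
    findings: List[Finding] = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".jar", ".war", ".ear"):
            try:
                inspect_archive(p.read_bytes(), str(p), findings)
            except zipfile.BadZipFile:
                pass  # extension says archive, content is not a zip: skip it
    return findings
```

A finding with `has_jndi_lookup` set but no version (a shaded or repackaged jar) still needs manual review, since the range check cannot run without a version.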

References

For further information on CVE-2021-44228 and related exploits, please refer to the following resources:

Apache Log4j2 2.14.1 Remote Code Execution: http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html

Log4j2-Log4Shell-Regexes: http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html

Log4j-Payload-Generator: http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html

L4sh-Log4j-Remote-Code-Execution: http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html

Log4j-Remote-Code-Execution-Word-Bypassing: http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html

Log4j-scan-Extensive-Scanner: http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html

VMware Security Advisory: http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html

Log4Shell HTTP Header Injection: http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html

VMware vCenter Server Unauthenticated Log4Shell JNDI Injection Remote Code Execution: http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html

UniFi Network Application Unauthenticated Log4Shell Remote Code Execution: http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html

Mobile Iron Log4Shell Remote Command Execution: http://packetstormsecurity.com/files/167917/Mobile-Iron-Log4Shell-Remote-Command-Execution.html

Full Disclosure: http://seclists.org/fulldisclosure/2022/Dec/2

GitHub - 0-x-2-2/CVE-2021-44228: https://github.com/0-x-2-2/CVE-2021-44228

GitHub - 0x3SC4L4T3/Apache-Log4j-POC: https://github.com/0x3SC4L4T3/Apache-Log4j-POC

GitHub - 0xDexter0us/Log4J-Scanner: https://github.com/0xDexter0us/Log4J-Scanner

GitHub - 0xInfection/LogMePwn: https://github.com/0xInfection/LogMePwn

GitHub - 0xRyan/log4j-nullroute: https://github.com/0xRyan/log4j-nullroute

GitHub - 0xst4n/CVE-2021-44228-poc: https://github.com/0xst4n/CVE-2021-44228-poc

GitHub - 0xsyr0/CVE-2021-44228-log4j-log4shell-Security-Research-Summary: https://github.com/0xsyr0/CVE-2021-44228-log4j-log4shell-Security-Research-Summary

GitHub - 0xsyr0/Log4Shell: https://github.com/0xsyr0/Log4Shell

GitHub - 1lann/log4shelldetect: https://github.com/1lann/log4shelldetect

GitHub - 4jfinder/4jfinder.github.io: https://github.com/4jfinder/4jfinder.github.io

GitHub - Ananya-0306/Log-4j-scanner: https://github.com/Ananya-0306/Log-4j-scanner

GitHub - Azeemering/CVE-2021-44228-DFIR-Notes: https://github.com/Azeemering/CVE-2021-44228-DFIR-Notes

GitHub - BinaryDefense/log4j-honeypot-flask: https://github.com/BinaryDefense/log4j-honeypot-flask

GitHub - CERTCC/CVE-2021-44228_scanner: https://github.com/CERTCC/CVE-2021-44228_scanner

GitHub - CodeShield-Security/Log4JShell-Bytecode-Detector: https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector

GitHub - ColdFusionX/CVE-2021-44228-Log4Shell-POC: https://github.com/ColdFusionX/CVE-2021-44228-Log4Shell-POC

GitHub - CrackerCat/CVE-2021-44228-Log4j-Payloads: https://github.com/CrackerCat/CVE-2021-44228-Log4j-Payloads

GitHub - CreeperHost/Log4jPatcher: https://github.com/CreeperHost/Log4jPatcher

GitHub - DXC-StrikeForce/Burp-Log4j-HammerTime: https://github.com/DXC-StrikeForce/Burp-Log4j-HammerTime

GitHub - Diverto/nse-log4shell: https://github.com/Diverto/nse-log4shell

GitHub - DragonSurvivalEU/RCE: https://github.com/DragonSurvivalEU/RCE

GitHub - ExploitPwner/CVE-2021-44228-Mass-RCE-Log4j: https://github.com/ExploitPwner/CVE-2021-44228-Mass-RCE-Log4j

GitHub - Glease/Healer: https://github.com/Glease/Healer

GitHub - HyCraftHD/Log4J-RCE-Proof-Of-Concept: https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept

GitHub - Hydragyrum/evil-rmi-server: https://github.com/Hydragyrum/evil-rmi-server

GitHub - HynekPetrak/log4shell-finder: https://github.com/HynekPetrak/log4shell-finder

GitHub - HynekPetrak/log4shell_finder: https://github.com/HynekPetrak/log4shell_finder

GitHub - JagarYousef/log4j-dork-scanner: https://github.com/JagarYousef/log4j-dork-scanner

GitHub - Jeromeyoung/log4j2burpscanner: https://github.com/Jeromeyoung/log4j2burpscanner

GitHub - Joefreedy/Log4j-Windows-Scanner: https://github.com/Joefreedy/Log4j-Windows-Scanner

GitHub - KeysAU/Get-log4j-Windows-local: https://github.com/KeysAU/Get-log4j-Windows-local

GitHub - KeysAU/Get-log4j-Windows.ps1: https://github.com/KeysAU/Get-log4j-Windows.ps1

GitHub - KosmX/CVE-2021-44228-example: https://github.com/KosmX/CVE-2021-44228-example

GitHub - Koupah/MC-Log4j-Patcher: https://github.com/Koupah/MC-Log4j-Patcher

GitHub - Kr0ff/CVE-2021-44228: https://github.com/Kr0ff/CVE-2021-44228

GitHub - Labout/log4shell-rmi-poc: https://github.com/Labout/log4shell-rmi-poc

GitHub - LiveOverflow/log4shell: https://github.com/LiveOverflow/log4shell

GitHub - M1ngGod/CVE-2021-44228-Log4j-lookup-Rce: https://github.com/M1ngGod/CVE-2021-44228-Log4j-lookup-Rce

GitHub - Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228: https://github.com/Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228

GitHub - MalwareTech/Log4jTools: https://github.com/MalwareTech/Log4jTools

GitHub - Mormoroth/log4j-vulnerable-app-cve-2021-44228-terraform: https://github.com/Mormoroth/log4j-vulnerable-app-cve-2021-44228-terraform

GitHub - MrHarshvardhan/PY-Log4j-RCE-Scanner: https://github.com/MrHarshvardhan/PY-Log4j-RCE-Scanner

GitHub - NS-Sp4ce/Vm4J: https://github.com/NS-Sp4ce/Vm4J

GitHub - Nanitor/log4fix: https://github.com/Nanitor/log4fix

GitHub - NorthwaveSecurity/log4jcheck: https://github.com/NorthwaveSecurity/log4jcheck

GitHub - Occamsec/log4j-checker: https://github.com/Occamsec/log4j-checker

GitHub - OlafHaalstra/log4jcheck: https://github.com/OlafHaalstra/log4jcheck

GitHub - OopsieWoopsie/mc-log4j-patcher: https://github.com/OopsieWoopsie/mc-log4j-patcher

GitHub - Puliczek/CVE-2021-44228-PoC-log4j-bypass-words: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words

GitHub - PwnC00re/Log4J_0day_RCE: https://github.com/PwnC00re/Log4J_0day_RCE

GitHub - RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs: https://github.com/RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs

GitHub - Sh0ckFR/log4j-CVE-2021-44228-Public-IoCs: https://github.com/Sh0ckFR/log4j-CVE-2021-44228-Public-IoCs

GitHub - StandB/CVE-2021-44228-poc: https://github.com/StandB/CVE-2021-44228-poc

GitHub - Tai-e/CVE-2021-44228: https://github.com/Tai-e/CVE-2021-44228

GitHub - TaroballzChen/CVE-2021-44228-log4jVulnScanner-metasploit: https://github.com/TaroballzChen/CVE-2021-44228-log4jVulnScanner-metasploit

GitHub - TheInterception/Log4J-Simulation-Tool: https://github.com/TheInterception/Log4J-Simulation-Tool

GitHub - Y0-kan/Log4jShell-Scan: https://github.com/Y0-kan/Log4jShell-Scan

GitHub - ab0x90/CVE-2021-44228_PoC: https://github.com/ab0x90/CVE-2021-44228_PoC

GitHub - ahmad4fifz/CVE-2021-44228: https://github.com/ahmad4fifz/CVE-2021-44228

GitHub - ainrm/log4j-scan: https://github.com/ainrm/log4j-scan

GitHub - alexandre-lavoie/python-log4rce: https://github.com/alexandre-lavoie/python-log4rce

GitHub - alexandreroman/cve-2021-44228-workaround-buildpack: https://github.com/alexandreroman/cve-2021-44228-workaround-buildpack

GitHub - alexbakker/log4shell-tools: https://github.com/alexbakker/log4shell-tools

GitHub - ankur-katiyar/log4j-docker: https://github.com/ankur-katiyar/log4j-docker

GitHub - atnetws/fail2ban-log4j: https://github.com/atnetws/fail2ban-log4j

GitHub - authomize/log4j-log4shell-affected: https://github.com/authomize/log4j-log4shell-affected

GitHub - aws-samples/kubernetes-log4j-cve-2021-44228-node-agent: https://github.com/aws-samples/kubernetes-log4j-cve-2021-44228-node-agent
