Day 29: What is Log4J Vulnerability or Log4Shell ?

What is Log4J Vulnerability or Log4Shell

Millions of machines are vulnerable to Log4Shell, a web vulnerability, which uses Log4j, a mysterious but essentially universal piece of software. The software is used to document all kinds of internal computer system operations in a variety of computer systems.

The way Log4Shell operates is by taking advantage of a Log4j feature that lets users specify custom code for structuring log messages. If another server maintains a directory connecting user names and actual names, this capability enables Log4j, for instance, to log not only the username associated with each attempt to log in to the server but also the person’s true name. The Log4j server must speak with the server that stores the real names to accomplish this.

This particular vulnerability was observed in the following by security researchers:

  1. Elknot 
  2. M8220 
  3. SitesLoader 
  4. XMRIGminer  
  5. Mirai 
  6. Kinsing 
  7. Muhstikbotnet
  8. (new)KhonsariRansomeware
  9. OrcusRemoteAccessTrojan

 

photo by Zeron

 

 

photo by Zeron

What to do about Log4J as a company or individual?

1. Verify to see if the vulnerability affects you.

There are several techniques to determine whether you are vulnerable:

Static analysis is used:

• If you create software that uses the Java Virtual Machine (JVM) and is based on Java, Scala, Kotlin, Groovy, or Clojure, be sure you are not utilizing a version of the Log4J-core JAR that is less than 2.16.0.

• Check the other software you are using to see if it is vulnerable based on the NCSC-published NL’s list. A similar register can be found on CISA’s website.

Dynamic analysis used:

• You can find out if you are vulnerable by using a variety of tools, which NCSC-NL has again properly listed in their Github repository. See which one you prefer in light of your current circumstances.

2. Patch Immediately!

When you discover vulnerable software, patch it! When you create your program, you must at the very least update Log4J-core to version 2.16.0. (2.12.2 when using Java7). When using third-party software, make sure to update it or follow your vendor’s patching instructions if it contains a vulnerable version of Log4J. In the absence of an upgrade or instructions, get in touch with the software’s manufacturer and request assistance. Does that not also assist? Continue reading to learn about further options.

3. Event and Security Monitoring

Make sure your security incidents and event monitoring (SIEM) system is set up properly. Make sure you can recognize when the Log4Shell exploit has been used on your system and that you can identify unusual behavior on your system. 

4. Be ready to respond to incidents

Be prepared to respond to incidents at all times. When security issues occur, make sure you have a run-book and a call tree prepared. You should get in touch with a qualified incident response team if you believe or discover that your application landscape has been effectively abused.

Summary of the Log4J vulnerability or Log4Shell

• A brand-new critical remote code execution vulnerability has been discovered in the Java-based logging software Apache Log4j2, and it is being tagged as CVE-2021-44228.

• Exploit proof-of-concept code is readily available, and extensive internet scanning suggests that exploitation is currently taking place.

• Exploitation attempts now provide payloads for widespread cryptocurrency miners.

• Because Log4j2s is widely used in several online applications, this vulnerability affects significant services and applications globally.

• Due to how rapidly and simply exploitation attempts are being conducted, security-focused companies and researchers suggest updating impacted services to the most recent version of Log4j2.

Hope you enjoyed this blog post on an overview of Google Dorking. Well, that will be all for the Day 29 post. Catch you in the next post. 😉