CVE-2021-44228 vulnerability in Apache Log4j library
2021-12-13 23:04:06 Author: securelist.com(查看原文) 阅读量:82 收藏

Incidents

Incidents

minute read

CVE-2021-44228 summary

Last week information security media reported the discovery of the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). The threat, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If an attacker manages to exploit it on a vulnerable server, they gain the ability to execute arbitrary code and potentially take full control of the system. A publicly published Proof-of-Concept, as well as the vulnerability’s easy exploitability, make this situation particularly dangerous.
Kaspersky is aware of PoCs in the public domain and of the possible exploitation of CVE-2021-44228 by cybercriminals. Our products protect against attacks leveraging the vulnerability, including PoC usage. Possible detection names are:

  • UMIDS:Intrusion.Generic.CVE-2021-44228.*
  • PDM:Exploit.Win32.Generic

KATA verdicts:

  • Exploit.CVE-2021-44228.TCP.C&C
  • Exploit.CVE-2021-44228.HTTP.C&C
  • Exploit.CVE-2021-44228.UDP.C&C

Geography of CVE-2021-44228 scan and exploitation attempts, December 2021

CVE-2021-44228 technical details

The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes, there is a high possibility that this vulnerability can be exploited. Almost all versions of Log4j are vulnerable, from 2.0-beta9 to 2.14.1.
Log4j includes a Lookup mechanism that could be used to make requests through special syntax in a format string. For example, it can be used to request various parameters such as the version of the Java environment via ${java:version}, etc. Then, by specifying the jndi key in the string, the Lookup mechanism uses JNDI API. By default, all requests are done using the prefix java:comp/env/; however, the authors implemented the option of using a custom prefix by means of a colon symbol in the key. This is where the vulnerability lies: if jndi:ldap:// is used as the key, the request goes to the specified LDAP server. Other communication protocols, such as LDAPS, DNS and RMI, can also be used.
Thus, an attacker-controlled remote server could return some object to a vulnerable server, potentially leading to arbitrary code execution in the system or to leakage of confidential data. All an attacker should do is send a special string through the mechanism that writes this string to a log file and is therefore handled by the Log4j library. This can be done with simple HTTP requests, for example, ones sent through web forms, data fields, etc, or with any other kind of interactions that use server-side logging.

Mitigations for CVE-2021-44228

Indicators of compromise (IOC)

1cf9b0571decff5303ee9fe3c98bb1f1
194db367fbb403a78d63818c3168a355
18cc66e29a7bc435a316d9c292c45cc6
1780d9aaf4c048ad99fa93b60777e3f9
163e03b99c8cb2c71319a737932e9551

Reports

The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor. Recently, we had an opportunity to perform a deeper investigation on a host compromised by this group.

In this report we provide details on a malicious VBS implant distributed via MS Excel droppers and a fake “Kaspersky Update Agent” which we attribute to WIRTE APT who may be linked to Gaza Cybergang.

The APT trends reports are based on our threat intelligence research and provide a representative snapshot of what we have discussed in greater detail in our private APT reports. This is our latest installment, focusing on activities that we observed during Q3 2021.

According to older public researches, Lyceum conducted operations against organizations in the energy and telecommunications sectors across the Middle East. In 2021, we have been able to identify a new cluster of the group’s activity, focused on two entities in Tunisia.


文章来源: https://securelist.com/cve-2021-44228-vulnerability-in-apache-log4j-library/105210/
如有侵权请联系:admin#unsafe.sh