Just in Time Bulletin: CVE-2021-44228 Log4Shell
What is CVE-2021-44228?
CVE-2021-44228 is a vulnerability in the Java logging library log4j. LunaSec has coined the name Log4Shell for it. It was originally discovered in Minecraft, but because this library is so widely used, the exploitation reaches much further. What makes it even more dangerous is that it allows remote code execution: a simple input containing a crafted string lets attackers take control of the affected application or server, because the attacker's malicious code is executed when the logs are processed. To determine whether you are affected, review the log files of any services using the affected log4j versions (listed below); if they contain user-controlled strings, those services could be affected. Given the severity of this vulnerability, we recommend treating this situation as if a breach has already taken place.
How bad is this?
- This is a widely used and very popular Java library
- This is a remotely exploitable vulnerability
- This vulnerability does NOT require advanced skill to be exploited
Who is affected by this?
- Likely anyone using Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo
- Users of log4j versions 2.10.0 to 2.14.1
How are they exploited?
- Data from the user is sent to the server (via any protocol)
- The server logs the data in the request, which contains the malicious payload. The log4j vulnerability is triggered by this payload and the server makes a request to the remote endpoint named in the payload
- The response contains a path to a remote Java class file, which is injected into the server process
- This injected payload triggers a second stage and allows an attacker to execute arbitrary code.
How do I protect myself?
NopSec recommends that customers set log4j2.formatMsgNoLookups to true. The vulnerability can only be exploited if the log4j2.formatMsgNoLookups option in the library's configuration is set to false. This option defaults to false in all log4j versions since 2.10.0. You can set it by adding -Dlog4j2.formatMsgNoLookups=true to the JVM command line used to start the application.
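As an added example (not NopSec's tooling), the following script checks a service against the two facts the bulletin gives: whether the log4j-core version on its classpath falls in the stated affected range 2.10.0 to 2.14.1, and whether its JVM command line carries -Dlog4j2.formatMsgNoLookups=true. The classpath and command-line strings are constructed inputs; the assumption that a repeated -D option is resolved last-one-wins follows the JVM's ordered processing of system properties.

```python
import re

# Affected range exactly as stated in the bulletin.
AFFECTED_MIN = (2, 10, 0)
AFFECTED_MAX = (2, 14, 1)

# log4j-core jar names look like log4j-core-2.14.1.jar (assumed naming convention).
_JAR_VERSION = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")

# The mitigation flag on the JVM command line; the value is captured for inspection.
_FLAG = re.compile(r"(?:^|\s)-Dlog4j2\.formatMsgNoLookups=(\S+)")


def parse_version(v: str):
    """Turn '2.14.1' into (2, 14, 1); a qualifier such as '-rc1' is ignored."""
    core = v.split("-", 1)[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(v: str) -> bool:
    """True if v lies within the bulletin's affected range, inclusive."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def find_log4j_versions(classpath: str):
    """Extract log4j-core versions from a ':' or ';' separated classpath."""
    versions = []
    for entry in re.split(r"[:;]", classpath):
        m = _JAR_VERSION.search(entry.strip())
        if m:
            versions.append(m.group(1))
    return versions


def mitigation_applied(jvm_cmdline: str) -> bool:
    """True if the command line sets log4j2.formatMsgNoLookups to true.

    Java's Boolean parsing is case-insensitive, so '=True' also counts; when the
    option is repeated, the last occurrence wins (assumed JVM behaviour)."""
    values = _FLAG.findall(jvm_cmdline)
    return bool(values) and values[-1].strip("\"'").lower() == "true"


def assess(classpath: str, jvm_cmdline: str) -> str:
    """Summarize a service's exposure according to the bulletin's guidance."""
    affected = [v for v in find_log4j_versions(classpath) if is_affected_version(v)]
    if not affected:
        return "no log4j-core in the affected range found"
    if mitigation_applied(jvm_cmdline):
        return f"affected log4j-core {affected[0]}: formatMsgNoLookups mitigation applied"
    return f"affected log4j-core {affected[0]}: NO mitigation, add -Dlog4j2.formatMsgNoLookups=true"


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    cp = "/opt/app/lib/log4j-core-2.14.1.jar:/opt/app/lib/log4j-api-2.14.1.jar"
    print(assess(cp, "java -jar /opt/app/app.jar"))
    print(assess(cp, "java -Dlog4j2.formatMsgNoLookups=True -jar /opt/app/app.jar"))
```

Feed it the real classpath and the process's command line (for example from `ps -o args=`) for each Java service; a "NO mitigation" result on an affected version is the case the bulletin asks customers to remediate.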
If you have additional questions, please don’t hesitate to reach out to your Customer Success Engineer.