Critical Zero-day vulnerability in Apache Log4j Java library
Security researchers have discovered a new zero-day vulnerability, dubbed Log4Shell, in the Apache Log4j Java-based logging library. It is tracked as CVE-2021-44228 and has scored a perfect 10/10 in the CVSS rating (Critical). The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the vulnerable system and affects all versions from 2.0-beta9 to 2.14.1. It can be exploited through a single string of text. Successful exploitation of this vulnerability could lead to a complete system takeover.
Some experts are calling this one of the most critical vulnerabilities they have seen in years!
It is recommended to update Log4j to its latest version, 2.15.0.
Block all IOCs on the firewall.
Check all internet-facing applications in the environment that are vulnerable to the exploit.
Recommendations for IOCs:
For releases >=2.10:
The vulnerability can be mitigated by setting either the system property "log4j2.formatMsgNoLookups" or the environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" to "true".
For releases from 2.0-beta9 to 2.10.0:
The mitigation is to remove the "JndiLookup" class from the classpath: "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class".
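As an added example (not part of the original advisory or the Log4j project), the Python script below checks a log4j-core jar against the version ranges above and confirms whether the JndiLookup class is still present after the removal step. It assumes the version can be read from the jar file name; the function names and the in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$")
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before the release

def version_key(jar_name):
    """Sortable version tuple parsed from a log4j-core jar file name, or None."""
    m = NAME_RE.search(jar_name)
    if not m:
        return None
    major, minor, patch, stage, n = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(n or 0))

def assess(jar_name, jar_file):
    """Map one jar to the advisory's guidance for its release range."""
    key = version_key(jar_name)
    if key is None:
        return "unknown: not a log4j-core-<version>.jar name"
    # Affected range from the advisory: 2.0-beta9 through 2.14.1.
    if not (2, 0, 0, 1, 9) <= key <= (2, 14, 1, 3, 0):
        return "outside affected range"
    with zipfile.ZipFile(jar_file) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    if not has_jndi:
        return "mitigated: JndiLookup class removed"
    if key >= (2, 10, 0, 3, 0):
        return "affected: set formatMsgNoLookups or upgrade to 2.15.0"
    return "affected: remove JndiLookup class or upgrade to 2.15.0"

def make_jar(with_jndi):
    """Constructed sample input: an in-memory jar, optionally holding the class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, jndi in [("log4j-core-2.14.1.jar", True), ("log4j-core-2.8.2.jar", True),
                       ("log4j-core-2.8.2.jar", False), ("log4j-core-2.15.0.jar", True)]:
        print(name, "->", assess(name, make_jar(jndi)))
```

Jars that have been renamed or repackaged inside another archive are reported as unknown by the file-name check and need manual inspection.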
Reference URLs for IOCs:
https://logging.apache.org/log4j/2.x/security.html
https://www.virustotal.com/gui/collection/04c6ab336e767ae9caee992902c4f3039ccee24df7458cd7cbaf3182644b3044
https://github.com/CriticalPathSecurity/Zeek-IntelligenceFeeds/blob/master/log4j_ip.intel
https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217