December 14, 2021

How To Fix CVE-2021-44228 Log4Shell- A Critical 0-DAY RCE In Log4j Logging Library?



Cybersecurity researchers disclosed a new, highly critical 0-day vulnerability in Apache Log4j that is being exploited in the wild. The vulnerability, tracked as CVE-2021-44228, allows attackers to carry out unauthenticated remote code execution attacks on any application that uses the Apache web server and affected versions of the Log4j logging utility. Because the vulnerability is highly critical and can be exploited just by sending a line of text, it is highly important to fix the CVE-2021-44228 Log4Shell vulnerability, a critical 0-day RCE in the Apache Log4j logging library.

What Is Log4j Library?

Log4j is a logging framework written in Java and distributed under the Apache Software License. It is predominantly used to capture, format, and publish the logging information produced by systems and applications to multiple destinations. It has three components:

  1. Loggers: Capture logging information.

  2. Appenders: Publish logging information to multiple destinations.

  3. Layouts: Format logging information in different styles.

Summary Of CVE-2021-44228 Log4Shell Vulnerability:

The 0-day flaw CVE-2021-44228 allows attackers to carry out unauthenticated remote code execution attacks on any application that uses the Apache web server and affected versions of the Log4j logging utility. The vulnerability is considered highly critical since it can be easily exploited just by sending a line of specially crafted code.

Apache Foundation said in an advisory that “Apache Log4j <=2.14.1 JNDI features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

Associated CVE ID: CVE-2021-44228
Description: Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library
Associated ZDI ID: NA
CVSS Score: 10.0 Critical
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Impact Score: NA
Exploitability Score: NA
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilege Required (PR): None
User Interaction (UI): None
Scope: Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Impact of the CVE-2021-44228 Log4Shell Vulnerability:

Threat actors can abuse this vulnerability to perform a wide range of cyberattacks, such as deploying coin miners, supply chain attacks, deploying malware like remote access trojans and ransomware, remote code execution, arbitrary code execution, and denial of service.

Who Are Impacted By The CVE-2021-44228 Log4Shell Vulnerability?

The Log4j library is used as a logging platform in multiple popular applications such as Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla, Twitter, and video games such as Minecraft. Anybody who uses a vulnerable version of Log4j in their application is prone to the attack. Please go through the list of applications affected by the vulnerability.

Products Affected:

Log4j Versions Vulnerable To The CVE-2021-44228 Log4Shell Vulnerability:

The CVE-2021-44228 Log4Shell vulnerability affects almost all Log4j 2 versions: 2.0-beta9 <= Apache Log4j <= 2.14.1

Log4j version 1 is not affected by the flaw. However, it is affected by a different remote code execution vulnerability.

How To Fix CVE-2021-44228 Log4Shell Vulnerability?

Before you fix the CVE-2021-44228 Log4Shell vulnerability, it is important to detect the vulnerable machines on your network. Let’s see how to detect the CVE-2021-44228 Log4Shell vulnerability on your server.

Mitigation Actions:

Different versions have different mitigation advisories. Look at the table below:

Log4j >=2.10: The vulnerability can be mitigated just by setting the system property “log4j2.formatMsgNoLookups” to “true”. This can be achieved in either of two ways:

  1. Pass it as a JVM flag, as an argument when you invoke Java:
     # java -Dlog4j2.formatMsgNoLookups=true
     OR
  2. Set the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” to true.
     JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true java
     OR
     JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true

Log4j >=2.7 and <=2.14.1: All “PatternLayout” patterns can be modified to specify the message converter as “%m{nolookups}” instead of just “%m”.

Log4j <=2.10.0: The mitigation is to remove the “JndiLookup” class from the classpath:
     zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
     OR
     Patch the JNDI: https://news.ycombinator.com/item?id=29507263
     OR
     Use the Log4jHotPatch tool to apply the JNDI patch automatically.

Log4j <1.x: It is not confirmed that v1 is also vulnerable. However, it is vulnerable to another RCE vulnerability, CVE-2019-1757. We recommend upgrading to v2.15.0.

Note: It has been stated that setting com.sun.jndi.rmi.object.trustURLCodebase to false would mitigate the CVE, and this is false by default in Java 8u121. However, this information has been removed, so it is no longer believed that this is a sufficient mitigation.
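
The following added example, which is not part of the original post or of any Apache tool, inventories log4j-core jars under a directory: it reads each jar's version, compares it with the affected range given above, and checks whether the JndiLookup class named in the zip command is still present. The pom.properties location and the status labels are assumptions of this example.

```python
import io
import re
import zipfile
from pathlib import Path

# Class path taken from the zip command above; POM_PROPS is where Maven-built
# log4j-core jars normally record their version (an assumption of this example).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def in_affected_range(version):
    """True when 2.0-beta9 <= version <= 2.14.1, the range this page gives."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?", version)
    if not m:
        return True  # unparseable version string: stay conservative
    core = (int(m[1]), int(m[2]), int(m[3] or 0))
    pre = re.fullmatch(r"(alpha|beta|rc)(\d+)", m[4] or "")
    if core == (2, 0, 0) and pre:  # 2.0 pre-releases: beta9 and later count
        return pre[1] == "rc" or (pre[1] == "beta" and int(pre[2]) >= 9)
    return (2, 0, 0) <= core <= (2, 14, 1)

def inspect_jar(data):
    """Return (version or None, JndiLookup.class present?) for a jar's bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            names = set(jar.namelist())
            version = None
            if POM_PROPS in names:
                text = jar.read(POM_PROPS).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            return version, JNDI_CLASS in names
    except zipfile.BadZipFile:
        return None, False

def classify(version, has_jndi):
    if version is None and not has_jndi:
        return "not-log4j-core"
    if version is not None and not in_affected_range(version):
        return "outside-affected-range"
    # Unknown version with the class present is reported as affected.
    return "affected" if has_jndi else "affected-version-jndilookup-removed"

def scan(root):
    """Classify every .jar under root; yields (path, version, status)."""
    for path in sorted(Path(root).rglob("*.jar")):
        version, has_jndi = inspect_jar(path.read_bytes())
        yield str(path), version, classify(version, has_jndi)
```

Call `scan()` on an application directory and review every row that is not `not-log4j-core`. Jars nested inside fat jars or WAR files are not opened, so unpack those first.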

Network IOCs:

Block the below IOCs on Firewalls, Proxies, and other Security Monitoring solutions and keep track of them if any connection is established/observed with them in the Infrastructure.

IP addresses and domains that have been observed in Log4j exploit attempts


(Ab)use of listener-as-a-service domains. These domains can be false-positive heavy, especially if these services are used legitimately within your network.

  • interactsh[.]com
  • interact[.]sh
  • burpcollaborator[.]net
  • requestbin[.]net
  • dnslog[.]cn
  • canarytokens[.]com

This IP is both a listener and a scanner at the same time. Threat hunting for this IOC thus requires additional steps.

  • 45[.]155[.]205[.]233
  • 194[.]151[.]29[.]154
  • 158[.]69[.]204[.]95
  • 47[.]254[.]127[.]78

Permanent Fix:

The CVE-2021-44228 Log4Shell vulnerability is fixed in Log4j 2.15.0. The newly fixed log4j-core.jar is available for download from the Apache Foundation, and it is also available on Maven Central.

This is how you need to fix the CVE-2021-44228 Log4Shell Vulnerability on your affected servers.

We hope this post would help you Fix CVE-2021-44228 Log4Shell- A Critical 0-DAY RCE in Log4j Logging Library. Thanks for reading this threat post.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
