Log4Shell: know if you are vulnerable and solve this serious flaw

Log4Shell is the latest vulnerability to keep many administrators awake, as they discover that their servers are open to remote attack. It is a severe security flaw that can be exploited in a simple way, and it can affect a very large number of users: it has been found to affect cloud services such as Apple iCloud or Steam. In this article we explain what it is exactly, how it works and, of course, what to do to solve this problem.

What is Log4Shell


It is a vulnerability that affects the popular Java logging library Log4j, developed by Apache. It is widely used in all kinds of services and software, for example in games like Minecraft as well as in cloud services. Applications use it to keep a record, or log, of what happens while they run.

We can say that this problem affects millions of servers around the world. All of them are vulnerable and can be attacked remotely. By exploiting the Log4Shell flaw, an attacker could sneak malware in and take full control of that server; basically, he would have a free hand to do whatever he wanted.

The vulnerability has been registered as CVE-2021-44228 with a CVSS score of 10. To exploit it, the attacker simply needs the application to log a special string, a particular series of characters. Computer security researcher Matthew Prince reported on his Twitter profile evidence that the exploit was available at least 9 days before its publication, although there is no evidence that it was widely used until then.

Now, however, many attackers are exploiting the Log4Shell vulnerability to carry out their attacks. They can, for example, install cryptocurrency miners on a server or turn affected devices into a botnet.

How to detect this vulnerability

Java is estimated to be present on some 3 billion devices worldwide, and the vast majority of programmers use Log4j, so many of them may be exposed to this problem. Is it possible to know whether a system is vulnerable to Log4Shell? There are several ways to do it, and one of the easiest is to check which version of Log4j you have installed: the vulnerable versions range from 2.0-beta9 to 2.14.1.
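The version check described above can be automated. The following script is an added example written for this article, not code from Apache or from any scanner the article mentions; it compares a Log4j version string against the range stated here (2.0-beta9 through 2.14.1) and recovers the version either from the standard artifact file name (log4j-core-X.Y.Z.jar) or from the Implementation-Version attribute in the JAR's MANIFEST.MF. That the Apache-published log4j-core jars carry Implementation-Version is an assumption of the example.

```python
import re
import zipfile
from typing import Optional, Tuple

# Vulnerable range as stated in the article: 2.0-beta9 through 2.14.1 (fixed in 2.15.0).
FIRST_VULNERABLE = "2.0-beta9"
LAST_VULNERABLE = "2.14.1"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)
_JAR_NAME_RE = re.compile(r"log4j-core-(.+)\.jar$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9', '2.14.1' or '2.15.0' into a comparable tuple.

    Pre-release tags sort before the final release of the same number,
    so 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    major, minor, patch, tag, tagnum = m.groups()
    tag_rank = {"alpha": 0, "beta": 1, "rc": 2, None: 3}[tag.lower() if tag else None]
    return (int(major), int(minor), int(patch or 0), tag_rank, int(tagnum or 0))


def is_vulnerable_version(v: str) -> bool:
    """True if v falls inside the affected range given in the article."""
    return parse_version(FIRST_VULNERABLE) <= parse_version(v) <= parse_version(LAST_VULNERABLE)


def version_from_jar_name(filename: str) -> Optional[str]:
    """Recover the version from a standard artifact name such as log4j-core-2.14.1.jar."""
    m = _JAR_NAME_RE.search(filename)
    return m.group(1) if m else None


def version_from_manifest(jar_path: str) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF inside the JAR.

    Assumption: the jar carries the standard Implementation-Version attribute.
    Returns None if the attribute or the manifest is missing.
    """
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def check_jar(jar_path: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version, vulnerable?) for one jar, preferring the manifest over the file name."""
    version = version_from_manifest(jar_path) or version_from_jar_name(jar_path)
    if version is None:
        return None, None
    return version, is_vulnerable_version(version)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        version, vulnerable = check_jar(path)
        state = "UNKNOWN" if vulnerable is None else ("VULNERABLE" if vulnerable else "ok")
        print(f"{path}: {version or '?'} {state}")
```

Run it as `python check_log4j.py /path/to/lib/*.jar` to list each jar with its version and verdict. Note that a renamed or shaded jar (Log4j bundled inside another application's jar) will show as UNKNOWN; in that case, unpack the outer archive and look for the nested log4j-core classes rather than trusting the file name.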

In addition, on GitHub we can find the steps to run commands and detect whether the vulnerability registered as CVE-2021-44228 is present. This Python-based scanner acts as a detector for the Log4Shell vulnerability.

The easiest way to detect whether a remote endpoint is vulnerable is to trigger a DNS query. When the exploit fires, the hypothetical vulnerable server tries to fetch remote code; by placing the address of a free DNS logging tool in the exploit chain, we can see when the vulnerability is triggered. As Lunasec explains, we can use CanaryTokens for this.
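The same lookup string that makes a vulnerable server reach out to the canary host is also what a defender can hunt for in existing logs. The following script is an added example for this article, not code from Lunasec, CanaryTokens or the GitHub scanner mentioned above; it scans web-server access lines for JNDI lookups and reports the scheme and host each one points at. The log lines are constructed for the example and `canary.example` is a placeholder for a DNS canary host the defender controls. It also shows why a plain search for the word `jndi` is not enough: Log4j's own `${lower:...}`/`${upper:...}` lookups can split the word, so the scanner unwraps them before matching.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache combined-log format (not real traffic).
# "canary.example" stands in for a DNS canary host the defender controls.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://canary.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:12:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:dns://canary.example/b}"',
    '10.0.0.12 - - [10/Dec/2021:10:13:00 +0000] "GET /status HTTP/1.1" 200 77 "-" "curl/7.68.0"',
]

# ${lower:x} / ${upper:x} lookups resolve to the letter itself, which lets a
# probe hide the word "jndi" from a naive substring match; unwrap them first.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
# After normalisation, a lookup looks like ${jndi:<scheme>://<host>...}.
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/:}\s]+)", re.IGNORECASE)


def normalize(text: str) -> str:
    """Repeatedly unwrap case-conversion lookups until the text stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line: str) -> List[Dict[str, str]]:
    """Return every JNDI lookup found in one log line, with its scheme and host."""
    return [{"scheme": m.group(1).lower(), "host": m.group(2)}
            for m in _JNDI_LOOKUP.finditer(normalize(line))]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines; each hit records the 1-based line number and the source IP."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for lookup in find_jndi_lookups(line):
            hits.append({"line": number, "source": line.split(" ", 1)[0], **lookup})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['host']} from {hit['source']}")
```

On the sample above it reports lines 2 and 3 (an `ldap` and a `dns` lookup, both to `canary.example`). In practice, feed it every field an application might log (User-Agent, Referer, X-Forwarded-For, form fields), not just the request line, and correlate the reported hosts with outbound DNS queries from the server: a query for a host you did not configure is the confirmation the article describes.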

Checking for Log4Shell attacks

How to fix it on your system

If you know that your system is vulnerable and want to protect it, there are different ways. The most recommended right now is to update Log4j to version 2.15.0, which corrects the problem. You can download it from the official Apache website. It is very important to always have the latest versions, and this is a clear example of why.

You can also consult the official Log4j security announcement, where you will find all the information on the steps to correct the vulnerability and install the necessary patches.

However, given the enormous importance of this security flaw, various options have emerged that act as "momentary patches" to correct, or at least reduce, the problem. One example is the script released by Cybereason, which relies on the vulnerability itself to disable a setting on a remote, vulnerable Log4j instance.

Another temporary mitigation, used until a patch was available, was to set the log4j2.formatMsgNoLookups parameter to true when starting the Java virtual machine (-Dlog4j2.formatMsgNoLookups=true).

Ultimately, the Log4Shell vulnerability is very dangerous and has put millions of devices around the world at risk. It is essential to correct the problem as soon as possible and there is nothing better than updating to the latest version.