Critical ‘Log4Shell’ zero-day vulnerability likely to be widespread – here’s how to mitigate it

Dec 13, 2021

Dec. 21, 2021: Mitigations updated; please see below.

Dec. 18, 2021: Our parent company, Trend Micro, is now offering a Log4Shell vulnerability assessment. Get an immediate overview of attack surfaces and how to mitigate risks.

An easily exploited critical vulnerability in the Apache Log4j logging library, now commonly referred to as ‘Log4Shell’, can be used by attackers to achieve remote code execution (RCE). This logging utility is extremely common in enterprise and cloud applications, so it is very important that every organization confirm that this vulnerability cannot be used in an attack on its systems. The vulnerability is rated 10/10 in severity because it sits in a very widely used component and is trivially easy to exploit. According to IT News, researchers have confirmed that Apple’s iCloud service, Valve’s Steam platform, and Microsoft’s Minecraft game are affected, and that it could also be used to de-anonymize Tor servers. On Dec. 11, Microsoft announced that it had already observed activities including “installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.”

The vulnerability, discovered on December 9, 2021 and registered as CVE-2021-44228, is a Java Naming and Directory Interface (JNDI) injection vulnerability affecting Log4j versions 2.0-beta9 through 2.14.1. Attackers can exploit it by including a malicious payload in a message that gets logged; when Log4j processes the message, the payload triggers a lookup to a server the attacker controls. The response from that server can cause a malicious Java object to be loaded, which is used to achieve RCE. Furthermore, anyone who has control over log messages or log message parameters can use this as a means of executing arbitrary code.

Mitigation

Patching

We recommend updating vulnerable versions of Log4j to version 2.15.0 or higher as soon as possible.

Preventative Rules for Edge Series Products

An Out-of-Cycle (OoC) release for EdgeIPS/EdgeFire, EdgeIPS LE, and EdgeIPS Pro will be published on 2021/12/13.

This OoC release addresses the Apache Log4j remote code execution vulnerability, CVE-2021-44228. The attacks for this vulnerability are based on Object-Graph Navigation Language (OGNL) expressions, a common expression language in web applications that is easy to obfuscate in order to evade IPS rules. Some rules are therefore set to log only, to detect suspicious network behavior in this situation; users can change the rule actions to suit their environments.

The content of the OoC release:

Rule ID   Severity Level   Default Action                        Rule Name
1230268   4                Drop packet and Reset connection      WEB Apache log4j Remote Code Execution -1.u (CVE-2021-44228)
1230269   4                Drop packet and Reset connection      WEB Apache log4j Remote Code Execution -1.h (CVE-2021-44228)
1230272   3                Log only                              Object-Graph Navigation Language (OGNL) expression ENV detected -1.u (CVE-2021-44228)
1230273   3                Log only                              Object-Graph Navigation Language (OGNL) expression ENV detected -2.h (CVE-2021-44228)
1230274   4                Drop packet and Reset connection      WEB Apache log4j Remote Code Execution -2.u (CVE-2021-44228)
1230275   4                Drop packet and Reset connection      WEB Apache log4j Remote Code Execution -2.h (CVE-2021-44228)
1230276   3                Log only                              WEB Apache log4j Remote Code Execution (suspicious) -1.u (CVE-2021-44228)
1230277   3                Log only                              WEB Apache log4j Remote Code Execution (suspicious) -1.h (CVE-2021-44228)
1230278   3                Log only                              WEB Apache log4j Remote Code Execution (suspicious) -2.u (CVE-2021-44228)
1230279   3                Log only                              WEB Apache log4j Remote Code Execution (suspicious) -2.h (CVE-2021-44228)

The rules above provide limited protection against some of the known behavior around the exploit, but they are not a complete replacement for the vendor patch, and nobody should expect these protections alone to be enough to prevent exploitation. Because of their false-positive (FP) potential, some severity-3 rules default to log only, and the drop action must be enabled manually. For a complete solution, update Log4j to 2.15.0 or higher.

Dec. 21, 2021 Update:

The Apache Log4j security vulnerabilities are still developing. CVE-2021-44228-based attacks are now seen not only over HTTP but also over SMTP and POP3, which enlarges the attack scope. Additionally, related vulnerabilities have been discovered, such as CVE-2021-45046. Initially this was considered a denial-of-service (DoS) vulnerability, but it was revealed to be an RCE/LCE (remote/local code execution) vulnerability when additional exploits were discovered.

A further out-of-cycle (OoC) rule set release has been issued to mitigate these threats. The newly released rules are listed below; they cover a set of extended CVE-2021-44228 attacks and a part of the CVE-2021-45046 attacks. Some default rule actions are set to “Log only” because what these rules detect are suspicious payloads. Users can modify the rule actions based on their environments.

Rule ID   Severity Level   Default Action                        Rule Name
1230316   4                Drop packet and Reset connection      WEB Apache log4j Remote Code Execution -3.h (CVE-2021-44228)
1230319   4                Drop packet and Reset connection      WEB Apache log4j Remote Code Execution -3.u (CVE-2021-44228)
1230318   4                Drop packet and Reset connection      WEB Apache log4j Denial of Service (CVE-2021-45046)
1230331   4                Drop packet and Reset connection      WEB Apache log4j Denial of Service -2 (CVE-2021-45046)
1230334   4                Drop packet and Reset connection      SMTP Apache log4j Remote Code Execution (CVE-2021-44228)
1230335   4                Drop packet and Reset connection      POP3 Apache log4j Remote Code Execution (CVE-2021-44228)
1230295   3                Log only                              WEB Apache log4j Remote Code Execution -2.b (CVE-2021-44228)
1230320   3                Log only                              WEB Apache log4j Remote Code Execution -3.b (CVE-2021-44228)
1230332   3                Log only                              WEB Apache log4j Remote Code Execution -4 (CVE-2021-44228)
1230299   3                Log only                              Object-Graph Navigation Language (OGNL) expression ENV detected -2.b (CVE-2021-44228)
1230298   3                Log only                              WEB Apache log4j Remote Code Execution (suspicious) -2.b (CVE-2021-44228)

We recommend that, whenever possible, vulnerable versions of Log4j are updated to version 2.17.0 or higher.

TXOne Networks