What is Log4j?
The Log4j vulnerability recorded in the CVE database as CVE-2021-44228 is a remote code execution vulnerability in Apache's log4j library. Apache log4j supports lookups through the Java Naming and Directory Interface (JNDI): it evaluates lookup expressions inside log messages, so an attacker who can get a string into a log message can make the server send a lookup request and run the code that comes back. The servers answering such lookups can be LDAP, DNS, or other log4j libraries. JNDI is a Java API that lets an application search for data by connecting through services such as LDAP and DNS. Using this vulnerability, a potential attacker can send an LDAP request to any web server. The malicious code inside the Java class returned by this query can run on the web server.
What are the effects?
The main effects of Log4j are that every Java service using the JNDI API has become a potential target, and that attackers without very deep knowledge can exploit such log4j vulnerabilities. The same vulnerability has already been found in the cloud services of large companies such as Steam, Minecraft, Apple and iCloud. Besides running code on the attacked server, this vulnerability also lets malware such as ransomware, trojans and worms be downloaded onto the server. However, it is possible to detect a potential attack by locating the final payload with the ldapsearch tool and using it to find the attackers.
How can we find out?
To detect the Log4j vulnerability, you can download from GitHub the build of the log4shell scanner script that matches your operating system and CPU architecture, and scan the *.jar and *.war files in your own projects with it.
Sample commands:
Linux and OSX: log4shell scan your-project/
Windows: log4shell.exe scan your-project/
You can also detect this vulnerability with the Log4Shell scanner released by PortSwigger for the Burp Suite tool. It is available through Burp Suite's BApp Store and on GitHub. Watching this video guide is recommended for more details.
How can we prevent it?
The log4j vulnerability still exists in versions lower than log4j 2.15.0; with version 2.16.0 it has been fixed. You can download this version from Apache's log4j page. If you are running version 2.10.0 or higher (2.10.0-2.14.0), you can mitigate it by setting the system property "log4j2.formatMsgNoLookups" to "true". For versions 2.0-beta9 to 2.10.0, you can prevent it by deleting the JndiLookup class from the jar. For example:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
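The scan described under "How can we find out?" and the mitigations above, as one added example in Python (not Defscope's code and not the log4shell scanner's): it walks a directory, opens every .jar/.war it finds (including jars nested inside a .war under WEB-INF/lib, which a plain file listing would miss), reads the log4j-core version from the Maven pom.properties entry that such jars carry, maps the version to the action recommended above, and performs the same removal as the zip -d command. The jars it builds for its own demo are constructed stand-ins with placeholder bytes, not real log4j artefacts.

```python
import io
import os
import re
import tempfile
import zipfile

# Class whose presence makes a log4j-core jar exploitable through JNDI lookups.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Maven-built log4j-core jars record their version in this properties file.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1, (1,)); '2.0-beta9' -> (2, 0, 0, (0, 'beta', 9)); pre-releases sort below finals."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?$", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    pre = (0, tag.lower(), int(num or 0)) if tag else (1,)
    return (int(major), int(minor), int(patch or 0), pre)

def advise(version):
    """Map a log4j-core version to the action recommended in the text above."""
    if version is None:
        return "version unknown; treat as vulnerable and upgrade to 2.16.0"
    v = parse_version(version)
    if v >= parse_version("2.16.0"):
        return "fixed"
    if v >= parse_version("2.15.0"):
        return "upgrade to 2.16.0"
    if v >= parse_version("2.10.0"):
        return "set -Dlog4j2.formatMsgNoLookups=true, then upgrade to 2.16.0"
    if v >= parse_version("2.0-beta9"):
        return "remove JndiLookup.class from the jar, then upgrade to 2.16.0"
    return "outside the version range described for CVE-2021-44228"

def find_version(zf, name):
    """Read the version from pom.properties, falling back to the archive file name."""
    if POM_PROPS in zf.namelist():
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        if m:
            return m.group(1).strip()
    m = re.search(r"log4j-core-([0-9][^/]*)\.jar$", name)
    return m.group(1) if m else None

def scan_archive(data, name, findings, depth=0):
    """Inspect one archive held in memory and recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container at all; nothing to inspect
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            version = find_version(zf, name)
            findings.append({"archive": name, "version": version, "action": advise(version)})
        if depth < 3:  # jar inside war inside ear is as deep as real deployments go
            for entry in names:
                if entry.lower().endswith(ARCHIVE_EXTS):
                    scan_archive(zf.read(entry), f"{name}!/{entry}", findings, depth + 1)

def scan_tree(root):
    """Return one finding per archive under root that still contains JndiLookup.class."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings

def strip_jndi_lookup(jar_path):
    """Same effect as `zip -q -d <jar> .../JndiLookup.class`; returns True if the class was removed."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)  # atomic swap: a crash never leaves a half-written jar
    return removed

def build_sample_jar(target, version):
    """Constructed stand-in for a log4j-core jar: real entry layout, placeholder class bytes."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # not real bytecode

def demo():
    """Build a loose 2.14.1 jar and a .war bundling a 2.3 jar; scan, mitigate, rescan."""
    with tempfile.TemporaryDirectory() as root:
        loose = os.path.join(root, "log4j-core-2.14.1.jar")
        build_sample_jar(loose, "2.14.1")
        nested = io.BytesIO()
        build_sample_jar(nested, "2.3")
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.3.jar", nested.getvalue())
        before = scan_tree(root)
        strip_jndi_lookup(loose)  # the zip -d mitigation, applied to the loose jar only
        after = scan_tree(root)
    return before, after
```

Running demo() reports two findings before mitigation (the loose 2.14.1 jar, for which the formatMsgNoLookups property applies, and the 2.3 jar inside the .war, for which class removal applies) and one afterwards: the copy buried in the .war is untouched by stripping the loose jar, which is why a scanner has to look inside deployed archives and not only at files on disk.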
You can contact Defscope's professional team to detect and prevent this vulnerability in your enterprise.
Email: support@defscope.com
Phone: +99412 4092565, 055 2040826