SonicWall Security Blog - Log4j RCE

SonicWall blog post on the Apache Log4j remote code execution vulnerability

Overview:

Apache Log4j is a Java-based logging utility that can be configured through a configuration file or through Java code. Apache Log4j provides many features, such as reliability, extensibility, multiple configuration support including xml/json/yaml, excellent performance and more.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. Here is an example of the attack code:

Workarounds and protections:

In previous releases (>2.10), this behavior can be mitigated by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”.
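An added example, not SonicWall's or Apache's code: a Python audit that checks each log4j-core jar under a directory for the two facts stated above, a version at or below 2.14.1 and whether JndiLookup.class is still present. The function names, the status labels and the use of the jar's Maven pom.properties entry to read the version are assumptions of this example, and the sample jars are constructed stand-ins.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LAST_AFFECTED = (2, 14, 1)  # per the page: Log4j2 <= 2.14.1 is affected

def parse_version(source):  # "version=2.14.1" or "log4j-core-2.14.1.jar" -> (2, 14, 1)
    m = re.search(r"(?:^version=|log4j-core-)(\d+)\.(\d+)(?:\.(\d+))?", source, re.M)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def audit_jar(path):
    """Return (version, JndiLookup present?, status label) for one jar."""
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        pom = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    version = parse_version(pom) or parse_version(path.name)  # fall back to file name
    has_jndi = JNDI_CLASS in names
    if not has_jndi:
        status = "MITIGATED"    # class removed, e.g. by the zip -d workaround
    elif version is None:
        status = "REVIEW"       # class present but version could not be read
    elif version <= LAST_AFFECTED:
        status = "AFFECTED"
    else:
        status = "DEFAULT_OFF"  # 2.15.0 and later disable the behavior by default
    return version, has_jndi, status

def scan(root):
    return {p.name: audit_jar(p) for p in sorted(Path(root).rglob("log4j-core-*.jar"))}

def make_jar(path, pom_version, with_jndi):  # constructed stand-in, no real Log4j code
    with zipfile.ZipFile(path, "w") as jar:
        if pom_version:
            jar.writestr(POM_PROPS, f"version={pom_version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")

def demo():
    samples = [("2.14.1", True, True), ("2.12.0", True, False),
               ("2.15.0", True, True), ("2.10.0", False, True)]
    with tempfile.TemporaryDirectory() as d:
        for ver, pom, jndi in samples:
            make_jar(Path(d) / f"log4j-core-{ver}.jar", ver if pom else None, jndi)
        return scan(d)

if __name__ == "__main__":
    print(demo())
```

The audit cannot see the log4j2.formatMsgNoLookups system property, which is set on the running JVM, and it does not open jars nested inside other archives.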

SonicWall Capture Labs Threat Research is aware of the vulnerability in the Log4j Java-based logging library and has released the following IPS signatures to detect exploitation attempts related to CVE-2021-44228:

  • 2307 Apache Log4j2 JNDI Log Messages Remote Code Execution
  • 18198 Apache Log4j2 JNDI Log Messages Remote Code Execution LDAPS
  • 18199 Apache Log4j2 JNDI Log Messages Remote Code Execution NIS
  • 18200 Apache Log4j2 JNDI Log Messages Remote Code Execution NDS
  • 18201 Apache Log4j2 JNDI Log Messages Remote Code Execution COBRA
  • 18202 Apache Log4j2 JNDI Log Messages Remote Code Execution RMI
  • 18203 Apache Log4j2 JNDI Log Messages Remote Code Execution IIOP
  • 18204 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS 2
  • 2311 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTP
  • 2315 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS
  • 2328 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTPS

SonicWall Capture Labs Threat Research has also released the following WAF signature to protect its customers:

  • 1116 Apache Log4j2 JNDI Log Messages Remote Code Execution

Many attacks have been observed over the past 4 days.

Please note that if your web service/server is accessible over HTTPS, Server DPI-SSL must be enabled for the above signatures to detect exploits targeting this vulnerability.

Owen Anderson