What is CVE-2021-44228?

CVE-2021-44228 is a remote code execution vulnerability that is affecting multiple versions of the Apache Log4j 2 library.
This vulnerability is being actively exploited in the wild with a number of instances being reported.

Even when remote code execution exploitation is not possible it is often possible to extract sensitive information from environment variables via a DNS request.
A huge variety of systems are affected by this issue, the complete list of affected products is currently unknown. However a community effort to document these is underway here: https://github.com/authomize/log4j-log4shell-affected

More information to follow as the situation evolves.

AppCheck Log4j Research

Over the past week the AppCheck research team has been closely monitoring the log4j vulnerability and researching new vectors of exploitation.
The following summarises some of the key points and developments:

1. Currently, much of the observed detection attempts only scratch the surface

Real word observation of malicious threat actors (and others) searching for the vulnerability show a methodology that is very limited and designed to catch the low hanging fruit. The most common attempts involve embedding the payload within common HTTP request headers to any arbitrary request, usually the web root. Whilst this may work in some cases, it will usually only be successful if the target web server platform itself is logging via log4j, for example to create an access or request error log.

In many real-world cases however, the vulnerable logging function isn’t used in this way and its not until the hosted application functionality is properly flexed that the vulnerability is triggered.

We therefore recommend that AppCheck customers run a full crawl AppCheck scan of your web applications as well as using the faster log4j profile.

We have added a profile named “Log4j Full App Crawl” that uses the full crawler and only the plugins used to detect the log4j vulnerability. This differs from the original profile in that it will fully crawl the application and test all parameters by default to provide wider coverage.

Note that a full log4j scan is included with all standard scan profiles by default.

2. This isn’t a web server vulnerability

Naturally, the most common vectors for this vulnerability are via the web server and web applications. These are likely to remain the most common vectors for exploitation for some time to come. However, this flaw exists within a Java library that is used across a myriad of systems and impacts them in the same way. As the number of easy to exploit web servers beings to dwindle, malicious actors are likely to expand their capabilities to include other protocols.

At the time of writing (16^th December 2021) AppCheck has added a number of vectors including SMTP, FTP and SSH as well as HTTP(s) and HTTP/2. These are included in all profiles by default for both infrastructure and web application scans.

3. Delayed execution

A common approach for detecting this vulnerability is to submit a payload containing a specially crafted hostname then observe a DNS pingback for that hostname. In many cases the scanners that are adopting this technique are expecting the DNS lookup to be immediate or within a few seconds. This can cause some cases to be missed, for example when log messages are buffered or delayed. In several real world cases we have observed a situation where data submitted via the application is used to create a job for another system that when processed triggers the flaw, this of course may result in a significant delay between scan and payload execution.

AppCheck has added delayed execution detection so to allow detection when the payload triggers outside of the initial scan window.

4. Active exploitation against known vectors.

Over the past week there has been a sharp uptick in successful attacks targeting known triggers in popular software such as VMWare, Mobile Iron and Liferay CMS’s.

AppCheck has added a database of known triggers to our detection to quickly detect these vectors in infrastructure scanning. We will continue to add to this list as vectors become known.

How to detect CVE-2021-44228

If you are an AppCheck customer, the good news is your regular scans will have already picked up this vulnerability, and over the weekend (11th and 12th ) AppCheck has been closely monitoring public attack vectors and has released a comprehensive detection that is available to all clients across all scans and profiles. We have also added a specific template to run a quick check for this CVE.

Current features include:

• Detection via HTTP servers and intermediaries by injecting into parameters, paths and headers
• Known triggers are tested for popular software such as Mobile Iron, VMWare, LifeRay and others
• Payload obfuscation to evade some flawed filters deployed via Web Application Firewalls and Cloud Security solutions
• Multiple protocol handler support; dns, rmi and ldap by default
• Detection via Web Application Scanning and Infrastructure scanning
• Attacks via DNS response; Submitting a specially crafted hostname that when resolved will return the log4shell payload with the name text of the A record. If this record is then resolved and stored it will trigger a ping back to AppCheck Sentinel
• Detection via HTTP, HTTP2, SSH, FTP and SMTP
• Delayed execution detection

The support team are on hand for any queries but please appreciate we anticipate high volumes of requests regarding this vulnerability so response times may be slower than usual.