Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)

Critical vulnerability in the popular logging library, Log4j 2, impacts a number of services and applications, including Minecraft, Steam and Apple iCloud. Attackers have begun actively scanning for and attempting to exploit the flaw.

Update December 21: A frequently asked questions (FAQ) blog post was published on December 17 with information on Log4Shell and other associated vulnerabilities. For up-to-date information, please refer to our blog post: CVE-2021-44228, CVE-2021-45046, CVE-2021-4104: Frequently Asked Questions About Log4Shell and Associated Vulnerabilities

Background

On December 9, researchers published proof-of-concept (PoC) exploit code for a critical vulnerability in Apache Log4j 2, a Java logging library used by a number of applications and services including but not limited to:

Dubbed Log4Shell by researchers, the origin of this vulnerability began with reports that several versions of Minecraft, the popular sandbox video game, were affected by this vulnerability.

Additionally, it appears that cloud services such as Steam and Apple iCloud are also affected.

This vulnerability is considered so severe that Cloudflare CEO plans to offer protections for all customers.

Analysis

CVE-2021-44228 is a remote code execution (RCE) vulnerability in Apache Log4j 2. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of log4j. The crafted request uses a Java Naming and Directory Interface (JNDI) injection via a variety of services including:

  • Lightweight Directory Access Protocol (LDAP)
  • Secure LDAP (LDAPS)
  • Remote Method Invocation (RMI)
  • Domain Name Service (DNS)

If the vulnerable server uses log4j to log requests, the exploit will then request a malicious payload over JNDI through one of the services above from an attacker-controlled server. Successful exploitation could lead to RCE.

In the case of Minecraft, users were able to exploit this vulnerability by sending a specially crafted message through Minecraft chat.

Both GreyNoise and Bad Packets have detected mass scanning activity searching for servers using Log4j.

There are now reports that this vulnerability is being used to implant cryptocurrency miners.

Proof of concept

The first PoC for CVE-2021-44228 was released on December 9 prior to its CVE identifier being assigned. At the time this blog post was published, there were additional PoCs available on GitHub.

Solution

While Apache published a release candidate on December 6 to address this vulnerability, it was incomplete. Apache released 2.15.0 on December 10.

Log4j 2.15.0 requires Java 8. Therefore, organizations that use Java 7 will need to upgrade before being able to update to the patched version of Log4j.

Apache advises that if patching is not immediately possible, there are mitigation routes that can be taken to thwart attempts to exploit this vulnerability. As the information from Apache continues to be updated, we recommend referring to their guidance here.

Because Log4j is included in a number of web applications and used by a variety of cloud services, the full scope of this vulnerability won’t be known for some time. However, at the time this blog post was published, some products and services that were confirmed to be vulnerable include:

Product/Service Confirmed Affected
Minecraft Yes
Steam Yes
Apple iCloud Yes
Tencent Yes
Twitter Yes
Baidu Yes
Didi Yes
Cloudflare Yes
Amazon Yes
Tesla Yes
ElasticSearch Yes
Ghidra Yes

A GitHub repository is being maintained that highlights the attack surface of this vulnerability.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, we would like to highlight the following plugins (available in plugin set 202112112213 and later) :

Remote checks

  • Plugin ID 156014 - Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP) - This remote check can be used to identify the vulnerability without authentication. This plugin is compatible with Tenable cloud scanners
  • Plugin ID 155998 - Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check) - This plugin listens for an LDAP BIND connection from a target host. It is not compatible with Tenable.io cloud scanners and may fail to return results in certain networks due to firewall rules or interference from other security devices. We continue to explore options for additional detection and recommend Tenable.io cloud scanner customers use the following four plugins.

For an overview of callbacks in Plugin IDs 156014 and 155998, please visit this post on the Tenable community.

Version checks and local detection (authentication required)

  • Plugin ID 155999 - Apache Log4j < 2.15.0 Remote Code Execution
  • Plugin ID 156000 - Apache Log4j Installed (Unix)
  • Plugin ID 156001 - Apache Log4j JAR Detection (Windows)
  • Plugin ID 156002 - Apache Log4j < 2.15.0 Remote Code Execution

Additionally, a comprehensive Tenable.io Web App Scanning (WAS) plugin has been released which can be used to test input fields that can be used to exploit Log4Shell.

  • Plugin ID 113075 - Apache Log4j Remote Code Execution (Log4Shell)

For supporting information on each of the plugins above, please visit this post on the Tenable Community.

Tenable has released scan templates for Tenable.io, Tenable.sc and Nessus Professional which are pre-configured to allow quick scanning for this vulnerability. In addition, Tenable.io customers have a new dashboard and widgets in the widgets library. Tenable.sc users also have a new Log4Shell dashboard. To ensure your scanner has the latest available plugins, Tenable recommends manually updating your plugin set. Nessus users, including Tenable.io Nessus scanners, can use the following Nessus CLI command:

nessuscli fix --secure --delete feed_auto_last

For more information on using nessuscli, please refer to this article.

Tenable.sc users can manually update plugins using the [Update] links in the Plugins/Feed Configuration UI as shown in the following screenshot

Organizations that don’t currently have a Tenable product can sign up for a free trial of Nessus Professional to scan for this vulnerability.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.

Tenable.ad

Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.