Positive Technologies Offers Solutions to Cope with Critical Vulnerability in Popular Log4j library

The vulnerability threatens millions of sites and applications

Security specialist Positive Technologies today announced that the company's signature products (the MaxPatrol VM vulnerability management system, the PT Network Attack Discovery system for deep traffic analysis, and the PT Application Firewall) offer a strong line of defense against the critical zero-day vulnerability identified in the popular Apache Log4j logging library, which is used by millions of Java-based applications and services, enterprise software, cloud servers, and computer games. The vulnerability has generated extensive coverage, and attackers have been actively scanning networks for vulnerable systems and attacking honeypots since Dec. 10.

The Apache Software Foundation Log4j library is one of the world’s most popular logging frameworks, and the vulnerability affects all versions of the library from 2.0-beta9 to 2.14.1. Dubbed Log4Shell, it allows attackers to remotely execute arbitrary code without authentication and obtain full control over vulnerable servers.

CVE-2021-44228 was assigned the maximum CVSS 3.0 severity score of 10. Log4Shell is easy to exploit: an attacker needs no particular technical skill, since it is enough to get a single crafted line of text written to the log through the application.

The Log4j library is included in most Apache network products, and is used in millions of corporate Java applications and web services to log error messages. According to the latest data, cloud servers from Amazon, Apple, Baidu, Cloudflare, DiDi, Google, JD.com, Microsoft, Minecraft, NetEase, Steam, Tencent, Tesla, Twitter, and VMware, as well as solutions from thousands of other software manufacturers, are affected by this vulnerability. In addition, the framework is actively used in various open-source projects, including Elasticsearch, Ghidra, and Red Hat.

Mass scanning of networks for systems vulnerable to Log4Shell has been widely reported, particularly after the first PoC exploit was published on GitHub. Positive Technologies believes this vulnerability can be exploited in many ways; many large organizations around the world, including government installations, and much of the Internet are now under threat.

Positive Technologies products can help detect the threat: all three signature products detect the Log4Shell vulnerability out of the box, which means users do not need to download anything else. If the MaxPatrol VM knowledge base contains the updates from December 10, 2021, vulnerable assets will be detected automatically.

PT Application Firewall (version 3.0) detects an attempt to exploit the vulnerability as an SSTI (server-side template injection) and blocks it, while version 4.0 additionally detects the vulnerability as a JNDI injection attempt.

A rule in PT Application Firewall detects template injection

The exploitation of Log4Shell can also be detected by PT NAD during network traffic analysis. For this, the Positive Technologies Expert Security Center added a special detection rule to the product.

A rule triggers in PT NAD after an attempt to exploit the vulnerability in Log4j library

Moreover, if the vulnerability has already been successfully exploited, the MaxPatrol SIEM incident detection system can help detect further attacker actions, such as launching a reverse shell and attempting to gain a foothold or escalate privileges in the system.

PT ESC recommends that companies using vulnerable services check their infrastructure for abnormal activity and immediately update the Apache Log4j 2 Java library to version 2.15.0-rc2 or higher. If security updates cannot be installed, set the Java system property log4j2.formatMsgNoLookups to true and verify that setting at startup.
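As an added illustration of the startup check recommended above (example code, not Positive Technologies' or the Log4j project's own), a Java guard that refuses to start the application unless the Log4j on the classpath is at or above a minimum fixed version or message lookups have been disabled. The class name, the MIN_FIXED_VERSION constant and the reliance on the jar manifest's Implementation-Version are assumptions; the guard also honours Log4j's LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable, the equivalent of the system property.

```java
import java.util.Locale;

/** Startup guard: fail fast unless Log4j is patched or message lookups are disabled. */
public final class Log4jStartupGuard {

    // Minimum version treated as fixed (assumed; align with your vendor guidance).
    static final String MIN_FIXED_VERSION = "2.15.0";

    /** True if the system property (checked first) or the env var disables lookups. */
    static boolean lookupsDisabled(String sysProp, String envVar) {
        String v = sysProp != null ? sysProp : envVar;
        return v != null && v.trim().toLowerCase(Locale.ROOT).equals("true");
    }

    /** Compares "a.b.c" version strings component-wise; a "-rc2" style suffix is ignored. */
    static int compareVersions(String a, String b) {
        String[] x = a.split("-", 2)[0].split("\\.");
        String[] y = b.split("-", 2)[0].split("\\.");
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? Integer.parseInt(x[i]) : 0;
            int yi = i < y.length ? Integer.parseInt(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }

    /** Reads the Log4j version from the jar manifest; null if absent or not on the classpath. */
    static String detectLog4jVersion() {
        try {
            // initialize=false so the check does not trigger Log4j's own static initialisation
            Class<?> c = Class.forName("org.apache.logging.log4j.LogManager", false,
                                       Log4jStartupGuard.class.getClassLoader());
            Package p = c.getPackage();
            return p == null ? null : p.getImplementationVersion();
        } catch (ClassNotFoundException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String version = detectLog4jVersion();
        // An unknown version is treated as unpatched, so the property must then be set.
        boolean patched = version != null && compareVersions(version, MIN_FIXED_VERSION) >= 0;
        boolean mitigated = lookupsDisabled(System.getProperty("log4j2.formatMsgNoLookups"),
                                            System.getenv("LOG4J_FORMAT_MSG_NO_LOOKUPS"));
        if (!patched && !mitigated) {
            System.err.println("Refusing to start: Log4j " + version
                + " is below " + MIN_FIXED_VERSION + " and log4j2.formatMsgNoLookups is not true");
            System.exit(1);
        }
        System.out.println("Log4j check passed (version=" + version + ", lookupsDisabled=" + mitigated + ")");
    }
}
```

Run it as the first step of the application's entry point, e.g. with -Dlog4j2.formatMsgNoLookups=true on the JVM command line when upgrading is not yet possible.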