Just in time for the holidays, a significant vulnerability was identified in Apache's Java-based logging library, Log4j. This vulnerability was disclosed on 12/10/2021 and is known as Log4Shell. The flaw exposes some of the world's most popular applications and services to attack. It impacts AWS, Microsoft, Cisco, Google Cloud, and any platform running software that uses the Log4j library.
Like SolarWinds, this weakness sits at the core of the technology stack. Unlike SolarWinds, which tended to affect primarily large platform customers, this zero-day will impact even the smallest organizations dependent upon the webserver logging library.
ProCircular IR Engineer, Joey Marinello, gave a flash briefing on the topic, including steps to implement mitigating controls and detect whether you've been affected by this sophisticated and targeted attack. Be sure to download this briefing and take a look at the vulnerability resources below:
Continuously updated list of software platforms known to be vulnerable to Log4Shell: https://github.com/NCSC-NL/log4shell/tree/main/software
Community-sourced list of IP addresses seen attempting to exploit Log4Shell: https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
Log4Shell Proof-of-Concept code: https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
List of known vulnerable Log4j .jar files: https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes/blob/main/md5sum.txt
Script to test potentially vulnerable endpoints: https://github.com/fullhunt/log4j-scan
Script to analyze log files for Log4Shell exploitation attempts: https://github.com/Neo23x0/log4shell-detector
Log4Shell Vulnerability Overview and Analysis: https://www.randori.com/blog/cve-2021-44228/
Huntress Log4Shell Vulnerability Tester: https://log4shell.huntress.com/
Inside the Log4j2 vulnerability (CVE-2021-44228): https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/