Rewterz Threat Alert – Log4J Vulnerability – Active IOCs In The Region
December 12, 2021
Severity
High
Analysis Summary
Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the LDAP JNDI parser. Apache's security guide states that in Apache Log4j2 <=2.14.1 the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior has been disabled by default.
CVE-2021-44228
Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Java logging library. By sending a specially-crafted string value, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Impact
- Remote code execution
Affected Vendors
Apache
Affected Products
- Apache Log4j versions 2.0 through 2.14.1
- Apache Struts
- Apache Solr
- Apache Druid
- Apache Flink
- ElasticSearch
- Flume
- Apache Dubbo
- Logstash
- Kafka
- Spring-Boot-starter-log4j2
Indicators of Compromise
IP
- 45[.]137[.]21[.]9
- 62[.]76[.]41[.]46
- 45[.]130[.]229[.]168
- 171[.]25[.]193[.]20
- 20[.]71[.]156[.]146
- 45[.]155[.]205[.]233
MD5
- 6d275af23910c5a31b2d9684bbb9c6f3
SHA-256
- 8052f5cc4dfa9a8b4f67280a746acbc099319b9391e3b495a27d08fb5f08db81
SHA-1
- 777c54e96d29a0ed6ddf9698c86afb74322c130f
Remediation
- Block suspicious outbound traffic, such as LDAP and RMI, from the server at the firewall.
- Disable JNDI lookup.
- Remove the JndiLookup class file from log4j-core and restart the service.
- Set spring.jndi.ignore=true
Users are advised to update to Log4J version v2.15.0, which can be found here:
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
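As an added, defensive example that is not part of the Rewterz alert or of Apache's code: a Python script that reads a log4j-core jar's version, flags it if it falls in the 2.0 to 2.14.1 range the alert lists, and writes a hardened copy with the JndiLookup class removed (the "remove the JndiLookup class file" step above). The jar it inspects is a constructed stand-in built in a temporary directory, not the real library; the pom.properties and manifest paths are the conventional Maven locations, and the `-nojndi.jar` output name and the `build_sample_jar` helper are assumptions made for this example.

```python
"""Check a log4j-core jar for the affected version range and strip JndiLookup.class.

Added example, not code from the alert or from Apache. The jar used here is a
constructed stand-in so the script runs offline.
"""
from __future__ import annotations

import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Path of the lookup class inside log4j-core; removing it disables JNDI lookups.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Conventional Maven metadata location inside the jar (assumed layout).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1); qualifiers such as '-rc2' are ignored."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def jar_version(jar: Path) -> str | None:
    """Read the version from pom.properties, falling back to the manifest."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                return m.group(1)
    return None


def is_affected(version: str | None) -> bool:
    """True for 2.0 <= version < 2.15.0, the range the alert lists as affected."""
    if version is None:
        return True  # unknown version: treat as affected until proven otherwise
    return (2, 0) <= parse_version(version) < (2, 15, 0)


def has_jndi_lookup(jar: Path) -> bool:
    """Does the archive still contain the JndiLookup class?"""
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar: Path, out: Path) -> int:
    """Copy jar to out, omitting JndiLookup.class; returns the number of entries dropped."""
    removed = 0
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def assess_and_harden(jar: Path) -> dict:
    """Report version and status; write a hardened sibling jar when affected."""
    version = jar_version(jar)
    report = {
        "jar": jar.name,
        "version": version,
        "affected": is_affected(version),
        "jndi_lookup_present": has_jndi_lookup(jar),
        "hardened": None,
    }
    if report["affected"] and report["jndi_lookup_present"]:
        out = jar.with_name(jar.stem + "-nojndi.jar")  # assumed naming convention
        strip_jndi_lookup(jar, out)
        report["hardened"] = out.name
        report["hardened_has_lookup"] = has_jndi_lookup(out)
    return report


def build_sample_jar(path: Path, version: str, include_lookup: bool = True) -> Path:
    """Constructed stand-in for log4j-core (not the real library) used for the demo."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo() -> dict:
    """Build a constructed 2.14.1 jar in a temp dir, assess it, and clean up."""
    tmp = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    try:
        jar = build_sample_jar(tmp / "log4j-core-2.14.1.jar", "2.14.1")
        return assess_and_harden(jar)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

Real deployments often carry log4j-core inside fat jars, WAR files, or vendor bundles, so the same check has to be applied recursively to nested archives. Stripping the class also disables every JNDI lookup the application's Log4j configuration may legitimately use, which is why the alert's primary advice is the version upgrade.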
Cisco affected products list:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
Redhat affected products list:
https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
Vmware affected products list:
https://www.vmware.com/security/advisories/VMSA-2021-0028.html