Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for a critical remote code execution zero-day vulnerability, tracked a CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library.
p0rz9 revealed that the CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups option is set to false.
The Log4j is widely used by both enterprise apps and cloud services, including Apple iCloud and Steam.
A remote, unauthenticated attacker can exploit the CVE-2021-44228 to execute arbitrary code on a vulnerable system leading to a complete system takeover.
The vulnerability was discovered by researchers from Alibaba Cloud’s security team that notified the Apache Foundation on November 24. According to the experts, the vulnerability is easy to exploit and does not require special configuration, for this reason, it received a CVSSv3 score of 10/10. Researchers pointed out that Apache Struts2, Apache Solr, Apache Druid, Apache Flink are all affected by this vulnerability.
Now researchers from cybersecurity firm Cybereason have released a script that works as a “vaccine”(dubbed Logout4Shell) that allows remotely mitigating the Log4Shell vulnerability by turning off the “trustURLCodebase” setting in vulnerable instances of the library.
“While the best mitigation against this vulnerability is to patch log4j to 2.15.0 and above, in Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk. However, enabling these system property requires access to the vulnerable servers as well as a restart.” reads the GitHub Page set up for the Log4Shell project.
Cyberreson experts pointed out that enabling these system property requires access to the vulnerable servers, and the servers have to be restarted.
(SecurityAffairs – hacking, Logout4Shell)