December 15, 2021: This post has been updated to provide new query examples that take into account a second Log4j vulnerability that has since been disclosed. A running list of related software regarding the Log4j vulnerability can be found here: https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
On December 9, 2021, a high severity vulnerability was found in the popular Java logging library, Apache Log4j 2, an open source Java package used by many widely-used applications, including those from Apple, Cloudflare, and Twitter, as well as Elasticsearch and Minecraft. If exploited, the vulnerability, dubbed Log4Shell and assigned CVE-2021-44228, could lead to malicious remote code execution. According to MITRE, the vulnerability affects versions 2.0 - 2.14.1. Log4Shell could allow an attacker to access the library (appearing as the legitimate user), execute arbitrary code, and serve up a malicious payload such as malware, redirection, or ransomware.
Although the vulnerability exists in Java-based apps, Log4j is also a dependency for many common standalone services used for enterprise applications and cloud services. According to Adrian Sanabria, Founder of Security Weekly Labs, “I honestly can't remember seeing a Java/J2EE app that didn't use Log4j. The exposure of this vulnerability is basically anything that takes user-supplied input and logs it anywhere that uses versions prior to 2.15.”
In short, the opportunity for Log4Shell to blow up is huge. Any Java-based web application (built on the Log4j library) is potentially susceptible, any network appliances dependent on Java could also be affected, and, according to LunaSec, “Anybody using Apache Struts is likely vulnerable.” If you’re suddenly having flashbacks to September 2017 and the Equifax breach, we wouldn’t blame you. The potential impact of an exploit could be global.
The most immediate and effective mitigation for Log4Shell is upgrading to patched versions of Log4j 2.
But first enterprises will need to know if they’re impacted.
Tracking Log4j 2 With Axonius
Security and IT teams can use the Axonius Query Wizard to find the existence of Log4j in their environment by searching for Log4j as installed software, or by identifying the specific CVE provided that a recent vulnerability scan has been performed across the environment.
Tracking Log4j Installations
The query below returns any device with Log4j libraries installed. Results for instances of Log4j versions earlier than 2.16.0 should be acted on quickly, as they are vulnerable and being actively exploited. Note: this query returns devices on which Log4j appears by name in the installed-software inventory. It will not detect cases where Log4j is bundled inside a JAR file or another library.
("specific_data.data.installed_software" == match([("name" == regex("Log4j", "i"))]))
Importantly, version 2.15 was just released by Apache on December 6, 2021 and version 2.16 was released on December 14, 2021, so most enterprises won’t have updated yet. In other words, most enterprises will still be using version 2.0 - 2.15 — the vulnerable versions.
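The note above says the software-name query cannot see Log4j bundled inside a JAR. The following is an added example, not Axonius code or an Axonius query, of a host-side check that opens archives (including JARs nested inside WARs or EARs), reads the version from log4j-core's Maven pom.properties, and flags anything below 2.16.0 as the post recommends. The marker paths are the ones log4j-core ships; the sample WAR is constructed inline, and scan_tree assumes a local filesystem root.

```python
import io
import zipfile
from pathlib import Path

# Marker entries inside log4j-core: pom.properties carries the version string,
# JndiLookup.class is the class the JNDI lookup feature lives in.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 16, 0)  # threshold from the post: versions below this are flagged
NESTED_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(props):
    """Numeric version tuple from a Maven pom.properties blob; () if absent."""
    for line in props.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return tuple(int(p) for p in line[8:].strip().split(".") if p.isdigit())
    return ()

def inspect_archive(blob, path):
    """Inspect one ZIP-based archive held in memory, recursing into nested ones."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return findings  # not an archive (or corrupt): nothing to inspect
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            ver = parse_version(zf.read(POM_PROPS))
            findings.append({"path": path, "version": ".".join(map(str, ver)),
                             "has_jndi_lookup": JNDI_CLASS in names,
                             "vulnerable": ver < FIXED})  # unknown () also flags
        for name in names:  # e.g. WEB-INF/lib/log4j-core.jar inside a WAR
            if name.lower().endswith(NESTED_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{path}!{name}"))
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive file found under it."""
    paths = (p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in NESTED_EXT)
    return [hit for p in paths for hit in inspect_archive(p.read_bytes(), str(p))]

def build_sample_war(version):
    """Constructed sample input: a WAR bundling a fake log4j-core of this version."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as j:
        j.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        j.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode
    with zipfile.ZipFile(outer, "w") as w:
        w.writestr("WEB-INF/lib/log4j-core.jar", inner.getvalue())
    return outer.getvalue()
```

Each finding records the nested path (outer archive, then `!`, then the inner entry) so the exact bundled copy can be located and upgraded; an archive with no readable version is flagged rather than silently passed.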
Identifying devices by the specific Log4j vulnerability
If you’ve performed a vulnerability scan following the disclosure of this vulnerability, a simple Axonius query for CVE-2021-44228 or CVE-2021-45046 can identify any device that’s running vulnerable log4j. Note: for many large companies, it is often unrealistic to scan the entire infrastructure this quickly after a zero-day vulnerability. Nonetheless, this query can be saved and run continuously to alert you to vulnerable devices any time they appear.
("specific_data.data.software_cves.cve_id" == "CVE-2021-44228") or ("specific_data.data.software_cves.cve_id" == "CVE-2021-45046")
Tracking down related applications that may contain Log4j
Identifying related applications that may contain Log4j is also recommended. The query below returns any device running applications that may be affected. Note: some of these applications may not use Log4j by default, but it’s possible they are configured to use it. A running list of related applications that may be impacted can be found here: https://github.com/NCSC-NL/log4shell/blob/main/software/README.md
("specific_data.data.installed_software.name" == regex("Apache", "i")) or ("specific_data.data.installed_software.name" == regex("Elastic", "i")) or ("specific_data.data.installed_software.name" == regex("Ghidra", "i")) or ("specific_data.data.installed_software.name" == regex("Grails", "i")) or ("specific_data.data.installed_software.name" == regex("Minecraft", "i")) or ("specific_data.data.installed_software.name" == regex("Dropwizard", "i")) or ("specific_data.data.installed_software.name" == regex("Hibernate", "i")) or ("specific_data.data.installed_software.name" == regex("JavaServer Faces", "i")) or ("specific_data.data.installed_software.name" == regex("Oracle ATG Web Commerce", "i")) or ("specific_data.data.installed_software.name" == regex("Spring Framework", "i"))
Setting Alerts
Any of the example queries shown above can be used as a trigger to automatically take action. For instance, Axonius users can create an incident in the Enforcement Center and alert asset owners so they can take immediate action to patch and to watch for suspicious activity.
Dedicated Log4j Dashboard
The same queries can also be turned into dashboards for easy tracking and reporting purposes.
Note: customers will soon receive packaged queries and dashboards to import into Axonius to track Log4Shell and related risks.