CrowdStrike shares in-depth research for the zero-day LOG4J exploit attacks

Widespread Log4j Remote Code Execution Vulnerability Could Affect Millions — Redmondmag.com

Log4j2 Zero Day Vulnerability Update | CrowdCast | CrowdStrike

CrowdStrike on Thursday presented advice for organizations attempting to address a security vulnerability in the Log4j Java logging framework used in Apache Web servers, which is currently being widely exploited. The advice came via a Log4j2 Zero-Day Vulnerability Update online session, presented by Adam Meyers, senior vice president of intelligence at CrowdStrike. In general, organizations should install the latest version of Log4j if possible, which is version 2.16.0.

Attack and Patch Timeline

Many organizations are subject to ongoing attacks leveraging this Log4j vulnerability, dubbed “Log4Shell.” A list of affected apps compiled by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) can be found in this GitHub post.

In the CrowdStrike online session, Meyers offered the following chronology, crediting Alibaba with first discovering the Log4j flaw:

    • Nov. 24: An Alibaba researcher notified the Apache Software Foundation of a remote code execution vulnerability in Log4j.
    • Nov. 29: The vulnerability, called “Log4Shell” (CVE-2021-44228), got a patch with the release of Log4j version 2.15.0-RC1, but it was not a complete fix.
    • Dec. 5: Log4j 2.15.0-RC2 was released, which restricted previously allowed protocols, but it still enabled attacks using so-called “gadget chain” code within Log4j.
    • Dec. 9: A proof-of-concept exploit was circulated on the Internet, picked up by “a lot of different threat actors.”
    • Dec. 13: Log4j version 2.16.0 was released, which “removed some of the logging functionality and also disabled the Java Naming Directory (JNDI) … and this seems to fix the problem.”
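The timeline above makes the version ordering matter: the two 2.15.0 release candidates predate 2.15.0, and the session treats 2.16.0 as the first fully fixed release. The following checker is an added example, not code from CrowdStrike or the Log4j project: it reads the version that Maven records inside a log4j-core jar and compares it against 2.16.0. The RC-aware ordering rule, the `FIXED_VERSION` threshold and the in-memory sample jars are assumptions made for this example.

```python
import io
import re
import zipfile

# First release the page describes as fixing the problem (assumption: threshold for "patched").
FIXED_VERSION = "2.16.0"
# Path Maven writes into log4j-core jars; it carries a "version=" line.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.15.0-RC1' into a sortable tuple. A final release gets the
    sentinel 999 in the RC slot so that 2.15.0-RC2 sorts before 2.15.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else 999)

def is_patched(version):
    """True when the version is 2.16.0 or later (per the page's timeline)."""
    return parse_version(version) >= parse_version(FIXED_VERSION)

def log4j_core_version(jar_bytes):
    """Return the version string recorded in a log4j-core jar, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PATH not in jar.namelist():
            return None
        for line in jar.read(POM_PATH).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def assess_jar(jar_bytes):
    """Return (version, verdict); verdict is 'patched', 'vulnerable' or 'unknown'."""
    version = log4j_core_version(jar_bytes)
    if version is None:
        return (None, "unknown")
    return (version, "patched" if is_patched(version) else "vulnerable")

def make_fake_jar(version):
    """Constructed sample input: a minimal jar holding only pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()

if __name__ == "__main__":
    for v in ["2.14.1", "2.15.0-RC1", "2.15.0-RC2", "2.15.0", "2.16.0", "2.17.0"]:
        print(v, assess_jar(make_fake_jar(v))[1])
```

To run it against a real deployment, feed `assess_jar` the bytes of each log4j-core jar found on disk; jars repackaged without the Maven metadata come back as "unknown" and need manual inspection.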