Security experts in an organization usually underestimate the presence of unauthorized cloud infrastructure …
A remote code execution vulnerability has been recently discovered in the popular Java logging framework Log4j affecting versions 2.0-beta9 to 2.14.1, and also some versions of log4j 1.*.
The vulnerability has been officially disclosed as CVE-2021-44228 but also got some more popular names as log4Shell or log4jShell.
As one of the most popular logging frameworks, Log4j has been used in the majority of Java projects. It is important that we quickly assess which projects actually include the vulnerable log4j library, and thus are also vulnerable. Since hackers are currently actively exploiting, we need to be fast to discover and patch all affected systems.
This may sound simpler than expected initially, but we frequently do not have access to the source code. This can have many reasons, for instance, the software includes a third-party library for which we don’t know if it is affected or we have some legacy software Java systems running, which we can’t easily update.
How to check if you are affected – even if you don’t have access to the source code?
To check if your jar file is affected by the critical CVE-2021-44228, we provide an open-source command line tool https://github.com/CodeShield-Security/Log4JShell-Bytecode-Detector. The tool scans the jar file and compares the classses against a set of pre-computed hashes of the vulnerable Log4j classes. Since our tool only uses the hash and fingerprints of bytecode classes, no source code needs to be available.
The hashes have been pre-computed for artifacts on Maven Central.
Note: The set of pre-computed artifacts may not yet be complete, we will update it continuously. Stay tuned.
Which artifacts other then log4j-core are actually affected?
We have been working on the topic of Java vulnerability detection for several years now and we are currently applying our technology to further detect more instances of the vulnerability in the wild.
Maven Central is one of the largest repositories for Java artifacts, and basically any Java program sources its third-party dependency from there. When installing a dependency, a jar file will be downloaded and included into your software.
The question arises which artifacts are actually affected by the log4jShell vulnerability?
This is not a simple question to answer, as source code repositories are not always linked and even if so, the packaging step of a typical Java build may just pack all dependencies into a single jar, a so-called fatjar. Once the vulnerability is part of the jar, the software is affected.
With our “Fingerprinting” research technology, that we also applied to detect a security vulnerability within the German Corona-Warn App, we are able to answer this question.
Additional Background and references for CVE-2021-4428
A remote code execution vulnerability has been discovered in log4j versions 2.0-beta9 to 2.14. With an injection attack, an attacker can spawn an own shell and freely access the affected system. There are many references and article out there explaining the details