‘Vaccine’ For Apache Log4j Vulnerability Released Amidst Active Exploits

As the critical “Log4Shell” bug stirs up the internet, the cybersecurity community is rushing for fixes. Although Apache has patched the vulnerability with the latest Log4j release, researchers have also rolled out a vaccine for it.

Apache Log4j Bug Vaccine Is Out

Researchers from Cybereason have publicly released “Logout4Shell” – a vaccine for the critical Apache Log4j vulnerability.

As elaborated on GitHub, the researchers have developed code to mitigate the Log4Shell bug.

Specifically, Log4Shell (CVE-2021-44228) is a critical remote code execution flaw that affects all Log4j versions before 2.15.0. Updating Log4j to this version is the ultimate fix for all apps using this library, but users may find it challenging to rush updates.

For such users, disabling the vulnerable settings in old Log4j versions may help mitigate the risk. However, since doing so can be tricky, Logout4Shell facilitates the process. As the researchers state,

In Log4j version (>=2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are set to “false”, mitigating this risk.
However, enabling these system properties requires access to the vulnerable servers as well as a restart.

The tool must first exploit the bug itself in order to apply the fix (hence, a ‘vaccine’). However, it does so for a defensive purpose: to prevent any malicious exploitation.

To develop Logout4Shell, the researchers drew on the PoC exploit by tangxiaofeng7. Regarding how it works, the researchers state,

On versions (>= 2.10.0) of log4j that support the configuration FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS, this value is set to True, disabling the lookup mechanism entirely. On older versions, the payload searches all existing LoggerContexts and removes the jndi key from the Interpolator used to process ${} fields.

Users can download it from GitHub, where the researchers have also explained how to use it. Once executed, the tool will prevent further exploitation of Log4Shell, giving users more time to apply the patches.
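
For teams that want to confirm which of the quoted mitigations is actually in place on a given host, the following Python code is an added example (it is not part of the article or of Cybereason's tool). It classifies a log4j-core JAR using only the rules stated above: the version relative to 2.15.0, whether the JndiLookup class is still present, and whether log4j2.formatMsgNoLookups is set on a version that supports it. The function names, status strings and in-memory sample JARs are constructed for illustration, and the Java runtime check is left out.

```python
import io
import re
import zipfile

# Real locations inside a Maven-built log4j-core JAR.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NO_LOOKUPS = "-Dlog4j2.formatMsgNoLookups="


def parse_version(props_text):
    """Return (major, minor, patch) from pom.properties, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props_text, re.MULTILINE)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def assess(jar_bytes, jvm_args=()):
    """Classify one JAR using only the rules stated in the article."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return "not-log4j-core"
        version = parse_version(jar.read(POM_PROPS).decode("utf-8", "replace"))
    if version is None:
        return "unknown-version"
    if version >= (2, 15, 0):
        return "patched"
    if JNDI_CLASS not in names:
        return "mitigated: JndiLookup removed"
    flag_on = any(a.startswith(NO_LOOKUPS) and a[len(NO_LOOKUPS):].lower() == "true"
                  for a in jvm_args)
    # The property is only honoured from 2.10 onward, so it is ignored below that.
    if version >= (2, 10, 0) and flag_on:
        return "mitigated: formatMsgNoLookups"
    return "vulnerable"


def make_jar(version, with_jndi=True):
    """Build a constructed, in-memory stand-in for a log4j-core JAR (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for ver, args in [("2.14.1", []), ("2.14.1", [NO_LOOKUPS + "true"]), ("2.8.2", [NO_LOOKUPS + "true"])]:
        print(ver, args, "->", assess(make_jar(ver), args))
```

To audit a real file, pass the bytes of the JAR on disk and the JVM arguments the service was started with.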
