Requiem for a Vuln:

What we learned from Log4Shell and what comes next

Brian Markham // March 10, 2022


Requiem for a Vuln: What we learned from Log4Shell and what comes next © 2022 by Brian Markham is licensed under CC BY-NC-SA 4.0.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/

bmarkham-01-MBP:~ bmarkham$ whoami


Brian Markham
Present: CISO @ EAB
Past: PwC, KPMG, University of Maryland, George Washington University

Agenda

• Timeline

• What is Log4Shell/Log4j

• How is it exploited?

• What did we learn?

• Preventing the next Log4Shell

“The Log4j vulnerability is the most serious
vulnerability that I’ve seen in my decades
long career.”

Jen Easterly, Director of Cybersecurity and Infrastructure Security Agency (CISA)

Source: https://www.cnbc.com/video/2021/12/16/cisa-director-says-the-log4j-security-flaw-is-the-most-serious-shes-seen-in-her-career.html

(Slide of Log4j tweets and memes; image not reproduced.)
Source: https://www.secureworld.io/industry-news/funny-log4j-tweets-memes
Why is this a big deal?

• Gives a remote attacker code execution on the vulnerable host, with whatever privileges the Java process is running under

• Remote Code Execution (RCE) is ALWAYS BAD

• Ubiquity of java applications and Log4j

• Many organizations didn’t know if they had it

• iCloud, Minecraft, Steam all impacted

• Exploit is easy to execute

Source: https://www.lunasec.io/docs/blog/log4j-zero-day/
Timeline
Best. Weekend. Ever.

• CVE-2021-44228, known as Log4Shell, was reported to Apache by Chen Zhaojun of the Alibaba Cloud Security Team on November 24, 2021.

• Apache released the fix, Log4j 2.15.0, on December 6, 2021.

• The vulnerability was publicly disclosed on December 9, 2021.

• CVSS score of 10 (the highest available score)

• Log4j (the vulnerable component) is present in many commercial services, including AWS, iCloud, Minecraft, and Steam. Wiz and EY estimate that 93% of enterprise cloud environments were impacted by this vulnerability.

Source: https://blog.wiz.io/10-days-later-enterprises-halfway-through-patching-log4shell/
Timeline
But wait there’s more!

• What’s more fun than one Log4j vulnerability? Three Log4j vulnerabilities:

• CVE-2021-45046 (9.0 CVSS) 12/14/21

• CVE-2021-45105 (5.9 CVSS) 12/18/21

• Separately, on 12/28/21, CVE-2021-44832 (6.6 CVSS) was reported; it affects the JDBC Appender and requires the attacker to control the Log4j configuration, so it is a different class of problem from the message-lookup bugs above.

• Resulted in multiple sprints to upgrade to the latest version of Log4j

Source: nist.gov
Internet scanning

(Chart slide of scanning activity for the vulnerability; image not reproduced.)

Source: https://www.greynoise.io/blog/log4j-vulnerability-analysis-next-steps
We’re no strangers to vulns

• Heartbleed (CVE-2014-0160):

• Vulnerability in OpenSSL; a vulnerable server could leak secrets stored in memory

• Exploitation left no trace in server logs, so victims could not tell whether they had been attacked

• EternalBlue (CVE-2017-0144):

• Exploit developed by NSA for a weakness in SMB v1

• WannaCry and NotPetya malware used the EternalBlue exploit to attack vulnerable servers

Log4j background

• Log4j is a logging package for Java, log for j(ava)

• Log4j’s roots go back 25 years (first official release in 1999); Log4j 1.x went end of life in August 2015.

• Log4j sat at version 2.14.1 for most of 2021; 2.15.0 was released on December 6, 2021 to address the vulnerability.

• 2.17.1 is the current release (as of 1/24/2022)

• It’s a de facto standard for application logging

Sources: https://logging.apache.org/log4j/2.x/changes-report.html
https://logging.apache.org/log4j/2.x/manual/index.html
How the vulnerability works

The exploit needs four pieces:

• A vulnerable web app or service that logs attacker-controlled input through Log4j (target)

• A directory service, typically an LDAP server, that the attacker controls; the JNDI lookup in the logged string points at it (attacker side)

• A listener that serves the malicious Java class referenced by the directory entry, or catches the callback from the payload (attacker side)

• The exploit string, e.g. ${jndi:ldap://localhost:1389/a} in the demo, placed in any field that ends up in a log message (attacker side)

Abusing JNDI

• Java Naming and Directory Interface (JNDI)

• API that provides name and directory functionality to applications written in Java

• Will work with past, present, and future directory standards, including LDAP

• Typical uses for JNDI:

• Connecting a Java application to an external directory service (such as an address database or an LDAP server)

• Allowing a Java Servlet to look up configuration information provided by the hosting web container

• Why it matters here: Log4j 2.x before 2.15.0 expands ${...} lookups inside the messages it logs, so a logged ${jndi:ldap://...} string makes the application perform a JNDI lookup against whatever server the attacker names, and the reply can point the JVM at a remote class that it then loads and runs.

Source: https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface
Live Demo!! 🙏


Attack chain

(Diagram slide; only the exploit string ${jndi:ldap://localhost:1389/a} and the label "Vulnerable site" are recoverable from the image.)

Compensating measures

• Web application firewall (WAF)

• Input validation

• Indicators of Compromise (IOCs)

• Software composition analysis (SCA)

• Software Bill of Materials (SBOM)

Compensating controls

• A web application firewall will identify the exploit string as an attack. Attackers responded within days with obfuscated forms of the string built from nested lookups such as ${${lower:j}ndi:...}, so signature rules had to be updated to keep pace.

Input validation

“Input validation is performed to ensure only properly formed data is entering the workflow in an information system, preventing malformed data from persisting in the database and triggering malfunction of various downstream components.”

• In our demo, the attacker should not have been able to enter the attack string in the username field. That value in that format would never be a valid username.

• Effective input validation will help to mitigate entire classes of attacks, including XSS and SQLi.

Source: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
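The following is an added example, not code from the slides or from Log4j itself. It models, in Python, how Log4j 2.x before 2.15.0 expanded ${...} lookups inside a logged message (only the lower, upper, env and ':-' default lookups are emulated, and the "environment" is a constructed dictionary), then applies two of the compensating controls above to constructed sample messages: a WAF-style pattern match on the raw string beside the same match run on the expanded string, and an allow-list validator for the demo's username field. The point it makes is that a rule looking for the literal ${jndi: marker misses the nested forms that circulated within days of disclosure, while expanding first, or rejecting the field outright, does not. The same detect function can be run over historical application logs when hunting for attempts.

```python
"""
Toy model of Log4j 2.x (< 2.15.0) message-lookup expansion, plus two compensating
controls: a WAF-style pattern match and allow-list input validation.
Only the lookups needed to show the obfuscation problem are emulated.
"""
import re

# Constructed stand-in for the JVM's environment so the example is deterministic.
FAKE_ENV = {"HOSTNAME": "app01"}

# Constructed sample log messages: one benign, the rest carrying JNDI lookups,
# three of them obfuscated the way real payloads were.
SAMPLES = [
    "User login: alice",
    "User login: ${jndi:ldap://localhost:1389/a}",
    "User login: ${${lower:j}ndi:ldap://localhost:1389/a}",
    "User login: ${${::-j}${::-n}${::-d}${::-i}:ldap://localhost:1389/a}",
    "User login: ${${env:NOPE:-j}ndi:rmi://localhost:1099/a}",
]


def _match_close(s: str, start: int) -> int:
    """Index of the '}' that closes the '${' at `start`, or -1 if unbalanced."""
    depth = 0
    i = start
    while i < len(s):
        if s.startswith("${", i):
            depth += 1
            i += 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1


def _lookup(body: str) -> str:
    """Resolve one lookup body (text between '${' and '}') whose inner lookups are already expanded."""
    if body.lower().startswith("jndi:"):
        # The dangerous case. Real Log4j would now contact the named server; the
        # payload is kept verbatim here so a detector can see what Log4j would run.
        return "${" + body + "}"
    key, has_default, default = body.partition(":-")
    prefix, _, name = key.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return name.lower()
    if prefix == "upper":
        return name.upper()
    if prefix == "env" and name in FAKE_ENV:
        return FAKE_ENV[name]
    if has_default:
        return default            # ${::-j} and ${env:NOPE:-j} both become "j"
    return "${" + body + "}"      # unknown lookup is left as literal text


def expand(s: str) -> str:
    """Expand nested ${...} lookups innermost-first, as Log4j's StrSubstitutor does."""
    out = []
    i = 0
    while i < len(s):
        if s.startswith("${", i):
            close = _match_close(s, i)
            if close == -1:
                out.append(s[i:])
                break
            out.append(_lookup(expand(s[i + 2:close])))
            i = close + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


# What a first-day WAF rule looked for: the literal marker as it arrived on the wire.
NAIVE_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
# The same marker, but matched after expansion and tolerating whitespace.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def naive_waf_match(message: str) -> bool:
    return NAIVE_RE.search(message) is not None


def detect_jndi_lookup(message: str) -> bool:
    """Expand lookups as Log4j would, then look for a JNDI lookup in the result."""
    return JNDI_RE.search(expand(message)) is not None


# Allow-list validation for the demo's username field: letters, digits, . _ - only.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("naive expanded message-as-Log4j-sees-it")
    for msg in SAMPLES:
        print(f"{naive_waf_match(msg)!s:5} {detect_jndi_lookup(msg)!s:8} {expand(msg)}")
```

Run it directly to see, for each sample, the naive and expanded verdicts beside the string Log4j would actually have evaluated; only the first payload is caught by the literal rule, all four by the expanded one, and none of them pass the username allow-list.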
IOCs

“An Indicator of Compromise (IOC) is a piece of digital forensics that suggests that an endpoint or network may have been breached. Just as with physical evidence, these digital clues help information security professionals identify malicious activity or security threats, such as data breaches, insider threats or malware attacks.”

• An IOC helps the organization recognize an attack that has taken place.

• Examples: a hash value, IP address, command and control (C2) domain

Source: https://www.crowdstrike.com/cybersecurity-101/indicators-of-compromise/

(Image slide; not reproduced.)
Source: https://www.greynoise.io/blog/apache-log4j-vulnerability-CVE-2021-44228
Software Composition Analysis

• Software composition analysis (SCA) is a valuable capability for any organization that provides Internet-facing web services using open source components.

• Reports the components of software (specifically a project or repository), their versions, and license information.

• Commercial SCA is not free or cheap; a few open source tools exist.

“By understanding and contextualizing 1st and 3rd party SBOMs, organizations can be positioned to rapidly determine whether or not they are impacted by zero and highly significant critical vulnerabilities like Log4J. In absence of this, organizations are left relying often on manual inspection and deep disruption to their teams.”

Dan Walsh, Traxiom CEO

What is a SBOM?

• SBOM = Software Bill of Materials

• “A list of ingredients that make up software components.”

• Analogous to a BOM, which has been a well-established concept in manufacturing

• “If defects are found in a specific part, the BOM makes it easy to locate the affected products.”

Sources: https://www.ntia.gov/SBOM
https://github.com/awesomeSBOM/awesome-sbom
SBOM Specifications

• CycloneDX (Cyclone Data Exchange)

• Supported by OWASP

• https://cyclonedx.org/

• SPDX (Software Package Data Exchange)

• Supported by The Linux Foundation

• SWID (Software Identification) tags, ISO/IEC 19770-2

• SBOMs can be exported in several formats

SBOM Tools

• spdx-sbom-generator: a free CLI tool from The Linux Foundation

• Produces a SBOM in the Software Package Data Exchange (SPDX) format

• Supports many popular package managers, such as Maven, .NET (NuGet), and RubyGems

Source: https://github.com/opensbom-generator/spdx-sbom-generator
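An added example, not from the slides or from any of the tools named on them, showing what the SCA and SBOM slides describe in practice: parse a CycloneDX 1.4 JSON SBOM (the document below is constructed to stand in for a CycloneDX Maven plugin export), find every log4j-core component by its Package URL, including ones nested inside an assembly, and report which of the four December 2021 CVEs each version is exposed to. The version ranges are my transcription of the Apache Log4j security advisories, including the backported fixes on the 2.12.x (Java 7) and 2.3.x (Java 6) lines; check the current advisory before relying on them, and note that Log4j 1.x, long end of life, is outside these ranges entirely.

```python
"""
Check a CycloneDX JSON SBOM for log4j-core versions affected by the
December 2021 Log4j CVEs. Version ranges transcribed from the Apache
advisories; verify against the current advisory before relying on them.
"""
import json
import re

# (CVE, first affected version, first fixed version per release line; "*" = Java 8 mainline)
ADVISORIES = [
    ("CVE-2021-44228", "2.0-beta9",  {"*": "2.15.0", "2.12": "2.12.2", "2.3": "2.3.1"}),
    ("CVE-2021-45046", "2.0-beta9",  {"*": "2.16.0", "2.12": "2.12.2", "2.3": "2.3.1"}),
    ("CVE-2021-45105", "2.0-alpha1", {"*": "2.17.0", "2.12": "2.12.3", "2.3": "2.3.1"}),
    ("CVE-2021-44832", "2.0-beta7",  {"*": "2.17.1", "2.12": "2.12.4", "2.3": "2.3.2"}),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?")
PURL_RE = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@([^?#]+)")

# Constructed CycloneDX 1.4 document; the nested component models a shaded or
# bundled dependency, where a second log4j-core often hid during Log4Shell.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "name": "jackson-databind", "version": "2.13.1",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1"},
    {"type": "library", "name": "reporting-service", "version": "1.0",
     "purl": "pkg:maven/com.example/reporting-service@1.0",
     "components": [
       {"type": "library", "name": "log4j-core", "version": "2.12.2",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"}
     ]}
  ]
}
"""


def parse_version(v: str) -> tuple:
    """Sort key for Maven-style versions: 2.0-alpha1 < 2.0-beta9 < 2.0 < 2.14.1."""
    m = VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, qual, qnum = m.groups()
    # A release (no qualifier) sorts after any pre-release with the same number.
    return (int(major), int(minor), int(patch or 0),
            1 if qual is None else 0, (qual or "").lower(), int(qnum or 0))


def affected_cves(version: str) -> list:
    """CVEs from ADVISORIES that apply to this log4j-core version."""
    v = parse_version(version)
    line = f"{v[0]}.{v[1]}"
    hits = []
    for cve, first, fixed in ADVISORIES:
        fixed_in = fixed.get(line, fixed["*"])   # backport line if one exists
        if parse_version(first) <= v < parse_version(fixed_in):
            hits.append(cve)
    return hits


def load_sbom(text: str) -> dict:
    """Parse a CycloneDX JSON document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def _walk(components):
    """Yield every component, descending into nested assemblies."""
    for comp in components or []:
        yield comp
        yield from _walk(comp.get("components"))


def find_log4j_findings(sbom: dict) -> list:
    """One finding per vulnerable log4j-core component in the SBOM."""
    findings = []
    for comp in _walk(sbom.get("components")):
        m = PURL_RE.match(comp.get("purl", ""))
        if not m:
            continue
        group, artifact, version = m.groups()
        if (group, artifact) != ("org.apache.logging.log4j", "log4j-core"):
            continue   # log4j-api alone does not contain the JNDI lookup code
        cves = affected_cves(version)
        if cves:
            findings.append({"purl": comp["purl"], "version": version, "cves": cves})
    return findings


if __name__ == "__main__":
    for f in find_log4j_findings(load_sbom(SAMPLE_SBOM_JSON)):
        print(f["purl"], "->", ", ".join(f["cves"]))
```

Matching on the purl rather than the component name is deliberate: names in SBOMs are free text, while the purl carries group, artifact and version in a fixed form, so the same check works on a SBOM a vendor hands over as on one generated in-house.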
Other SBOM tools
Not endorsed or recommended, just sharing

• Adolus

• Sonatype (also offers a free tool)

• Traxiom

• Veracode

Evaluating 3rd party service providers

• A SBOM is an effective way to understand the impact of a major vulnerability like Log4Shell on 3rd party service providers.

• A 3rd party can export a SBOM and share it with customers.

Questions to ask

• How did we learn about Log4Shell? How long did it take to learn about it and to determine whether we were impacted?

• Do we have the right controls in place to detect and prevent successful exploit attempts even if we cannot immediately upgrade to non-vulnerable versions of system software?

• If I wanted to know all the various software components in my environment or in major applications, how would I do this? How long would it take me?

• What do we (as an organization) learn from this vulnerability, and will we be ready for the next one?

Summary

• Log4Shell is a member of a small, exclusive group of vulnerabilities that are memorable due to their severity and scale.

• The lessons we’ve learned from Log4Shell mirror those that we learned from Heartbleed in 2014 and EternalBlue in 2017.

• New tools and tactics are available to us:

• A software bill of materials (SBOM)

• SCA scanning is more mainstream than in the past

• New vulnerabilities of this severity will happen again. Next time, will we be ready?

Thank you!!
[email protected] // @maru37
