TRAPMINE | Prevent Threats. Detect Unknown. Respond to Attacks.

Mitigating the log4j Vulnerability with TRAPMINE

A vulnerability in Apache Log4j, a widely used logging package for Java, was published on 10 December 2021. The vulnerability can allow an attacker to execute arbitrary code by sending specially crafted log messages that contain an LDAP URI. It has been identified as CVE-2021-44228. Log4j is a very popular library used by many products, which is what makes the vulnerability highly critical.

Vulnerability Details

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Vulnerability Details from CVE.ORG

How Does TRAPMINE Help to Mitigate the Exploit?

TRAPMINE blocks exploitation attempts related to this vulnerability on Windows devices. For example, in the event below, TRAPMINE blocks the PowerShell payload delivered by a Log4j exploit.

In its default Exploit Mitigation policy, TRAPMINE does not allow Java.exe and Javaw.exe to create the following child processes:

*\helpctr.exe
*\powershell.exe
*\InfDefaultInstall.exe
*\ntvdm.exe
*\cmd.exe

However, you can define a more restrictive policy until you have patched all your Log4j applications.

How Does TRAPMINE Help to Find Vulnerable Applications in your organization?

Detecting vulnerable applications is easy with the Trapmine Live Hunting feature. You can send “file search” queries to detect possibly insecure Log4j applications in your organization. Here is an example query that I ran on my machine; it helped me discover that some of the e-signing applications I use in daily life have a very old version of the Log4j module.

Searching “log4j*” filename via Trapmine Live Hunter
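
A filename search for "log4j*" finds standalone JARs but not copies bundled inside other archives. The Python script below is an added example, not TRAPMINE code or a Live Hunter query: it goes beyond the filename search by opening JAR/WAR/EAR files (including nested ones), looking for the JndiLookup class and the log4j-core version, and flagging versions in the <=2.14.1 range quoted above. The function names and status labels are illustrative assumptions.

```python
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_MAX = (2, 14, 1)  # range quoted on the page: Log4j2 <= 2.14.1
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(text):
    """Return (major, minor, patch) for the first x.y[.z] found, else None."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def inspect_archive(source, label, findings):
    """Record log4j evidence in one archive, then recurse into nested archives."""
    try:
        jar = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return findings  # unreadable or not really a zip: skip it
    with jar:
        names = set(jar.namelist())
        base = label.replace("\\", "/").rsplit("/", 1)[-1].lower()
        has_jndi = JNDI_CLASS in names
        version = None
        if POM_PROPS in names:  # most reliable: Maven metadata inside the jar
            m = re.search(r"^version=(\S+)", jar.read(POM_PROPS).decode("utf-8", "replace"), re.M)
            version = parse_version(m.group(1)) if m else None
        elif base.startswith("log4j"):  # fall back to the file name
            version = parse_version(base)
        if has_jndi or base.startswith("log4j"):
            status = "not-flagged"  # JndiLookup absent or version outside the range
            if has_jndi and (version is None or (2, 0, 0) <= version <= AFFECTED_MAX):
                status = "affected" if version else "unknown-version"
            findings.append({"where": label, "version": version, "status": status})
        for inner in sorted(names):  # e.g. jars packed inside a fat jar or WAR
            if inner.lower().endswith(ARCHIVE_EXT):
                inspect_archive(io.BytesIO(jar.read(inner)), f"{label}!/{inner}", findings)
    return findings

def scan(root):
    """Inspect every JAR/WAR/EAR under root; return a list of finding dicts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in sorted(os.path.join(dirpath, n) for n in files):
            if path.lower().endswith(ARCHIVE_EXT):
                inspect_archive(path, path, findings)
    return findings
```

Call `scan()` with an application directory; entries with status "unknown-version" bundle the JndiLookup class without Maven metadata and need a manual version check.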
