Most security practitioners are now aware of the Log4Shell vulnerability discovered toward the end of 2021. No one knows how long the vulnerability existed before it was discovered. The past couple of months have had security teams scrambling to patch the Log4Shell vulnerability found in Apache Log4j, a Java library widely used to log error messages in applications. Beyond patching, it’s helpful and instructive for security practitioners to have a deeper understanding of this most recent critical vulnerability.
Fortunately, Cynet Senior Security Researcher Igor Lahav is hosting a webinar [Register here] to provide “buzzword free” insights into Log4Shell. Based on a webinar preview provided by Cynet, the discussion will cover the software bugs in Apache Log4j that permitted the critical vulnerability, the exploits used to take advantage of the vulnerabilities and the remediation options available to protect your organization. This webinar will help make sense of the sometimes overly technical analysis of Log4Shell we’ve been subject to over the past couple of months.
— What is Log4j?
Before you can really grasp the magnitude of the Log4Shell vulnerability, it’s necessary to understand the underlying technology. The Cynet webinar steps through what the Log4j library is and how it’s used in Java. It also explains a feature used by the logging system called Java Naming Directory Interface (JDNI) and how it is used by log4j to help understand the vulnerability.
— The Vulnerabilities
The root cause of this vulnerability is the way Log4j processes log messages, and the webinar clearly steps through the software bugs that made the Log4j logging mechanism vulnerable to attackers. This includes a description of how JNDI injection works and why it can lead to issues as well as what remote Log4j configuration is and how attackers can leverage it to gain access.
— The Exploits
Exactly how do attackers take advantage of the Log4j vulnerabilities? Cynet shares the step-by-step attacks they’ve seen in the wild, which indicate a high level of attacker expertise. They demonstrate how attackers bypass static detections, how they achieve remote code execution by bypassing two common checking functions (allowedLdapClasses and allowedLdapHosts).
— The Mitigations
Finally, Cynet steps through the mitigation actions companies should take, including locating vulnerable applications, patching options, important configuration changes and patching 3rd party applications. You will also learn about the Cynet Log4Shell exploit detections in Windows and Linux.
Cynet will also share discoveries from several recent incident response investigations, such as active exploitations of the Log4Shell vulnerability on VMware Horizon Servers by different threat actors who deployed Cobalt Strike beacons, Cryptominers, and fileless reverse shells. While you may have read other reports or attended other webinars covering Log4Shell, this one pulls it all together and steps through the vulnerability, exploits, recommended remediations and latest incidents simply and clearly.
images from Hacker News