The Perfect 10 - Remote Code Execution in Apache Log4j Requiring Emergency Patching

13 Dec / 2021

Industry News

CVE: CVE-2021-44228

CVSS Score: 10 (Critical)
What Is Vulnerable?: Apache Log4j Version 2.15-rc1 or prior. (All version prior to 2.15-rc1 are vulnerable)

UPDATE 15/12: Latest 2.16 Patch fully disables JNDI and removes support for Message Lookups –

What’s Happening?

A few nights ago, Alibaba’s Security team found a zero-day remote code execution vulnerability within Apache’s Log4j. Log4j is so ubiquitous even Apple and Amazon use it with their software stack. New Zealand’s CERT team warned journalists that they have seen this vulnerability exploited in the wild and there are proof of concepts available to threat actors. Log4J earned the infamous CVSS score of 10 from the National Vulnerability Database.

A favourite amongst Java developers, Log4j is an easy way to log for error checking within any environment it can be deployed in. Log4j has an extra couple of steps before logs get written to disk. It analyses incoming logs and checks for a $ character. If this $ is found, the logger knows to go in and change information. There is one pattern that is vulnerable to remote code execution. $(jndl:ldap This will perform a lookup to the LDAP server and deploy the malicious code found.

What You Can Do

  • Apply a network wide block to incoming and outgoing connections to LDAP and RMI ports. a. Where possible, we also recommend blocking outgoing traffic from servers.
  • Assess what business critical applications may be vulnerable and apply emergency patching where available. It is important to note that since it’s still early days, this list is expected to grow. Keep an eye out for security advisories from vendors.
  • If Apache Log4j 2.10 to 2.14 is deployed in your environment, the following system property can be applied: Log4j2.formatMsgNoLookups=true
  • If Log4j 2.10 or earlier is deployed in your environment, jdnilookup can be removed: a. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Rapid7 have deployed new detection rules in InsightIDR to identify Log4j vulnerability potentially occurring:

  • Attacker Technique – Curl or Wget To Public IP Address With Non Standard Port
  • Attacker Technique – Curl Or WGet To External IP Reporting Server IP In URL
  • Suspicious Process – Curl or WGet Pipes Output to Shell
  • Suspicious Process – Curl to External IP Address

Cythera continues to monitor all managed clients and detection capabilities we have in place will likely detect any post-exploitation activities related to this vulnerability


You may be interested in

What is Malware?

What is Malware? Malware is a broad term that refers to variety of malicious software cyber criminals use including: Worms Once a worm infilt…

Read More arrow_forward

PaperCut Vulnerability - CVE-2023-27350, CVE-2023-27351

PaperCut MF & PaperCut NG VulnerabilitiesCVE: CVE-2023-27350, CVE-2023-27351 WHAT IS VULNERABLE? PaperCut MF or NG version 8.0 or later, on a…

Read More arrow_forward


FORTIGUARD FIREWALL HEAP-BASED BUFFER OVERFLOW VULNERABILITY CVE: CVE-2022-25610What is VulnerableFortiOS version 7.2.0 through 7.2.3FortiOS ve…

Read More arrow_forward