As the critical “Log4Shell” bug stirs up the internet, the cybersecurity community is rushing for fixes. Although Apache has patched the vulnerability with the latest Log4j release, researchers have also rolled out a vaccine for it.
Apache Log4j Bug Vaccine Is Out
Researchers from Cybereason have publicly released “Logout4Shell” – a vaccine for the critical Apache Log4j vulnerability.
As elaborated on GitHub, the researchers have developed a code to mitigate the Log4Shell bug.
Specifically, Log4Shell (CVE-2021-44228) is a critical remote code execution flaw that affects all Log4j versions before 2.15.0. Although updating Log4j to this version is the ultimate fix for all apps using this service, still, users may find it challenging to rush updates.
For such users, disabling the vulnerable settings in old Log4j versions may help mitigate the risk. However, since it might be tricky, Logout4Shell facilitates this process. As stated,
In Log4j version (>=2.10) this behavior can be mitigated by setting system property
trueor by removing the JndiLookup class from the classpath. Additionally, if the server has Java runtimes >= 8u121, then by default, the settings
com.sun.jndi.cosnaming.object.trustURLCodebaseare set to “false”, mitigating this risk.
However, enabling these system property requires access to the vulnerable servers as well as a restart.
The tool needs to exploit the bug first to go with the process (hence, a ‘vaccine’). But it uses it for a defensive purpose to prevent any malicious exploitation.
For developing Logout4Shell, the researchers have taken help from the PoC exploit of tangxiaofeng7. Regarding how it works, the researchers state,
On versions (>= 2.10.0) of log4j that support the configuration
FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS, this value is set to
Truedisabling the lookup mechanism entirely. On older versions, the payload searches all existing LoggerContexts and removes the jndi key from the
Interpolatorused to process
Users can download it from GitHub, where the researchers have also explained how to use it. Once executed, the tool will prevent further exploitation of Log4Shell, giving users more time for the patches.
Last modified: December 15, 2021