HP Threat Research Blog CVE-2021-44228: “Yes, Virginia, There Are Such Things as Zero-Days”

December 14, 2021 Category: Uncategorized By: Jonathan Gohstand Comments: 0

CVE-2021-44228: “Yes, Virginia, There Are Such Things as Zero-Days”

One of Santa’s (evil) helpers delivered a nasty early Christmas present on 9 December: a zero-day. The “Log4J” vulnerability was discovered by an Alibaba threat researcher and lies in a widely used open-source library. Read on for the gory details!

Versions 2 to 2.14.1 of the Apache Log4j library are vulnerable to a format string attack allowing an attacker to run arbitrary code on the system running the application. The reason why this vulnerability is worthy of its critical 10 CVSS3 score is down to two factors: opportunity and impact. Log4j is one of the most popular Java logging libraries, used in a plethora of enterprise applications, web services and open-source frameworks. Therefore, the number of potential targets a threat actor can exploit is high.

Unfortunately, the vulnerability is also trivial to exploit. An unauthenticated attacker simply needs to input a string containing a malicious Java Naming and Directory Interface (JNDI) reference into a vulnerable application that they know will be evaluated as a command by Log4j. At its heart, the vulnerability abuses a feature of JNDI that allows Log4j to run remotely hosted Java classes. In the hours following the vulnerability’s disclosure, attackers began abusing this look-up feature, delivering backdoors and crypto-currency miners to vulnerable servers.

What can Virginia (and her friends in security) learn from this? Mainly that zero-days do exist, and that they most definitely can and will be exploited to deliver unpleasant presents (ransomware anyone?) to any organization big or small. Rather than rely on traditional detection-based technologies to stop ever evolving threats, defences are needed that are flexible in the sense that they protect without detection. That is, they isolate processes so that even if they turn out to be compromised, they are unable to execute their kill chain. This is the underlying concept behind the micro-virtualization in Sure Click Enterprise, Wolf Pro Security, and Sure Access Enterprise. It’s the gift that keeps on giving, so maybe it should be at the top of your holiday wish list!

P.S. For those too young to know the backstory of the title (admittedly it is over 100 years old), check here.

About the Author

Jonathan Gohstand
Director of Technical Marketing

Recent Posts