Summary of Log4j Vulnerability
On December 9, 2021, security researchers identified a remote code execution (RCE) vulnerability in the Java logging library “Log4j” that is already being exploited in the wild. Motorola Solutions strongly recommends that customers update vulnerable systems to the latest version (2.16.0) of Apache Log4j. The vulnerability (CVE-2021-44228), which has also been given the name “Log4Shell,” affects any server running Java and using the Log4j library for logging.
Most Java applications use this open-source logging utility, which makes it critical for all organizations to take this threat seriously. By submitting a crafted request that the application logs, attackers can exploit Log4Shell to instruct vulnerable systems to download and execute malicious payloads.
Technical Breakdown of Log4j
Java applications use Log4j to log strings sent by a user. The exploit allows an adversary to send the server any string containing malicious parameters. If that string is logged, the server will fetch and execute the code hosted at the address embedded in the string.
The exploit works because Log4j parses the formatted string and initiates a request through the Java Naming and Directory Interface (JNDI). When making the request, it contacts the attacker-controlled domain, downloads the .class file it serves, and deserializes it in an insecure manner. The remote Java class file is injected into the server process and allows arbitrary code execution.
Since Java classes can have static initializers that will run whenever the class is compiled and referenced, this can result in remote arbitrary code execution from a string.
[Illustration: Zero-Day Exploit Targeting Popular Java Library Log4j]
How Can I Check to See If I’m Vulnerable?
For owners and operators of Motorola Solutions systems, please consult with your Motorola Solutions representative for guidance.
If your environment uses the Log4j library in any capacity, you’re at risk of attackers targeting this vulnerability. Depending on your environment, you’ll need to quickly identify which systems are using the Log4j library. Since many different applications use this program, this can be a daunting task. There are several log4j checker scripts available. These are not an all-in-one solution, but are a good start.
Multiple vendors have created tools you can run on your network to scan and detect any systems that currently have vulnerable versions of Log4j. If you’re using Carbon Black, you’re able to search the CVE [CVE-2021-44228] within the Alert page and see any systems that are running vulnerable versions of Log4j.
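As an added example (not Motorola Solutions' code or any of the scanners linked below), the following script shows the core check such tools perform: open a log4j-core JAR, read its Maven version, and see whether the JndiLookup class is still present, which also confirms whether the classpath mitigation described under "Mitigating the Impact of Log4j" has been applied. The version threshold is the 2.16.0 this advisory recommends; `build_sample_jar` constructs a fake JAR in memory so the check can be exercised offline.

```python
import io
import re
import zipfile

# Class whose presence enables JNDI lookups; deleting it from the JAR is the
# classpath mitigation this advisory mentions.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # version this advisory recommends updating to


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); suffixes such as '-rc1' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_log4j_jar(jar_bytes):
    """Classify a log4j-core JAR (as bytes) by version and JndiLookup presence."""
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None and not has_jndi:
        verdict = "not log4j-core"
    elif version is not None and version >= FIXED_VERSION:
        verdict = "patched"
    elif not has_jndi:
        verdict = "mitigated (JndiLookup.class removed)"
    else:
        verdict = "vulnerable"
    return {"version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}


def build_sample_jar(version, include_jndi=True):
    """Construct a minimal fake log4j-core JAR in memory (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # constructed class bytes
    return buf.getvalue()
```

To scan a real host, walk the filesystem for `*.jar` files and pass each file's bytes to `inspect_log4j_jar`; note that log4j-core nested inside WAR or fat JARs needs the same check applied recursively.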
External resource links are available below for more information.
Can the Motorola Solutions ActiveEye Security Platform Detect Activity Related to the Log4j Vulnerability?
Our ActiveEye security platform optimizes and scales Managed Detection and Response (MDR) capabilities across multiple third-party security applications from cloud to endpoint. This centralized platform allows our Security Operations Center (SOC) analysts to quickly analyze threats and alerts across multiple environments.
Thanks to ActiveEye’s capabilities, we’re able to take advantage of various rules and watchlists created by Carbon Black, Cortex XDR and Crowdstrike to identify activity related to Log4j in your environment. In addition to these rules and watchlists, ActiveEye has its own set of rules to surface and/or emphasize activity related to [CVE-2021-44228] to the SOC analysts, whether that’s known indicators of compromise (IOCs) or behavioral activity which may be a result of the exploitation of CVE-2021-44228. The ActiveEye Network Sensor has updated detection capabilities to identify exploitation attempts and network connections to known payload delivery domains.
Mitigating the Impact of Log4j
Motorola Solutions has provided customers with mitigation guidance for any of our products that may have been impacted by Log4j. For Motorola Solutions products such as ASTRO P25, it’s important that you follow the technical bulletins specific to them to avoid any disruption to these products. Please direct questions to your local account management team member before taking any actions.
A patch is already available for Log4j. To prevent exploitation of the vulnerability, we strongly recommend that you update to the latest version of Log4j [version 2.16.0] as soon as possible. If you’re unable to update to the latest version, you can try to mitigate the issue by setting the system property “log4j2.formatMsgNoLookups” to “true”, and/or removing the JndiLookup class from the classpath. If you’re using a Cloudflare Web Application Firewall (WAF), three recently deployed rules can help mitigate exploit attempts.
The rules are split to inspect HTTP headers, body and the URL.
Beyond the previously mentioned mitigations, various security vendors have provided steps to search and identify Log4Shell activity on your network. We’ve provided links below to external resources for each vendor’s recommendations.
The combination of good security hygiene, along with using advanced detection and response tools such as VMware® Carbon Black, Crowdstrike and Cortex XDR, is critical to protecting your organization. Safeguarding our customers is of the utmost importance to Motorola Solutions, and we will continue to keep you informed as further information becomes available. Contact us today if you have any questions or need assistance mitigating this critical vulnerability.
Tools to search for Log4j library on systems:
- Linux Environments Guidance for Detecting Log4j Exploitation
- Windows Environments Guidance for Preventing, Detecting and Hunting for Log4j Exploitation
Tools for scanning environments for Log4j:
- GitHub: Find Vulnerable Log4j2 Versions on Disk and Java Archive Files
- GitHub: Fully Automated, Accurate, Extensive Scanner for Finding Log4j
Endpoint Detection and Response (EDR) vendor recommendations: