
On December 10, 2021, the National Information Security Vulnerability Sharing Platform (CNVD) listed the Apache Log4j2 remote code execution vulnerability, numbered CVE-2021-44228.

[Vulnerability description]
Apache Log4j2 is an open-source Java logging tool. It is a rewrite of the Log4j framework that introduces a large number of rich features, and it can direct log output to consoles, files, GUI components and other destinations. It is very widely used both in China and abroad.

In the early morning of December 10, a remote code execution vulnerability in the Apache open source project Apache Log4j 2 was disclosed. The flaw is a JNDI injection vulnerability: an attacker exploits it by constructing a malicious request that causes the target server to execute arbitrary code, leaving the server under the attacker's control. The resulting behaviors, such as page tampering and data theft, are extremely harmful, and almost all industries are affected by this vulnerability.

[Vulnerability level]
CNVD's overall rating is "High Risk".

[Scope of impact]
Java products: Apache Log4j 2.x < 2.15.0-rc2

[Repair suggestion]
At present the vulnerability PoC has been disclosed and an official fixed version has been released. If a system is developed in Java, confirm as soon as possible whether it uses the Apache Log4j 2 library, and upgrade to the latest version as soon as possible.

Timeline:
On December 7, 2021, Apache officially released log4j-2.15.0-rc1
On December 10, 2021, Apache officially released log4j-2.15.0-rc2
On December 11, 2021, Apache officially released log4j-2.15.0 (identical to log4j-2.15.0-rc2)
On December 13, 2021, Apache officially released log4j-2.16.0-rc1

Release address: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
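The repair suggestion above boils down to two checks: is log4j-core on the classpath at all, and is its version inside the affected range 2.x < 2.15.0-rc2? The following class is an added example (not code from the original post or from Ant) that applies exactly that rule to a list of jar paths. The classpath entries are constructed sample data, and the class and method names are the example's own; the only facts it encodes are the version boundary and the release-candidate ordering stated in this section (a final release sorts after any rc of the same number, and 2.15.0 is the same as 2.15.0-rc2).

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Classifies a log4j-core version against the affected range given in the
 * advisory: Apache Log4j 2.x < 2.15.0-rc2. Versions the parser cannot read
 * (for example 2.0-beta9) are reported as UNKNOWN so that they get a manual
 * look instead of being silently marked clean.
 */
public final class Log4jVersionCheck {

    enum Status { AFFECTED, FIXED, NOT_2X, UNKNOWN }

    // A final release sorts after every release candidate of the same number.
    private static final int FINAL = Integer.MAX_VALUE;

    // major.minor[.patch][-rcN]
    private static final Pattern VERSION =
        Pattern.compile("^(\\d+)\\.(\\d+)(?:\\.(\\d+))?(?:-rc(\\d+))?$");

    // log4j-core-<version>.jar as it appears in a classpath or file listing
    private static final Pattern CORE_JAR =
        Pattern.compile("log4j-core-([0-9][0-9A-Za-z.\\-]*?)\\.jar$");

    // First fixed build per the advisory: 2.15.0-rc2 -> (minor 15, patch 0, rc 2)
    private static final int[] FIXED_KEY = {15, 0, 2};

    static Status classify(String version) {
        Matcher m = VERSION.matcher(version);
        if (!m.matches()) {
            return Status.UNKNOWN;
        }
        if (Integer.parseInt(m.group(1)) != 2) {
            return Status.NOT_2X;   // Log4j 1.x is a different code base, outside this advisory
        }
        int minor = Integer.parseInt(m.group(2));
        int patch = m.group(3) == null ? 0 : Integer.parseInt(m.group(3));
        int rc    = m.group(4) == null ? FINAL : Integer.parseInt(m.group(4));
        int[] key = {minor, patch, rc};
        return compareKeys(key, FIXED_KEY) < 0 ? Status.AFFECTED : Status.FIXED;
    }

    // Lexicographic comparison of equal-length int arrays (Java 8 compatible).
    private static int compareKeys(int[] a, int[] b) {
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** Extracts the version from a log4j-core jar path, or returns null if the path is not one. */
    static String versionFromJarPath(String path) {
        Matcher m = CORE_JAR.matcher(path);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed sample classpath entries, not taken from any real system.
        List<String> classpath = Arrays.asList(
            "/opt/app/lib/log4j-core-2.14.1.jar",
            "/opt/app/lib/log4j-core-2.15.0-rc1.jar",
            "/opt/app/lib/log4j-core-2.15.0-rc2.jar",
            "/opt/app/lib/log4j-core-2.15.0.jar",
            "/opt/app/lib/log4j-core-2.0-beta9.jar",
            "/opt/app/lib/log4j-api-2.14.1.jar",
            "/opt/app/lib/log4j-1.2.17.jar");
        for (String entry : classpath) {
            String version = versionFromJarPath(entry);
            if (version == null) {
                continue;   // not log4j-core: log4j-api alone does not contain the JNDI code
            }
            System.out.printf("%-45s %-12s %s%n", entry, version, classify(version));
        }
    }
}
```

Matching on jar file names only finds the obvious cases; a log4j-core shaded into a fat jar or renamed by a build tool is not seen this way, so an inventory should also inspect `META-INF` metadata inside jars or the running JVM's loaded classes.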

Ant Aspect Security RASP emergency mitigation ("stop the bleeding") plan

[RASP detailed analysis]
Ant Aspect Security RASP natively has the ability to protect against the Log4j vulnerability, because RASP hooks key functions inside the application and focuses only on the actions that are executed. An application deployed with RASP has self-protection capability without depending on anything outside it: even after an attack succeeds in reaching the application, RASP can intercept the attacker's follow-on actions, such as reading or modifying files in sensitive paths or making outbound connections, so the attacker cannot cause much high-risk, destructive damage to the application.

Ant Aspect Security RASP nevertheless took emergency measures against the Log4j vulnerability at a higher level, in three phases:
Phase 1: before the PoC was available, schemes based on guesswork (none of them adopted)

  1. Start from the network-related hook points and intercept by checking whether the call stack contains log4j-related frames. Disadvantages: ordinary network requests also pass through this hook point, and the stack has to be captured and matched on each call, which has a very large performance impact.
  2. Start from JNDI's key low-level methods and intercept by checking whether the call stack contains log4j-related frames. Disadvantages: the stack still has to be captured and matched, the application's own legitimate use of JNDI is affected, and there is a certain performance impact.

Phase 2: after obtaining the PoC, quickly formulate and verify the mitigation strategy, and decide that RASP joins the fight
Because JNDI is used by log4j in the form of a plug-in, it has a unified execution entry point. The stack diagram shows several places where RASP could intercept. Among them, "InitialContext.java:417" is the native low-level method, whose disadvantages were described above. The usable points are therefore "JndiManager.java:85" and "JndiManager.java:61". The hook point "JndiManager.java:85" was introduced after 2.1.x, while the other covers all 2.x versions. To avoid the hook being bypassed through other vulnerabilities, however, both hook points were ultimately adopted. The case in which JNDI is used to look up a JDBC connection address was also covered by the interception, as that case is triggered by the log4j2 configuration rather than by external input.

Disadvantages: none

Advantages:

  1. No parameters need to be matched, so there are no performance concerns;
  2. The hook is triggered only when the parsed content actually uses JNDI, so there is no need to worry about the various payload variants and no ongoing cost of keeping up with evasions;
  3. It covers only the scenario in which log4j2 itself uses JNDI, and does not affect the application's own legitimate use of JNDI.
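To make the Phase 2 design concrete, here is a Java agent written as an added illustration for this article; it is not Ant's RASP code. It uses Byte Buddy to instrument the two Log4j2-owned entry points discussed above, the `lookup` method of `org.apache.logging.log4j.core.net.JndiManager` and of the `org.apache.logging.log4j.core.lookup.JndiLookup` plug-in, so that any JNDI lookup issued by Log4j2 itself is skipped and returns null, exactly as an unresolved lookup would, while the application's own JNDI calls through `InitialContext` are never touched. No payload matching is done, which is why the hook is unaffected by payload variants and adds no cost to ordinary requests. Byte Buddy 1.12 or later (five-argument transformer lambda) and the class names `Log4jJndiGuardAgent` and `DenyJndi` are assumptions of this example; the log4j-core class names are real.

```java
import java.lang.instrument.Instrumentation;
import java.util.Arrays;

import net.bytebuddy.agent.builder.AgentBuilder;
import net.bytebuddy.asm.Advice;

import static net.bytebuddy.matcher.ElementMatchers.named;

/**
 * Minimal RASP-style Java agent: deny JNDI lookups that originate from Log4j2 itself.
 * Only Log4j2's own entry points are instrumented, so the application's legitimate
 * JNDI usage (for example DataSource lookups through InitialContext) is unaffected.
 */
public final class Log4jJndiGuardAgent {

    // Log4j2's unified JNDI entry point (the "JndiManager.java" hook points in the article)
    private static final String JNDI_MANAGER = "org.apache.logging.log4j.core.net.JndiManager";
    // The ${jndi:...} lookup plug-in that calls into JndiManager
    private static final String JNDI_LOOKUP  = "org.apache.logging.log4j.core.lookup.JndiLookup";

    /** Entry point when started with -javaagent at JVM launch. */
    public static void premain(String args, Instrumentation inst) {
        install(inst);
    }

    /** Entry point when attached to an already running JVM (the emergency case). */
    public static void agentmain(String args, Instrumentation inst) {
        install(inst);
    }

    static void install(Instrumentation inst) {
        new AgentBuilder.Default()
            // Advice only rewrites method bodies, so already loaded classes can be retransformed
            .disableClassFormatChanges()
            .with(AgentBuilder.RedefinitionStrategy.RETRANSFORMATION)
            .type(named(JNDI_MANAGER).or(named(JNDI_LOOKUP)))
            .transform((builder, type, loader, module, domain) ->
                builder.visit(Advice.to(DenyJndi.class).on(named("lookup"))))
            .installOn(inst);
    }

    /** Inlined at the start of each matched lookup(...) method. */
    public static final class DenyJndi {

        // Returning a non-default value (true) skips the original method body; the
        // method then returns the default for its return type, i.e. null, which
        // Log4j2 already treats as "lookup did not resolve".
        @Advice.OnMethodEnter(skipOn = Advice.OnNonDefaultValue.class)
        public static boolean enter(@Advice.Origin String where,
                                    @Advice.AllArguments Object[] args) {
            System.err.println("[rasp] blocked Log4j2 JNDI lookup at " + where
                + " args=" + Arrays.toString(args));
            return true;
        }
    }
}
```

Package the class with Byte Buddy into a jar whose manifest declares `Premain-Class`, `Agent-Class` and `Can-Retransform-Classes: true`; start the JVM with `-javaagent:guard.jar` for new deployments, or attach it to a running process for the emergency case. Because the decision is made at Log4j2's own call site rather than on request content, it needs no rule updates when a new payload encoding appears, which is the property the advantages list above describes.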

Phase 3: RASP deployed online and the mitigation strategy released, continuing to this day
The Ant security team began, as an emergency measure, to deploy and release the mitigation strategy in batches according to the degree of risk.

  • Day 1: mitigation completed in the grayscale pre-release environment for high-risk applications with active outbound connections.
  • Day 2: mitigation completed in production for 93% of the high-risk applications with active outbound connections.

[RASP emergency mitigation results]

  • Within 20 minutes of obtaining the PoC, the defense strategy was complete and verified successfully.
  • Within 2 hours, compatibility testing of all log4j 2.x versions, including the corresponding sec versions, was complete.
  • Within 24 hours, mitigation of high-risk applications in the grayscale environment was complete and verified on a small scale in production.
  • Within 48 hours, mitigation was complete in 93% of high-risk production environments.

[Advantages of RASP emergency mitigation]
Advantage 1: vulnerabilities triggered through logged data are rare in the industry, which leaves a WAF with limited coverage. Once an attacker crosses the perimeter and moves laterally inside the company's technical systems, a WAF can no longer control the situation. Blocking and intercepting from inside the application with Aspect Security RASP is therefore more precise and effective.

Advantage 2: compared with traditional security products and with waiting for the official fixed version, RASP has these advantages:

  • There is no need to wait for the official fix; as soon as the exploit details are clear, RASP can start taking effect.
  • Using Aspect Security RASP to stop the bleeding spared R&D engineers an emergency upgrade on short notice. RASP bought two weeks of buffer time without disrupting the R&D upgrade rhythm, which improved the engineers' quality of life.
  • RASP adapts to a variety of environments, with no need to consider the compatibility issues of upgrading versions.

Advantage 3: the Ant security team produced a dedicated tool for the Log4j vulnerability, minirasp, for emergency use by ecosystem partners and by some internal applications on non-standard technology stacks. The customized minirasp exceeded expectations: it played a key role in the large-scale data processing jobs and the massive number of UDFs that the standard RASP cannot cover, and stopped the pain of this Log4j vulnerability there as well.

Ant Aspect Security RASP provides vaccine-level protection for application runtime security

The current network security situation is becoming more and more severe. Traditional perimeter defense products based on traffic inspection are easily bypassed, and security products that depend on rule-base updates are even less timely. Such after-the-fact security products can no longer satisfy the needs of the security market.

In 2012, Gartner first proposed a new type of web protection technology, RASP (Runtime Application Self-Protection). Unlike traditional security products, RASP is a security technology based on behavioral and contextual semantic analysis. It hooks key functions inside the application, focuses only on the actions being executed, and detects and blocks unknown vulnerabilities without policy updates or application code upgrades. RASP is injected into the application like a vaccine, giving the application self-protection capability without relying on the outside world.

In one sentence: an application loaded with RASP is naturally protected against the Log4j2 vulnerability. In addition, all actions caused by JNDI injection, such as remote command execution, file directory listing, arbitrary file upload and sensitive file download, can be intercepted.

In addition, Ant RASP supports detection and interception of memory-resident webshell ("memory horse") attacks, deserialization vulnerabilities, command injection, arbitrary file upload, remote command execution and more, covering all the web application security risk categories in the 2021 edition of the OWASP Top 10. Ant RASP provides function-level real-time protection for enterprise applications, with strong heuristic detection, second-level interception, emergency mitigation and improved security. It is especially suitable for Internet applications that use a large number of open source components or that are developed by third-party integrators.


Ant Technology (蚂蚁技术)

Official technology account of Ant Group, sharing Ant's exploration of frontier technology innovation.