In this post will discuss about log4j vulnerability windows server fix.Log4j Vulnerability is the weakness existing in apache web server ,there is a small software java based utility called log4j. It is being used to record the activity logs of the apache web server.
The vulnerability enables an unauthenticated attacker to gain complete control for a target system through remote code execution. This can occur any time a specially crafted string is parsed and processed by a vulnerable Log4j2 component.
An attacker can execute malicious code remotely on a computer using Remote Code Execution (RCE).RCE vulnerabilities can result in malware being executed as well as an attacker gaining full control of a compromised machine.
Recent reports suggest that a zero-day exploit has been found against the Apache log4J2 library, via which the attacker can remotely execute code. This vulnerability was reported under CVE-2021-44228 and CVE-2021-45046 against log4j-core.
log4j 2.0-2.14 There is a Vulnerability existing. using exploit the Vulnerability attacker can gain the access of the webserver. CVSS score for this vulnerability is 10, which is the highest possible score.
scenario about log4j vulnerability windows server fix
If you deploy any website in your organization, that website need to access outside users over the internet. Set-up a server either it can be windows or linux on the server we installed web application that hosted a website.
That website you need to access an outside user over the internet, in fact outside cannot access your web application directly, there must be a mediator which can take the request from the external user’s to your web browser and send the request to the web application and get the data and send the data to the end user’s.
Here the mediator called WEBSERVER, here we should deploy a web server so that the webserver will take http or https requests from the end user. you need to integrate the web server to the application server. so the request will receive the web server and pass to the web application.
The webserver called as apache web server. In apache web server there is small application inside it that called as log4j. Apache provides a logging library provided by Log4j that is able to log in Java. Log4j is a wonderful log-based API available for both Java and .net framework.
It is a fast, reliable, and flexible logging framework written in Java. it has ability to categorize logs at various levels, such as Trace, Debug, Info, Warn, Error, and Fatal is included with the application.
Basically, attacker will send malicious http/https formatted string to the apache webserver, that string will be taken by log4j software. Log4j has a feature called Java Naming and Directory Interface (JNDI), which consists of an API (Application Programming Interface) and a SPI (Service Provider Interface). JNDI has an inbuilt lookup feature, it can look up any file outside.
It used to transfer the data between the application and server, also Lookups provide a way to add values to the log4j configuration at arbitrary places.
So once log4j software picks up, then using JNDI lookup it will download any malicious software from the attacker server.
When an attacker runs malicious string initial log4j will not verify the input and send it to JNDI lookup. JNDI lookup can be done using protocol LDAP/RMI.
The JNDI features used in configurations, log messages, parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints, the attacker who can control log messages, parameters can execute the code loaded from LDAP servers when message lookup substitution is enabled.
Disabling message lookup is a mitigation method:
Login to Windows machine click on This PC select the properties and select Advanced System Settings, select Environment Variables you can see System Variables click on NEW.
Variable name : LOG4J_FORMAT_MSG_NO_LOOKUPS
Variable value : true
Reboot the server once the changes have been made. Since this is a critical issue, we need to identify all vulnerable versions of log4j that require Workarounds, or at least set up monitoring until the vendor releases the patch.
conclusion:
It is essential for businesses to invest heavily in both incident response and security analytics in order to avoid becoming compromised.
log4j vulnerability windows server fix mitigation/workaround has been explained in this post.