Data Theorem Analyzer Engine Discovers Unique Mutation of Log4Shell to Help Research Teams Detect APIs and Servers Vulnerable to Attack
Data Theorem, Inc., a leading provider of modern application security, today announced it has uncovering specific scenarios that can help IT teams discover the Log4Shell vulnerability exploit and stop it from causing harm to their applications, following research conducted using its API Analyzer Engine. The widely publicized vulnerability is a potential threat to millions of applications and devices across the globe. Data Theorem has published its finding on a unique mutation of Log4Shell discovery and exploitation called “Stored Log4Shell.”
Log4Shell is a software vulnerability in Apache Log4j 2, a popular Java library for logging error messages in applications. The vulnerability, published as CVE-2021-44228, enables a remote attacker to take control of a device on the internet if the device is running certain versions of Log4j 2. Since Dec. 10, days after industry experts discovered a critical vulnerability known as Log4Shell in servers supporting the game Minecraft, bad actors have made millions of exploit attempts of the Log4j 2 Java library.
During the Data Theorem team analysis, researchers noticed the Log4j callback connection for LDAP requests sent to Data Theorem’s exploit listening service took anywhere from a few seconds, which is the norm, to several hours. It is during the LDAP request that an application proves vulnerable to Log4Shell, so the longer the duration the higher the risk. Data Theorem’s team further investigated why it would take so long for the request, and uncovered the following scenario:
- A web application receiving Data Theorem’s Log4Shell payload was not vulnerable. It logged the payload (for example as part of the User-Agent header) to a file, but it did not use a vulnerable version of the Log4j library to do so. As a result, the exploit was not triggered.
- Later, a separate application processed the log files generated by the initial web application. This follow-on application uses a vulnerable version of the Log4j library and logged some data extracted from the initial application’s logs. This is when the exploit was triggered, and explains why it would happen hours after the initial request.
Data Theorem dubbed this as a “Stored Log4Shell” issue, where the payload was stored to a file, and at a later stage reached a vulnerable application which then gets exploited. As a result of this analysis, Data Theorem recommends organizations remain patient with their discovery methods of vulnerable systems and have longer lasting listening services to find secondary systems.
During the analysis, an example of this took place with S3 buckets that have S3 Access or CloudTrail enabled for logging HTTP requests sent to the bucket. In one of the environments scanned, a Java application was configured to process a bucket’s access logs every few hours. This Java application was using a vulnerable version of the Log4j library, and was logging specific content extracted from the bucket’s logs, thereby triggering the exploit much later than the original request for discovery. Overall, this highlights how this vulnerability is mutating in unexpected ways and expands the illusive nature of Log4Shell discovery, because applications that are not directly accessible to an attacker from the Internet can still get compromised via a “stored” Log4Shell.
“Data Theorem helps organizations solve some of their most complex application and cloud security challenges, and this discovery demonstrates the value of Data Theorem’s Analyzer Engine,” said Alban Diquet, Data Theorem Head of Engineering. “Data Theorem has been diligent helping customers not only remediate this Log4Shell vulnerability but also pushing our own automation in order to continuously discover the long-tail of this challenging exploit.”
Data Theorem’s award-winning Analyzer Engine continuously discovers vulnerabilities in multi-cloud and on-premise environments while providing critical alerts, observability, and active protection capabilities. The API security solution continuously scans mobile and web applications, APIs, and cloud resources in search of security flaws and data privacy gaps; enumerates the specification using standards such as Swagger and Open API 3.0; and supports AWS, Google Cloud, and Microsoft Azure platforms.
Data Theorem’s broad AppSec portfolio protects organizations from data breaches with application security testing and protection for modern web frameworks, API-driven microservices and cloud resources. Its solutions are powered by its award-winning Analyzer Engine, which leverages a new type of dynamic and run-time analysis that is fully integrated into the CI/CD process, and enables organizations to conduct continuous, automated security inspection and remediation.