Tag: vulnerabilities

  • Log4j 2.16.0 Fixes Critical Vulnerabilities: What You Must Know

    Apache Log4j 2.16.0 Is Now Available – Critical Update Required

    A new follow-on vulnerability in Log4j has been discovered and fixed in version 2.16.0, addressing CVE-2021-44228 and CVE-2021-45046. If you’re still using version 2.15.0 or earlier, your applications may remain vulnerable in certain non-default configurations.

    This is a follow-on from my previous post: Log4J Zero-Day Exploit: Explained with Fixes.

    Here’s why this update is critical and what you need to do.

    TL;DR

    If you’re short on time, here’s the gist:

    • Upgrade your Log4j library to version 2.16.0 immediately.
    • The newer version completely removes the risky message lookup feature, which was the critical enabler of these exploits.
    • Visit the Apache Security Page for the latest updates.

    Why Version 2.15.0 Isn’t Enough

    While version 2.15.0 addressed the initial vulnerability, it left certain configurations exposed. Specifically, a non-default Pattern Layout that pulls a Thread Context (MDC) value into the log message through a Context Lookup could still allow exploitation when that value is attacker-controlled. Version 2.16.0 eliminates this risk by fully removing the message lookup functionality.

    Misleading Fixes to Avoid

    Not all solutions floating around the community are effective. Avoid relying on the following:

    • Updating just the Java version.
    • Filtering vulnerabilities using Web Application Firewalls (WAF).
    • Modifying the log statement format to %m{nolookups}.

    These approaches won’t fully mitigate the vulnerabilities, so upgrading to version 2.16.0 is your safest bet.

    How to Stay Updated

    The Log4j exploit has drawn global attention, leading to a flood of information, some of which may be inaccurate. For reliable updates, stick to trusted sources such as the Apache Security Page.

    What’s Next?

    This is an evolving situation, and further updates may arise. Bookmark the Apache Security Page and regularly check for announcements to stay ahead of potential risks.

  • Log4J Zero-Day Exploit: Explained with Fixes

    Note: Check out my latest blog for updated information and solutions on this issue: Log4j 2.16.0 Fixes Critical Vulnerabilities: What You Need to Know

    The best evidence I have seen so far is that of a Little Bobby Tables LinkedIn exploit 🫣

    Overview: What Is the Log4J Zero-Day Exploit (CVE-2021-44228)?

    A critical zero-day exploit affecting the widely used Log4J library has been identified and fixed in version 2.15.0. This vulnerability (CVE-2021-44228) allows attackers to gain complete control of your server remotely—making it one of the most dangerous Java-based vulnerabilities to date.

    For details, visit the Apache Log4j Security Page. This isn’t just a Java developer’s headache—it’s a wake-up call for every engineer, security specialist, and even non-Java tech teams whose tools rely on Log4J indirectly (looking at you, Elasticsearch and Atlassian users).

    This post explains:

    1. How the exploit works.
    2. How to check if you’re affected.
    3. Step-by-step fixes to secure your applications.

    Quick Summary

    • Upgrade Log4J to version 2.15.0 or later immediately.
    • Workarounds exist for systems where upgrading isn’t feasible (see below).
    • Popular apps like Elasticsearch, Minecraft, and Jira are affected.

    Understanding the Exploit

    The vulnerability lies in log4j-core versions 2.0-beta9 to 2.14.1. When an application logs user inputs using Log4J, the exploit allows malicious actors to execute arbitrary code remotely. In practical terms, if your app takes user input and logs it, you’re at risk.

    Am I Affected?

    If your system runs Java and incorporates log4j-core, either directly or through dependencies, assume you’re affected. Use tools like Maven or Gradle to identify the versions in your project. Here’s how:

    For Gradle

    ./gradlew dependencies | grep "log4j"

    For Maven

    mvn dependency:tree | grep log4j

    Most Java applications log user inputs, making this a near-universal issue. Be proactive and investigate now.
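The dependency listing above (and the post-upgrade verification further down) still leaves you reading version numbers by eye. The following script, an added example that is not part of the original post, parses `mvn dependency:tree` output and classifies every log4j-core version against the ranges stated in this post: 2.0-beta9 to 2.14.1 vulnerable to CVE-2021-44228, 2.15.0 still exposed in non-default configurations, 2.16.0 and later fixed. The sample tree is constructed, and the separately patched backport lines (2.12.2+, 2.3.1+) are deliberately not modelled.

```python
import re

# Matches Maven coordinates as printed by `mvn dependency:tree`
# (group:artifact:packaging:version:scope, e.g. org.apache.logging.log4j:log4j-core:jar:2.14.1:compile).
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?:jar|bundle|pom|war):(?P<version>[\w.\-]+)"
)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:alpha|beta|rc)(\d+))?$")


def parse_version(text):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple; pre-releases sort before finals."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))


def classify(version):
    """Map a log4j-core version to the ranges this post gives for CVE-2021-44228/45046.
    Limitation (assumption of this example): backport lines 2.12.2+ and 2.3.1+ are not modelled."""
    v = parse_version(version)
    if v is None:
        return "UNKNOWN"
    if v < parse_version("2.0-beta9"):
        return "NOT_IN_RANGE"
    if v <= parse_version("2.14.1"):
        return "VULNERABLE"   # CVE-2021-44228: remote code execution via message lookups
    if v < parse_version("2.16.0"):
        return "PARTIAL"      # 2.15.0: CVE-2021-45046 in non-default Pattern Layout configs
    return "FIXED"


def scan_tree(tree_output):
    """Return (artifact, version, status) for every log4j-core entry in dependency:tree output."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if m and m.group("group") == "org.apache.logging.log4j" and m.group("artifact") == "log4j-core":
            findings.append((m.group("artifact"), m.group("version"), classify(m.group("version"))))
    return findings


# Constructed sample of `mvn dependency:tree` output (not captured from a real project).
SAMPLE_TREE = r"""
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:2.5.6:compile
[INFO]    \- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
"""

if __name__ == "__main__":
    for artifact, version, status in scan_tree(SAMPLE_TREE):
        print(f"{artifact} {version}: {status}")
```

Pipe real output in with `mvn dependency:tree | python3 check_log4j.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; only log4j-core is reported because log4j-api alone does not carry the lookup code.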

    How to Fix the Log4J Vulnerability

    1. Upgrade Your Log4J Version

    The most reliable solution is upgrading to Log4J 2.15.0 or newer. Here’s how for common tools:

    Maven

    <properties>
      <log4j2.version>2.15.0</log4j2.version>
    </properties>

    Note that this property only takes effect when a parent POM or BOM that honours it (for example Spring Boot's dependency management) manages the Log4j artifacts; otherwise set the version on the log4j-core dependency itself.

    Then verify the fix with

    mvn dependency:list | grep log4j

    Gradle

    implementation(platform("org.apache.logging.log4j:log4j-bom:2.15.0"))

    Then confirm the version fix with

    ./gradlew dependencyInsight --dependency log4j-core

    2. Workarounds If Upgrading Isn’t Feasible

    For systems running Log4J 2.10 or later, use these temporary fixes:

    Add the system property

    -Dlog4j2.formatMsgNoLookups=true

    Set the environment variable

    LOG4J_FORMAT_MSG_NO_LOOKUPS=true

    For JVM-based apps, modify the launch command

    java -Dlog4j2.formatMsgNoLookups=true -jar myapplication.jar

    Applications Known to Be Affected

    Even if you’re not directly using Log4J, many popular tools and libraries depend on it. Here’s a (non-exhaustive) list of systems at risk:

    • Libraries: Spring Boot, Struts
    • Applications: Elasticsearch, Kafka, Solr, Jira, Confluence, Logstash, Minecraft
    • Servers: Steam, Apple iCloud

    If you’re using any of these, check their documentation for specific patches or updates.

    Final Reminder: Why This Matters

    Apache has rated this vulnerability as critical. Exploiting it allows remote attackers to execute arbitrary code as the server user, potentially with root access. Worm-like attacks that propagate automatically are possible.

    To stay secure:

    1. Upgrade or apply workarounds immediately.
    2. Regularly monitor the Apache Log4j Security Page for updates.

    Additional Resources

  • Elasticsearch Ransomware: A Wake-Up Call for Admins

    By now, we’ve all seen this coming. With MongoDB falling victim to ransomware attacks, other NoSQL technologies like Elasticsearch were bound to follow. The alarming truth? Many Elasticsearch clusters are still open to the internet, vulnerable to attackers exploiting weak security practices, default configurations, and exposed ports.

    This guide covers essential steps to protect your Elasticsearch cluster from becoming the next target.

    TL;DR: Essential Security Measures

    1. Use X-Pack Security: If possible, implement Elastic’s built-in security features.
    2. Do Not Expose Your Cluster to the Internet: Keep your cluster isolated from public access.
    3. Avoid Default Configurations: Change default ports and settings to reduce predictability.
    4. Disable HTTP Access: If not required, disable HTTP access to limit attack vectors.
    5. Use a Firewall or Reverse Proxy: Implement security layers like Nginx, VPN, or firewalls (example Nginx config).
    6. Disable Scripts: Turn off scripting unless absolutely necessary.
    7. Regular Backups: Use tools like Curator to back up your data regularly.

    The Ransomware Playbook

    Ransomware attackers are targeting Elasticsearch clusters, wiping out data, and leaving ransom notes like this:

    “Send 0.2 BTC (bitcoin) to this wallet xxxxxxxxxxxxxx234235xxxxxx343xxxx if you want to recover your database! Send your service IP to this email after payment: xxxxxxx@xxxxxxx.org.”

    Their method is straightforward:

    • Target: Internet-facing clusters with poor configurations.
    • Exploit: Clusters with no authentication, default ports, and exposed HTTP.
    • Action: Wipe the cluster clean and demand payment.

    Why Are Clusters Vulnerable?

    Many Elasticsearch admins overlook basic security practices, leaving clusters open to the internet without authentication or firewall protection. Even clusters with security measures are often left with weak passwords, exposed ports, and unnecessary HTTP enabled.

    The lesson? Default settings are dangerous. Attackers are actively scanning for such vulnerabilities.

    How to Protect Your Elasticsearch Cluster

    1. Use Elastic’s X-Pack Security

    X-Pack, Elastic’s security plugin, provides out-of-the-box protection with features like:

    • User authentication and role-based access control (RBAC).
    • Encrypted communication.
    • Audit logging.

    If you’re using Elastic Cloud, these protections are enabled by default.

    2. Avoid Exposing Your Cluster to the Internet

    Isolate your cluster from public access:

    • Use private IPs or a Virtual Private Network (VPN).
    • Block all inbound traffic except trusted sources.

    3. Change Default Ports and Configurations

    Avoid predictability by changing Elasticsearch’s default port (9200) and disabling unnecessary features like HTTP if they aren’t required.

    4. Implement Firewalls and Reverse Proxies

    Add security layers between your cluster and potential attackers:

    • Use a reverse proxy like Nginx or Apache.
    • Configure firewall rules to allow only trusted IPs.

    5. Disable Scripting

    Unless absolutely necessary, disable Elasticsearch’s scripting capabilities to minimize attack surfaces. You can disable scripts in the elasticsearch.yml configuration file:

    script.allowed_types: none

    6. Regular Backups with Curator

    Data loss is inevitable without backups. Use tools like Elasticsearch Curator to regularly back up your data. Store snapshots in a secure, offsite location.

    Additional Resources

    Closing Thoughts

    Elasticsearch ransomware attacks are a stark reminder of the importance of proactive security measures. Whether you’re hosting your cluster on Elastic Cloud or self-managing it, adopting the security best practices outlined here will safeguard your data from malicious actors.

    Remember:

    • Change default configurations.
    • Isolate your cluster from the internet.
    • Regularly back up your data.

    If your Elasticsearch cluster is unprotected, the time to act is now—don’t wait until it’s too late.