CVE-2021-44228 - Log4j RCE

Critical RCE Vulnerability: log4j - CVE-2021-44228 On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified being exploited in the wild. Public proof of concept (PoC) code was released and subsequent investigation revealed that exploitation was incredibly easy to perform. On Dec. 14 2021, another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45046. On Dec 18 2021, yet another vulnerability was discovered related the log4j 0-day exploit known as CVE-2021-45105 that allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. On Dec 28 2021, another RCE vulnerability was published for Apache Log4j2, versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4). In order to exploit this vulnerability, an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2. **Affected Version** Apache Log4j 2.x <= 2.17.0 This playbook should be triggered manually or can be configured as a job. Please create a new incident and choose the **CVE-2021-44228 - Log4j RCE** playbook and **Rapid Breach Response** incident type. **The playbook includes the following tasks:** * Collect related known indicators from several sources. * Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. *Search for possible vulnerable servers using Xpanse and Prisma Cloud. * Block indicators automatically or manually. **Mitigations:** * Apache official CVE-2021-44228 patch. * Unit42 recommended mitigations. * Detection Rules. * Snort * Suricata * Sigma * Yara * Zeek Intel More information: [Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)](https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2021-44228 - Log4j RCE · 82 tasks · 12 inputs · 0 outputs

Inputs

  • SplunkIndex — The Splunk index field to search in. Default is "*"
  • SplunkSourcetype — The Splunk sourcetype field to search in. Default is "*"
  • SplunkEarliestTime — The earliest time for Splunk query.
  • SplunkLatestTime — The latest time for the Splunk search query.
  • XDRScriptExecution — Whether to investigate automatically the endpoint logs "/var/log" using XDR Endpoint Script Execution or manually.
  • XDREndpointIDs — The Endpoint IDs to search using XDR Endpoint Script Execution in a comma delimited format. If you would like the playbook to execute the command on all known Linux OS endpoints Set to "ALL".
  • PlaybookDescription — The playbook description for Rapid Breach Response layout.
  • CollectedIndicatorsSeverity — The verdict of the collected indicators. Default is "Malicious". Other options can be "Suspicious" and "Unknown".
  • RunXQLHuntingQueries — Whether to perform XQL hunting queries. Default is "False".
  • RelatedCVEs — The log4j related CVEs.
  • QRadarTimeRange — The time range for QRadar query.
  • BlockIndicatorsAutomatically — Whether to block the indicators automatically or not.

Commands used

associateIndicatorsToIncident closeInvestigation createNewIndicator expanse-get-issues extractIndicators prisma-cloud-config-search redlock-get-rql-response splunk-search xdr-get-endpoints xdr-script-commands-execute xdr-xql-generic-query

Flowchart

Yes Yes yes ALL Specific yes No Yes no yes yes no yes yes yes yes yes yes Start Start Collect Indicators Collect Indicators Collect indicators from GreyNoise - ParseHTMLIndicators Collect indicators from G... ParseHTMLIndicators Download Suricata Rules - http Download Suricata Rules http Download Snort Rules - http Download Snort Rules http Extract Indicators Extract Indicators Extract Indicators From Data Collected - extractIndicators Extract Indicators From D... extractIndicators Tag and Link Indicators Tag and Link Indicators Link Indicators To Incident - associateIndicatorsToIncident Link Indicators To Incident associateIndicatorsToIncident SIEM Hunting SIEM Hunting Palo Alto Networks Hunting Palo Alto Networks Hunting Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 SIEM Advanced Hunting SIEM Advanced Hunting Is Splunk Enabled? Is Splunk Enabled? Threat Hunting Threat Hunting Is QRadar Enabled? Is QRadar Enabled? Build QRadar AQL Query - QRadarCreateAQLQuery Build QRadar AQL Query QRadarCreateAQLQuery Search for exploitation patterns - splunk-search Search for exploitation p... splunk-search Palo Alto Networks - Hunting And Threat Detection - Palo Alto Networks - Hunting And Threat Detection Palo Alto Networks - Hunt... Palo Alto Networks - Hunting ... Panorama Query Logs for Related Session - Panorama Query Logs Panorama Query Logs for R... Panorama Query Logs Remediation Remediation Should search using XDR Endpoint Script Execution? Should search using XDR E... Should run on all known Linux OS endpoints? Should run on all known L... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Handle Rapid Breach Response Layout Handle Rapid Breach Respo... Hunt Using Cortex XDR Hunt Using Cortex XDR Block indicators automatically? Block indicators automati... Block indicators manually Block indicators manually Mitigation Mitigation Install log4j patched versions Install log4j patched ver... Disable JNDI and JNDI lookup Disable JNDI and JNDI lookup Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution Unit42 Recommended Mitigations Unit42 Recommended Mitiga... PANW - Disable suspicious outbound traffic PANW - Disable suspicious... Patch Vulnerability Patch Vulnerability Deploy Detection Rules Deploy Detection Rules Snort Rules Snort Rules Suricata Rules Suricata Rules Tag IP indicators - createNewIndicator Tag IP indicators createNewIndicator Tag CVE indicators - createNewIndicator Tag CVE indicators createNewIndicator QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch Download Yara Rules - http Download Yara Rules http Download Sigma Rules - http Download Sigma Rules http Sigma Rules Sigma Rules Yara Rules Yara Rules Collect Detection Rules Collect Detection Rules Check if Cortex XDR - IR is Enabled - IsIntegrationAvailable Check if Cortex XDR - IR ... IsIntegrationAvailable Retrieve All Endpoint IDs - xdr-get-endpoints Retrieve All Endpoint IDs xdr-get-endpoints Retrieve specified endpoint IDs - xdr-get-endpoints Retrieve specified endpoi... xdr-get-endpoints Cortex XDR - XQL Hunting Queries Cortex XDR - XQL Hunting ... Should run XQL hunting queries? Should run XQL hunting qu... Search for process names "java" interacted with "log4j" - xdr-xql-generic-query Search for process names ... xdr-xql-generic-query Detecting a files that matches the SHA256 hash of the Log4j vulnerable versions. - xdr-xql-generic-query Detecting a files that ma... xdr-xql-generic-query Detecting Potentially Malicious Activity Attributed with the Log4j Exploitation - xdr-xql-generic-query Detecting Potentially Mal... xdr-xql-generic-query Check if Cortex XDR - XQL Query Engine is Enabled - IsIntegrationAvailable Check if Cortex XDR - XQL... IsIntegrationAvailable Hunting for Log4Shell in Your Network Hunting for Log4Shell in ... Hunting for Log4Shell in Your Cloud Environment Hunting for Log4Shell in ... Hunt additional exploitation attempts within cloud audit logs - xdr-xql-generic-query Hunt additional exploitat... xdr-xql-generic-query Hunt for successful exploitations by looking at EDR, Firewall and flow logs - xdr-xql-generic-query Hunt for successful explo... xdr-xql-generic-query Creation of a list of the rare Java process - xdr-xql-generic-query Creation of a list of the... xdr-xql-generic-query Hunt Linux OS Hunt Linux OS Xpanse Xpanse Is Xpanse enabled? Is Xpanse enabled? Search for possible vulnerable servers using Xpanse - expanse-get-issues Search for possible vulne... expanse-get-issues Review possible vulnerable servers Review possible vulnerabl... Prisma Cloud Prisma Cloud Is Prisma Cloud enabled? Is Prisma Cloud enabled? Search for possible vulnerable servers using Prisma Cloud - redlock-get-rql-response Search for possible vulne... redlock-get-rql-response Review possible vulnerable servers Review possible vulnerabl... Found servers using Xpanse? Found servers using Xpanse? Found servers using Prisma Cloud? Found servers using Prism... Download Zeek Intel Feed - http Download Zeek Intel Feed http Zeek Intel File Zeek Intel File Execute Command - xdr-script-commands-execute Execute Command xdr-script-commands-execute Execute Command - xdr-script-commands-execute Execute Command xdr-script-commands-execute Search for Prisma Cloud Vulnerable Servers - prisma-cloud-config-search Search for Prisma Cloud V... prisma-cloud-config-search Block Indicators - Generic v2 - Block Indicators - Generic v2 Block Indicators - Generi... Block Indicators - Generic v2