What Is Log4Shell and How to Protect Your Linux System Against It

What Is Log4shell And How To Protect Your Linux System Against It Featured Image

The Log4Shell (CVE-2021-44228) vulnerability is described by many cybersecurity researchers and experts to be the most critical zero-day vulnerability of all time. It affects a widely-used Java utility by the name of Log4j, which has been around since 2001 for logging and communicating events, such as routine system operations and software errors. Here we show you how to protect your Linux system against it.

How Does the Log4Shell Vulnerability Work?

On a fundamental level, the vulnerability is caused by improper input validation. This happens when software doesn’t properly validate the data it receives, leading to possible vulnerabilities, since incorrectly validated input can be used to make the program perform actions it’s not supposed to.

Log4Shell specifically takes advantage of requests Log4j sends to servers, utilizing LDAP and JNDI. By taking advantage of these requests, an attacker can execute code on any vulnerable system, which can lead to a malicious actor taking complete control of the system and having the ability to install ransomware or steal data.

What Does Log4Shell Affect?

Since Java is an extremely popular programming language, a lot of software written in Java that uses Log4j for its logging functionality is affected by this vulnerability. Some of the most well-known and commonly-used software affected by this vulnerability include Apache and the video game called Minecraft.

How to Know Which Software Are Affected?

Log4Shell, like any other cybersecurity vulnerability, is mitigated by patching the software affected by it. However, the case of Log4Shell is a bit more unique, since it affects such a wide range of software, and it can be difficult to keep a list of what is affected and what isn’t.

Luckily, the National Cyber Security Center of The Netherlands has published a comprehensive list on GitHub, which includes names of software developed by different organizations, that informs whether they are vulnerable to Log4Shell.

How to Scan Your Apache Server for the Vulnerability

Since this vulnerability has greatly affected the cybersecurity and software communities, it is no surprise that there are tools available for administrators to scan their servers for the vulnerability.

One such scanner is Log4j-RCE-Scanner, which allows you to scan for remote command execution vulnerability on Apache Log4j at multiple addresses.

Installing Log4j-RCE-Scanner

Before we start, we need to install its dependencies, httpx and curl.

Curl can be easily installed on Ubuntu and Debian-based systems using the apt command:

sudo apt install curl
curl dependency installation

The same can be done on Arch Linux using the pacman command:

sudo pacman -Sy curl

And on CentOS and Fedora installations using the yum command:

sudo yum install curl

Installing httpx can be done with the following commands:

git clone https://github.com/projectdiscovery/httpx
cd httpx/cmd/httpx && go build .
sudo mv httpx /usr/local/bin/
httpx dependency git clone

After installing all of the necessary dependencies, clone the Log4J-RCE-Scanner repository:

git clone https://github.com/adilsoybali/Log4j-RCE-Scanner
bash apache log4j rce scanner git clone

Access the newly created directory:

cd Log4j-RCE-Scanner/

Finally, add the necessary executable permissions for the Bash script:

chmod +x log4j-rce-scanner.sh
bash apache log4j rce scanner chmod

Using Log4j-RCE-Scanner

After you have installed the scanner, you can finally get to the fun part of actually using it.

Read the script’s help section by typing:

bash log4j-rce-scanner.sh -h
bash apache log4j rce scanner help

Now, you can scan your Apache server for the Log4shell vulnerability.

bash log4j-rce-scanner.sh -d [domain] -b [Burp collaborator]

You can specify your domain and Burp Collaborator using the -d and -b flags. If your domain is vulnerable, DNS callbacks with the vulnerable domain name are sent to the Burp Collaborator.

Alternatively, the -l flag can also be used to specify a list of domains.

bash apache log4j scanner test scan

Installing and Using a Python-Based Scanner

If you prefer to use a Python script instead, you can use the log4-scanner, which is developed by the Cybersecurity and Infrastructure Security Agency of the United States.

To install it:

git clone https://github.com/cisagov/log4j-scanner/

Access the directory:

cd log4j-scanner/log4-scanner/

You can install the required dependencies using the Python-based pip3 command:

pip3 install -r requirements.txt
python log4j rce scanner git clone

You can view the “help” provided by the script using the -h flag:

python3 log4j-scan.py -h
python apache log4j rce scanner help

Scanning a single URL is simple and can be done using the -u flag:

python3 log4j-scan.py -u example.com
python apache log4j rce scanner single scan

You can also scan a list of URLs by using the -l flag:

python3 log4j-scan.py -l list.txt
python apache log4j rce scanner list scan

How to Patch Apache

To combat this vulnerability, it is extremely important to keep your Apache configuration up to date.

Checking the version of Apache can be done in many ways: by checking from your administration panel, such as CPanel, or WebHost Manager. You can also check the version by running the httpd command with the -v flag:

httpd -v

Apache can be updated to the latest, most secure version using the apt command on Debian and Ubuntu systems:

sudo apt update && sudo apt upgrade apache2

The same result is also accomplished using the yum command on CentOS:

sudo yum install httpd

Frequently Asked Questions

1. Which versions of Log4j are affected by the vulnerability?

Versions below are vulnerable to the exploit. Version 2.15.0 fixed the most easily exploitable elements, with 2.17.1 fixing a difficult-to-exploit remote code execution vulnerability.

2. Do I need the Burp Collaborator utility to receive DNS callbacks with vulnerable domain names?

According to the developer of the Bash-based scanner, Burp Collaborator is used alongside the script itself to receive the DNS callbacks with vulnerable domain names. Alternatively, an Interact.sh address can be used.

3. Do I need other dependencies to use the Bash-based scanner?

For basic usage, you only need to have httpx and Curl installed on your system as dependencies. However, for unlocking some functionality, you will also need Subfinder, Assetfinder, and Amass to be installed.

Severi Turusenaho

Technical Writer - Linux & Cybersecurity.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox