Log4Shell was a critical vulnerability rated 10 on the Common Vulnerability Scoring System (CVSS) in the popular open source logging utility Log4j. Relatively easy to exploit, the flaw enabled remote code execution (RCE), and was found in a huge range of proprietary and open source applications.
Some experts have predicted that it could be exploited by threat actors for years, as organizations struggle to find and patch vulnerable versions hidden in open source dependencies. However, a new report from VulnCheck, released on Monday, 18, implies that these fears were and remain exaggerated. “The reality was that, at the time, very few products using vulnerable Log4j libraries were remotely exploitable for code execution,” the report notes.
“Many security companies have made a big deal out of the more than 300 million downloads of vulnerable Log4j libraries over the past two years. The idea is that many projects are vulnerable because they use the vulnerable library. But that’s not true,” says the VulnCheck report.
The reality is that there is a small set of truly exploitable software, and only a subset of these products have been linked to exploitation (See below the list of products exploitable using Log4Shell). VulnCheck currently associates the Log4Shell exploit with 40 advanced persistent threats (APTs), ransomware groups, or botnets, but only four of the products on the list below are associated with these attacks: MobileIron, Ubiquiti UniFi Controller, VMware Horizon, and VMware vCenter.
While there may be tens of thousands of open source projects that rely on vulnerable Log4j libraries, they are unlikely to be targeted because exploitation is complicated. “Log4Shell is a two-stage attack. The first triggers a connection to a command and control server [C&C] when a string controlled by the attacker is recorded by the victim’s software. Almost all of the exploits we indexed in VulnCheck XDB stopped here,” says the cybersecurity company.
However, according to the company, it is important to realize that completing the first stage does not achieve code execution. “To execute the code [o segundo estágio], the server controlled by the attacker must provide new code for the victim to execute. This is not a trivial task in Java and requires the use of dependencies and serialized gadgets that may not work against the victim software,” the report says.
In short, each targeted product is vulnerable to a different set of Java gadgets, and some will not be vulnerable to any, the company claims. This leaves a relatively small footprint of products that are remotely exploitable with relative ease in attacks.
According to VulnCheck, as of the 7th of this month, there were only 125,000 hosts hosting software potentially vulnerable to Log4Shell, and 94% of them are now patched. “This leaves only 7,000 potentially vulnerable hosts. With an emphasis on the potential because some of the software has undetectable versions [Apache James 3+, OFBiz e Struts2]”, emphasizes the study.
“Additionally, Apache Solr typically, but not always, has authentication enabled, making it a poor initial access target. It is also difficult to identify the number of remaining hosts that are honeypots, but we assume it is a measurable quantity,” the report concludes.
The “most” products remotely exploitable using Log4Shell are listed below, not including Minecraft:
- Apache Druid
- Apache James
- Apache JSPWiki
- Apache OFbiz
- Apache Skywalking
- Apache Solr
- Apache Struts2
- Ivanti MobileIron
- ManageEngine ADManager
- Ubiquiti UniFi Controller
- VMware Horizon
- VMware vCenter
Sources: CisoAdvisor, VuInCheck
