Active Scan: Log4j Vulnerable to RCE

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

Supported Log4j vulnerability scanners inject obfuscated JNDI lookups in HTTP parameters, URLs, and text fields with callbacks to domains controlled by the scanners. This finding is generated when DNS queries for the unobfuscated domains are found. Such queries only occur if a JNDI lookup was successful, indicating an active Log4j vulnerability.

Event Threat Detection is the source of this finding.

How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open an Active Scan: Log4j Vulnerable to RCE finding, as directed in Reviewing finding details. The details panel for the finding opens to the Summary tab.

2. On the Summary tab, review the information in the following sections:

   • What was detected
   • Affected resource, especially the following field:
     • Resource full name: the full resource name of the Compute Engine instance that is vulnerable to the Log4j RCE.
   • Related links, especially the following fields:
     • Cloud Logging URI: link to Logging entries.
     • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
     • Related findings: links to any related findings.

3. In the detail view of the finding, click the JSON tab.

4. In the JSON, note the following fields.

   • properties
     • scannerDomain: the domain used by the scanner as part of the JNDI lookup. This tells you which scanner identified the vulnerability.
     • sourceIp: the IP address used to make the DNS query
     • vpcName: the name of the network on the instance where the DNS query was made.

Step 2: Check logs

1. In the Google Cloud console, go to Logs Explorer by clicking the link in the Cloud Logging URI field from step 1.

2. On the page that loads, check the httpRequest fields for string tokens like ${jndi:ldap:// that may indicate possible exploitation attempts.

   See CVE-2021-44228: Detecting Log4Shell exploit in the Logging documentation for example strings to search for and for an example query.

Step 3: Research attack and response methods

1. Review the MITRE ATT&CK framework entry for this finding type: Exploitation of Remote Services.
2. Review related findings by clicking the link on the Related findings on the Related findings row in the Summary tab of the finding details. Related findings are the same finding type and the same instance and network.
3. To develop a response plan, combine your investigation results with MITRE research.

Step 4: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

• Upgrade to the latest version of Log4j.
• Follow Google Cloud's recommendations for investigating and responding to the "Apache Log4j" vulnerability.
• Implement the recommended mitigation techniques in Apache Log4j Security Vulnerabilities.
• If you use Google Cloud Armor, deploy the cve-canary rule into a new or existing Cloud Armor security policy. For more information, see Google Cloud Armor WAF rule to help mitigate Apache Log4j vulnerability.

What's next

• Learn how to work with threat findings in Security Command Center.
• Refer to the Threat findings index.
• Learn how to review a finding through the Google Cloud console.
• Learn about the services that generate threat findings.