Alert java/exploit cve 2021-44228

[Saifuddinit 1]

We Are facing issue on new Security Vulnerability can you please check, its already showing in one our client machine and it is blocked but can you confirm it is secure or it secure from eset and we are waiting your reply

 

[itman 1,659]

FYI: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

You need to apply the latest Apache server patch update as noted here: https://www.bleepingcomputer.com/news/security/log4j-2171-out-now-fixes-new-remote-code-execution-bug/

It appears that an external source is trying to exploit this vulnerability via a Chrome connection from the client device.

Edited January 1, 2022 by itman

[Saifuddinit 1]

Hi Imran But here we are not using any apache server this just from Chrome its blocked from Eset so there any have to from my end in client laptop or no need

[Marcos 5,070]

Also note that the attacks will continue even after patching vulnerabilities, you can't prevent that without filtering the communication on a firewall before the server. However, even if you didn't install the appropriate security update, ESET has blocked the communication so you would be safe. Of course, that doesn't mean you could hesitate with installation of security updates, not at all.

Anyways, it would be of interest to see details of the attack, ie the source and target IP addresses and ports.

[Saifuddinit 1]

Thank admin for update so now what we can do now to prevent this type of attack and right now we need to anything in client laptop like windows update  Eset update l

[Marcos 5,070]

2 minutes ago, Saifuddinit said:

Thank admin for update so now what we can do now to prevent this type of attack and right now we need to anything in client laptop like windows update  Eset update l

If you don't have Apache installed, it was most likely a non-targeted attack when the attacker was just trying to attack the machine in the hope that Apache might be installed.

[itman 1,659]

12 minutes ago, Saifuddinit said:

Hi Imran But here we are not using any apache server

It is not just Apache server that is vulnerable. Here is a comprehensive list of software affected: https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md

[Saifuddinit 1]

Imran I got you mean to say below link whatever software is there need to update security patch right ??

Edited January 1, 2022 by Saifuddinit

[Saifuddinit 1]

Hi Imran

Sorry I got you mean below link show like which software affected

[itman 1,659]

11 minutes ago, Saifuddinit said:

Imran I got you mean to say below link whatever software is there need to update security patch right ??

Not sure I understand you fully.

If a software vendor product is affected; the vendor has patch for this vulnerability;, and you have this affected software installed somewhere in your installation; then the patch should be installed ASAP.

[Saifuddinit 1]

Hi ItMan

I got the what you say but I saw the user laptop its didn't find any software which is infected i can see eset log its show action blocked

[itman 1,659]

1 hour ago, Saifuddinit said:

Hi ItMan

I got the what you say but I saw the user laptop its didn't find any software which is infected i can see eset log its show action blocked

My current situation understanding of this Java based vulnerability is it is the most active exploit attempt.

Assume that the user of the device where Eset detected the vulnerability via Chrome landed on a malicious or infected web site that attempted to exploit this vulnerability. This could have been done via numerous methods. It appears to me that the attacker found some software installed on your network installation that is vulnerable and tried to exploit it. Luckily, Eset detected the exploit attempt and blocked it.

Note that there are currently multiple exploits detected in regards to this Java vulnerability; CVE-2021-44228 is just one of them.

Also, make sure all your Chrome installations are using the latest version: https://www.cvedetails.com/cve/CVE-2021-30599/

Finally, CISA has developed an app that will scan your network for apps vulnerable to CVE-2021-44228: https://www.bleepingcomputer.com/news/security/cisa-releases-apache-log4j-scanner-to-find-vulnerable-apps/

Edited January 1, 2022 by itman

[Saifuddinit 1]

Hi ItMan

I have seen below link i have checked all software in client laptop and there is  not impact anything so what cause this happen

[itman 1,659]

17 minutes ago, Saifuddinit said:

Hi ItMan

I have seen below link i have checked all software in client laptop and there is  not impact anything so what cause this happen

You have to check all your network devices; client and server devices, for vulnerable software. Not just the laptop where the Eset alert generated.

[Marcos 5,070]

Please provide logs collected with ESET Log Collector which will show the IP address that the attack attempt originated from.

[itman 1,659]

Here's a specific example of how attackers are exploiting this vulnerability. Hence, the need to scan all installation devices for vulnerable apps and apply vendor supplied patches:

Quote

The attempted intrusion exploited the newly discovered Log4Shell flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch threat actor payloads hosted on a remote server.

https://thehackernews.com/2021/12/chinese-apt-hackers-used-log4shell.html

Edited January 2, 2022 by itman