How to avoid Log4j vulnerability in your Magento

rafaelcg

Rafael Corrêa Gomes

Posted on December 16, 2021

How to avoid Log4j vulnerability in your Magento

Learn what Log4j is, how to verify it and how to avoid this attack on your Adobe Commerce and Magento OpenSource. Before start going deep into it, these are the next emergency steps to avoid this issue.

Add a custom VCL rule in your Fastly or Varnish.
Upgrade your ElasticSearch to the new version (Dec 13, 2021).
Run the audit tool mentioned in this article.

What’s Log4j?

It’s a Java framework used by developers to keep records of activity within an application. Although, the hacker has been using it to exploit the flaw is strategically sends a malicious code string that eventually gets logged by Log4j version 2.0 or higher (CVE-2021-44228). The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.

Magento Log4j

When you have Adobe Commerce installation the most possible software that might bring this vulnerability is ElasticSearch. If you have it in a different server or container you might check that server first.

If you have hosting support, for example, MageMojo, Ecritel, WebScale or Platform.sh, contact them as soon as possible. Having your own server on AWS or Digital Ocean, make sure you have your server has updated packages. The main updated package that you need to have is ElasticSearch.

In order to keep your server updated you should keep your Magento updated too, the last stable version of Magento is compatible with the lasted version of the server packages too, like PHP, ElasticSearch, etc. If you don’t have your upgrade planned, let’s create one for you.

ElasticSearch

If you use ElasticSearch 5, 6 or 7 you need to update it to use the version launched today (Dec 13, 2021). To mitigate attacks during the time you’re upgrading your ElasticSearch, you need to set the JVM option below.

-Dlog4j2.formatMsgNoLookups=true
Enter fullscreen mode Exit fullscreen mode

Fastly

For now, Fastly has not yet deployed a general WAF rule, if you want to mitigate against this please deploy this VCL on staging and test then deploy to prod. It’s going to block possible communication via a new Log4j script.

Magento 2 Fastly Log4j

How to detect it?

The easiest way to detect it is to run this script below, it’s going to verify if you have the vulnerability. In case you have that vulnerability in your server, you can run the second tool called Grype, it’s going to find any possible threat using this vulnerability.

Automated Check

wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - |bash
Enter fullscreen mode Exit fullscreen mode

Or Manual check

Find files with suspect names

locate log4j|grep -v log4js;
Enter fullscreen mode Exit fullscreen mode

Find the lib log4j if it’s installed

dpkg -l|grep log4j;
Enter fullscreen mode Exit fullscreen mode

Check if Java it’s installed, if it’s check folders jar/war/ear

which java
Enter fullscreen mode Exit fullscreen mode

Thank you for checking it, and remember to keep your system updated.

💖 💪 🙅 🚩
rafaelcg
Rafael Corrêa Gomes

Posted on December 16, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related