Rafael Corrêa Gomes

Adobe Commerce Log4j

Learn what Log4j is, how to verify it and how to avoid this attack on your Magento Commerce.
Adobe Commerce - Magento Log4j

What’s Log4j?

It’s a Java framework used by developers to keep records of activity within an application. Although, the hacker has been using it to exploit the flaw is strategically sends a malicious code string that eventually gets logged by Log4j version 2.0 or higher (CVE-2021-44228). The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.

Magento Log4j

When you have Adobe Commerce installation the most possible software that might bring this vulnerability is ElasticSearch. If you have it in a different server or container you might check that server first.
If you have hosting support, for example, MageMojo, Ecritel, WebScale or Platform.sh, contact them as soon as possible. Having your own server on AWS or Digital Ocean, make sure you have your server has updated packages. The main updated package that you need to have is ElasticSearch.
In order to keep your server updated you should keep your Magento updated too, the last stable version of Magento is compatible with the lasted version of the server packages too, like PHP, ElasticSearch, etc. If you don’t have your upgrade planned, let’s create one for you.

ElasticSearch

If you use ElasticSearch 5, 6 or 7 you need to update it to use the version launched today (Dec 13, 2021). To mitigate attacks during the time you’re upgrading your ElasticSearch, you need to set the JVM option below.

-Dlog4j2.formatMsgNoLookups=true

Fastly

For now, Fastly has not yet deployed a general WAF rule, if you want to mitigate against this please deploy this VCL on staging and test then deploy to prod. It’s going to block possible communication via a new Log4j script.

How to detect it?

The easiest way to detect it is to run this script below, it’s going to verify if you have the vulnerability. In case you have that vulnerability in your server, you can run the second tool called Grype, it’s going to find any possible threat using this vulnerability.

Automated Check

wget https://raw.githubusercontent.com/rubo77/log4j_checker_beta/main/log4j_checker_beta.sh -q -O - |bash

Or Manual check

Find files with suspect names

locate log4j|grep -v log4js;

Find the lib log4j if it’s installed

dpkg -l|grep log4j;

Check if Java it’s installed, if it’s check folders jar/war/ear

which java

Thank you for checking it, and remember to keep your system updated.

About me

Rafael Corrêa Gomes

Rafael Corrêa Gomes

Senior ecommerce developer and architect based in Montreal, Canada. With experience with saas, product and team management using Magento, Shopify, PHP, JavaScript and NodeJS.