Is Apache HTTP Server (Apache2) Vulnerable to Log4j CVE-2021-44228? Security Analysis & Mitigation Steps


3 views

The recent Log4j vulnerability (CVE-2021-44228) has caused widespread concern, but it's crucial to understand that Apache HTTP Server (Apache2) itself does not use Log4j for logging. The server relies on its own logging mechanism (mod_log_config), making it inherently unaffected by this specific vulnerability.

The log entries you're observing with patterns like ${jndi:ldap://} are actually scan attempts from automated bots probing for vulnerable systems. These include:

  • Kryptos Logic's scanning infrastructure (research/honeypot)
  • Malicious actors testing for Log4j exposure
  • DNS callback attempts (like dnslog.cn domains)

While Apache2 isn't vulnerable, you should:

  1. Verify Java Applications: Check if you're running any Java-based applications (Tomcat, Solr, etc.) that might use Log4j: 
    # Search for log4j files in common locations
find / -name "log4j*.jar" -type f 2>/dev/null
  2. Monitor for Suspicious Files: 
    # Check for recently created .class files
find / -name "*.class" -mtime -7 2>/dev/null
  3. Implement Web Application Firewall Rules to block Log4j exploit patterns: 
    # Example ModSecurity rule
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|REQUEST_BODY "@rx \$\{jndi:(ldap|rmi|dns):" \
    "id:1000,phase:2,deny,status:403,msg:'Potential Log4j Exploit Attempt'"

For defense-in-depth:

  • Network Segmentation: Isolate internet-facing servers
  • Outbound Filtering: Block suspicious DNS lookups
  • Log Monitoring: Set up alerts for JNDI patterns

Here's a Python script to scan Apache logs for exploit attempts:

import re
from collections import defaultdict

def scan_log_for_jndi(log_file):
    pattern = re.compile(r'\$\{jndi:(ldap|rmi|dns):[^\}]+}')
    hits = defaultdict(int)
    
    with open(log_file) as f:
        for line in f:
            matches = pattern.findall(line)
            if matches:
                ip = line.split()[0]
                hits[ip] += 1
                
    return dict(hits)

if __name__ == "__main__":
    results = scan_log_for_jndi('/var/log/apache2/access.log')
    for ip, count in results.items():
        print(f"Potential attacker: {ip} (attempts: {count})")
  • Apache2 itself is safe - no need to panic
  • Focus on Java applications running alongside Apache
  • Maintain good security hygiene (patches, monitoring)
  • Consider implementing the detection mechanisms shown above

Your Apache 2.4.38 logs show clear attempts to exploit the Log4j vulnerability (CVE-2021-44228). The patterns like ${jndi:ldap://[malicious-domain]} are telltale signs of scanning attempts. These entries come from:

  • Kryptos Logic (legitimate security researchers scanning for vulnerable systems)
  • dataastatistics.com (likely malicious actors)
  • dnslog.cn (common domain for vulnerability verification)

Apache HTTP Server (apache2) does not use Log4j for its core logging functionality. It uses its own logging mechanism (mod_log_config). The vulnerability attempts you're seeing are:

  1. Automated internet-wide scanning
  2. Attempts to exploit any potentially vulnerable Java-based applications behind your web server

For your specific case (Apache on Raspberry Pi OS):

# 1. Verify no Java applications are running behind Apache:
ps aux | grep java

# 2. Check for unexpected .class files (though unlikely on pure Apache):
find / -name "*.class" -type f -mtime -7

Since you're running a standard Apache installation without Java components, you can:

  • Monitor logs for repeated attempts
  • Consider blocking scanner IPs if they become intrusive

For defense-in-depth, even on non-vulnerable systems:

# Add these to your Apache configuration:
<IfModule mod_headers.c>
    Header always unset User-Agent
    Header always unset Referer
    RequestHeader unset User-Agent
    RequestHeader unset Referer
</IfModule>

Create a monitoring script to detect exploitation attempts:

#!/bin/bash
# log4j_scan_detect.sh
LOGFILE="/var/log/apache2/access.log"
PATTERN='\$\{jndi:(ldap▼显示?|rmi|dns):\/\/'

tail -n0 -F "$LOGFILE" | while read LINE; do
    if [[ "$LINE" =~ $PATTERN ]]; then
        echo "[WARNING] Potential Log4j exploit attempt detected:"
        echo "$LINE"
        # Optional: Add blocking rule
        IP=$(echo "$LINE" | awk '{print $1}')
        iptables -A INPUT -s "$IP" -j DROP
    fi
done

To be absolutely certain your system isn't affected:

# Check for any Java applications that might use Log4j:
dpkg -l | grep -E 'log4j|java|jre|jdk'

# Verify Apache modules:
apache2ctl -M | grep -i log

Remember that while Apache HTTP Server itself isn't vulnerable, any Java applications you might be running behind it (like Tomcat) could be at risk.