High Threat Security Alert (A21-12-05): Vulnerability in Apache Log4j


 

Published on: 10 December 2021

Last update on: 15 December 2021

  
  

 [Updated on 15 December 2021]

According to the latest security advisory published by Apache Software Foundation, Apache Log4j version 2.15.0 and the previously suggested mitigation measures did NOT completely address the remote code execution vulnerability (CVE-2021-44228).  Apache has released another Log4j version 2.16.0 to fix the vulnerability (CVE-2021-44228) as well as a newly discovered denial-of-service vulnerability (CVE-2021-45046). 

If the update cannot be applied, please implement the mitigation measure by removing the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.  Details could be found at the following URL: 
https://logging.apache.org/log4j/2.x/security.html

Please note that only applications using the log4j-core component are vulnerable.  Applications using only the log4j-api component without the log4j-core component are not vulnerable. 

 [Updated on 13 December 2021]

In addition to in-house and self-developed systems/applications, commercial products and open-source software/libraries may also be affected by the vulnerability. An inexhaustive list of advisories published by product vendors is provided below. It is strongly recommended to consult product vendors if the used software products are affected and corresponding patches/mitigation measures are available. If so, system administrators should apply the patches or follow the recommendations provided by the product vendors to mitigate the risk.

Apache Struts
https://struts.apache.org/announce-2021#a20211212-2

Cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd

Fortinet
https://www.fortiguard.com/psirt/FG-IR-21-245

VMware
https://www.vmware.com/security/advisories/VMSA-2021-0028.html

 

Description:

Apache Software Foundation has released a security advisory to address a vulnerability in Apache Log4j. A remote attacker could send a specially crafted request to exploit the vulnerability. 

Reports indicate that the vulnerability (CVE-2021-44228) is being actively exploited and a proof-of-concept (PoC) code for the vulnerability is publicly available. System administrators are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • Java-based systems or applications using Apache Log4j with version prior to 2.15.0-rc2

 

Impact:

A successful attack could lead to remote code execution on an affected system.

 

Recommendation:

Apache Software Foundation has released new version of the product to address the issue and it can be downloaded at the following URL:

https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

If the security patch could not be applied immediately, administrators of affected systems should follow the recommendations provided by Apache Software Foundation and take immediate actions to mitigate the risks:

  • Add -Dlog4j.formatMsgNoLookups=true as a command line option or
    add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath.
  • Specify %m{nolookups} in the PatternLayout configuration.
  • Remove the JndiLookup and JndiManager classes from the log4j-core jar.  Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

 

More Information:

  • https://logging.apache.org/log4j/2.x/
  • https://www.cert.org.cn/publish/main/9/2021/20211210110550958546708/20211210110550958546708_.html
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

 



Tag: Apache , Log4j
Tags