SUBJECT: Apache Log4j (also called Log4Shell) Vulnerability CVE-2021-44832
CRITICALITY: Extremely Critical.
OVERVIEW: On December 9, 2021, security researchers discovered a critical vulnerability in a widely used, Java-based software library called Log4J. As the name suggests, Log4J is used for logging requests, and it is estimated that the vulnerability may be present in over 100 million instances around the world.
The widespread inclusion of this component as a direct or indirect dependency means that even when you identify and patch systems you directly develop or manage, it is possible that the vulnerability still exists in your environment as an indirect dependency used by some other dependency. Further, the code may not even appear as a separate file but may be incorporated into the jar file of some other component.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker can execute remote code on the server with the same privileges as the Java-based application that invoked Apache Log4j v2, when message lookup substitution is enabled. This allows the attacker to take full control of the vulnerable system.
It is important to identify and patch all systems with the Log4Shell vulnerability. In some cases, vendors have mitigated the vulnerability, but end users must still take actions to fully implement the fix. If vulnerable systems have been exposed to the internet, patching will prevent future exploitation, but will not eradicate malware already present on compromised systems. Due to the ease of exploitation, and the fact that attackers exploiting the Log4J vulnerability can gain full control of compromised systems, it is highly recommended that vulnerable systems be investigated for indicators of compromise.
THREAT INTELLIGENCE:
The first active exploitation of this vulnerability in the wild has been reported as of December 1, 2021. Exploit code is publicly available for this vulnerability.
SOLUTION:
In order to mitigate Log4j vulnerabilities in solution stacks that accept data from the internet, immediately apply appropriate patches (or apply workarounds if unable to upgrade), conduct a security review, and report compromises to your insurance company claims contact number at: (855) 440-3400. Please double check that this is the same claims number that is listed on your policy.
To reduce the risk posed by the Log4Shell vulnerabilities, please take the following steps:
a. For environments using Java 8 or later, upgrade to Log4j version 2.17.1 (released 12/28/2021) or newer.
b. For environments using Java 7, upgrade to Log4j version 2.12.4 (released 12/28/2021).
c. For environments using Java 6, upgrade to Log4j version 2.3.2 (released 12/28/2021).
Note: Limit Java Naming and Directory Interface (JNDI) data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Note: Java 6 and Java 7 are currently end of life. Organizations should upgrade to Java 8. 3. Inform your end users of products that contain these vulnerabilities and strongly urge them to prioritize software updates.
Note: CISA is actively maintaining a GitHub page and repository with patch information for products known to be affected by Log4Shell. CISA has also notified ICS vendors that may be affected and has asked them to confirm any assets affected by Log4Shell and to apply available mitigations.
REFERENCES:
Apache Log4j Security Vulnerabilities:
https://logging.apache.org/log4j/2.x/security.html
Download Apache Log4j 2
https://logging.apache.org/log4j/2.x/download.html
NIST National Vulnerability Database CVE-2021-44228 Detail
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Cybersecurity & Infrastructure Security Agency (CISA)
Apache Log4j Vulnerability Guidance
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
CISA Log4j (CVE-2021-44228) Affected Vendor & Software Listhttps://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md