Security

Mitigation Instructions for CVE-2021-44832 (log4shell)

Written by CyRisk Vulnerability Management Team | Apr 11, 2023 7:00:00 PM

SUBJECT: Apache Log4j (also called Log4Shell) Vulnerability CVE-2021-44832

CRITICALITY: Extremely Critical.

OVERVIEW:  On December 9, 2021, security researchers discovered a critical vulnerability in a widely  used, Java-based software library called Log4J. As the name suggests, Log4J is used  for logging requests, and it is estimated that the vulnerability may be present in over 100  million instances around the world.  

The widespread inclusion of this component as a direct or indirect dependency means  that even when you identify and patch systems you directly develop or manage, it is  possible that the vulnerability still exists in your environment as an indirect dependency  used by some other dependency. Further, the code may not even appear as a separate  file but may be incorporated into the jar file of some other component.

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2  and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker  can execute remote code on the server with the same privileges as the Java-based  application that invoked Apache Log4j v2, when message lookup substitution is  enabled. This allows the attacker to take full control of the vulnerable system.

It is important to identify and patch all systems with the Log4Shell vulnerability. In some  cases, vendors have mitigated the vulnerability, but end users must still take actions to  fully implement the fix. If vulnerable systems have been exposed to the internet,  patching will prevent future exploitation, but will not eradicate malware already present  on compromised systems. Due to the ease of exploitation, and the fact that attackers  exploiting the Log4J vulnerability can gain full control of compromised systems, it is  highly recommended that vulnerable systems be investigated for indicators of  compromise.

THREAT INTELLIGENCE:

The first active exploitation of this vulnerability in the wild has been reported as of  December 1, 2021. Exploit code is publicly available for this vulnerability.

SOLUTION:

In order to mitigate Log4j vulnerabilities in solution stacks that accept data from the  internet, immediately apply appropriate patches (or apply workarounds if unable to  upgrade), conduct a security review, and report compromises to your insurance  company claims contact number at: (855) 440-3400. Please double check that this is  the same claims number that is listed on your policy. 

To reduce the risk posed by the Log4Shell vulnerabilities, please take the following  steps:

  1. Identify assets affected by Log4Shell and other Log4j-related vulnerabilities,
  2. Upgrade Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and
  3. Initiate hunt and incident response procedures to detect indicators of compromise via  Log4Shell exploitation. 
  4. Immediately identify, mitigate, and update affected products that use Log4j to the latest  patched version. Apache Log4j 2 can be downloaded here. 

a. For environments using Java 8 or later, upgrade to Log4j version 2.17.1 (released  12/28/2021) or newer. 

b. For environments using Java 7, upgrade to Log4j version 2.12.4 (released 12/28/2021).

c. For environments using Java 6, upgrade to Log4j version 2.3.2 (released 12/28/2021). 

Note: Limit Java Naming and Directory Interface (JNDI) data source names to the java protocol in  Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.  

Note: Java 6 and Java 7 are currently end of life. Organizations should upgrade to Java 8. 3. Inform your end users of products that contain these vulnerabilities and strongly urge them  to prioritize software updates. 

Note: CISA is actively maintaining a GitHub page and repository with patch information for  products known to be affected by Log4Shell. CISA has also notified ICS vendors that may  be affected and has asked them to confirm any assets affected by Log4Shell and to apply  available mitigations. 

REFERENCES: 

Apache Log4j Security Vulnerabilities: 
https://logging.apache.org/log4j/2.x/security.html

Download Apache Log4j 2 
https://logging.apache.org/log4j/2.x/download.html

NIST National Vulnerability Database CVE-2021-44228 Detail 
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Cybersecurity & Infrastructure Security Agency (CISA) 
Apache Log4j Vulnerability Guidance 
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

CISA Log4j (CVE-2021-44228) Affected Vendor & Software Listhttps://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md