This week brings more updates to the issues covered in our previous blogs describing vulnerabilities in Log4j, a Java-based logging utility. Apache has released Log4j version 2.17.0 to fix a recently discovered issue affecting Log4j version 2.16.0. This blog also includes new information on a previously reported vulnerability, and on a list of third-party applications with Log4j vulnerabilities compiled by the U.S. National Institute of Standards and Technology (NIST). As this is a constantly developing situation, we recommend monitoring the latest reports and vendor updates regularly and actioning the recommendations provided.
Details
CVE-2021-45046
Our blog of 16 December 2021 covered an incomplete fix of a Log4j vulnerability attempted with the Log4j version 2.15.0 release.
The problem in the 2.15.0 version, tracked as CVE-2021-45046, was originally assessed to be of low severity but has now been updated with a CVSS score of 9. The newly-discovered issue in version 2.15.0 allows information leakage and Remote Code Execution (RCE), but is limited to certain non-default configurations and specific conditions. Local code execution is possible on version 2.15.0 in all environments, regardless of configuration. Organizations running Log4j version 2.16.0 are protected against CVE-2021-45046, as this version removes support for message lookup patterns and disables JNDI functionality by default.
CVE-2021-45105
On 18 December, Log4j received a further update, version 2.17.0, to address a high-severity vulnerability allowing a denial-of-service (DoS) condition in Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3).
The issue, tracked as CVE-2021-45105, is rated with a CVSS score of 7.5. It was fixed in Log4j version 2.17.0 (for Java 8) and 2.12.3 (for Java 7).
This CVE describes another method that abuses non-JNDI lookups in logged data. It is separate from, and not a variant of, the original Log4Shell vulnerability.
Third Parties Affected
The National Institute of Standards and Technology (NIST) has now started adding Common Platform Enumeration (CPE) entries for the third-party applications and services affected by CVE-2021-45046, CVE-2021-44228, and CVE-2021-45105. These entries can be used to identify some of the vulnerable services in your environment.
Recommendations
We strongly advise following the guidance below and updating the affected products to the latest version as soon as possible.
Whether you have already updated Log4j to version 2.16.0 or are still running a version prior to 2.16.0, we recommend updating to 2.17.0 as soon as possible. Although version 2.16.0 does protect from the RCE vector, given the heightened interest in this set of vulnerabilities, systems may be targeted for the DoS condition as well. The 2.17.0 update fully remediates all of the currently known vulnerabilities in Log4j. When an update to log4j-core is applied, the other Log4j JAR files (e.g. log4j-api) need to be updated as well.
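To turn the update advice above into a repeatable check, the following script is an added example (it is not code from the original post or from the Apache Log4j project). It walks a directory tree, reads the Maven pom.properties descriptor that Log4j JARs carry under META-INF/maven/org.apache.logging.log4j/, and reports, per directory, any log4j-core below the fixed releases named here (2.17.0, or 2.12.3 on the Java 7 line) and any log4j-api whose version no longer matches log4j-core, which is what happens when only one of the two JARs is replaced. The three application directories built by run_demo() are constructed samples; point scan_tree() at a real application or container filesystem instead.

```python
"""Log4j 2 JAR inventory check (added example, not from the original advisory).

Reports per directory: log4j-core below the fixed release (2.17.0, or 2.12.3
on the Java 7 line) and log4j-core / log4j-api version mismatches.
The JARs built by run_demo() are constructed in memory for illustration.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Set, Tuple

FIXED_MAIN = (2, 17, 0)   # fixed release for Java 8, per the advisory
FIXED_JAVA7 = (2, 12, 3)  # fixed release on the Java 7 maintenance line

# Standard Maven descriptor path inside a Log4j JAR.
POM_PROPS_RE = re.compile(
    r"^META-INF/maven/org\.apache\.logging\.log4j/(log4j-[a-z0-9-]+)/pom\.properties$"
)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '2.0-alpha1' or '2.12.3' into a sortable key; a pre-release
    label (alpha, beta, rc) sorts below the final release with the same numbers."""
    numeric, _, tag = text.strip().partition("-")
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    return parts, (0 if tag else 1)


def is_fixed_core(version: str) -> bool:
    """True when a log4j-core version is at or beyond the advisory's fixed release."""
    key = parse_version(version)
    if key[0][:2] == (2, 12):          # Java 7 line: fixed from 2.12.3 onward
        return key >= (FIXED_JAVA7, 1)
    return key >= (FIXED_MAIN, 1)


def read_log4j_artifacts(jar_bytes: bytes) -> Dict[str, str]:
    """Return {artifactId: version} for every Log4j Maven descriptor in one JAR."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            match = POM_PROPS_RE.match(name)
            if not match:
                continue
            props: Dict[str, str] = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if "version" in props:
                found[match.group(1)] = props["version"]
    return found


def assess(artifacts: Dict[str, Set[str]]) -> List[str]:
    """Findings for the Log4j artifacts seen in one directory (empty = nothing to report)."""
    findings: List[str] = []
    cores = artifacts.get("log4j-core", set())
    apis = artifacts.get("log4j-api", set())
    for version in sorted(cores):
        if not is_fixed_core(version):
            findings.append(f"log4j-core {version} is below the fixed release; "
                            "update to 2.17.0 (2.12.3 on Java 7)")
    if cores and apis and cores != apis:
        findings.append(f"log4j-api {sorted(apis)} does not match log4j-core "
                        f"{sorted(cores)}; update both JARs together")
    return findings


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root`, group Log4j JARs by directory, return {relative dir: findings}."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        seen: Dict[str, Set[str]] = {}
        for fn in filenames:
            if fn.lower().endswith((".jar", ".war", ".ear")):
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    for artifact, version in read_log4j_artifacts(fh.read()).items():
                        seen.setdefault(artifact, set()).add(version)
        findings = assess(seen)
        if findings:
            report[os.path.relpath(dirpath, root).replace(os.sep, "/")] = findings
    return report


def make_jar(artifact: str, version: str) -> bytes:
    """Build a minimal in-memory JAR carrying a Log4j pom.properties (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/org.apache.logging.log4j/{artifact}/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId={artifact}\n")
    return buf.getvalue()


def run_demo() -> Dict[str, List[str]]:
    """Lay out three constructed application lib/ directories and scan them."""
    layout = {  # directory -> [(artifact, version)]
        "app-old/lib": [("log4j-core", "2.16.0"), ("log4j-api", "2.16.0")],
        "app-half/lib": [("log4j-core", "2.17.0"), ("log4j-api", "2.16.0")],
        "app-ok/lib": [("log4j-core", "2.12.3"), ("log4j-api", "2.12.3")],
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, jars in layout.items():
            os.makedirs(os.path.join(root, rel))
            for artifact, version in jars:
                with open(os.path.join(root, rel, f"{artifact}-{version}.jar"), "wb") as fh:
                    fh.write(make_jar(artifact, version))
        return scan_tree(root)


if __name__ == "__main__":
    for directory, findings in sorted(run_demo().items()):
        for finding in findings:
            print(f"{directory}: {finding}")
```

The check relies on the Maven descriptor rather than the JAR file name, so a renamed or repackaged log4j-core is still recognised; it does not look inside nested JARs (a WAR's WEB-INF/lib, or a shaded JAR that dropped the descriptor), so treat a clean result as a starting point for the vendor enquiries recommended below, not as proof of absence.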
We also recommend monitoring for third-party application updates and applying them when they become available.
For any products deployed on your network that are known to use Log4j but are not on the NIST list, we recommend contacting the vendor to inquire about the security status of their application in relation to this set of vulnerabilities.
We recommend reviewing the list of mitigations provided by the vendors and applying them in the event that you are unable to apply the updates immediately. Please keep in mind that these remediations only provide temporary and partial protection against this threat and should not be relied on as a replacement for a product update.
References
Apache Advisory
CISA Advisory
CVE-2021-44228
CVE-2021-45046
Limitations of CVE-2021-45046 Explained
NCSC-NL Advisory
Center for Internet Security Response Guide