16 December 2021 Update: There have been several notable updates since this blog was published. Please see part 2 of the blog which includes information on another vulnerability which was fixed in version 2.16.0 of Log4j. Log4j 2.15.0 which was recommended here may still be vulnerable under certain non-default configurations.
On 6 December 2021, Apache Software Foundation released an urgent fix for a critical vulnerability in Apache Log4j. Since then, multiple sources reported active scanning for this flaw heightening the risk of immediate exploitation of vulnerable systems. We recommend updating the affected product to the latest version as soon as possible and, as required, following additional mitigation advice provided by Apache.
Details
Apache log4j2 version log4j-2.15.0-rc2 contains an out-of-band security update that fixes a critical flaw in Log4j. The vulnerability, tracked as CVE-2021-44228 and known by the names of Log4Shell or LogJam, is rated with a maximum Base CVSS Score of 10. With this vulnerability, a threat actor could perform Remote Code Execution (RCE) by constructing a special data request packet and gaining full control of the server.
Proof-of-concept (POC) implementation for this CVE is publicly available on GitHub. Several reports have emerged indicating that threat actors are already scanning the internet in an attempt to locate vulnerable servers. The researcher who published the POC stated that the flaw can only be exploited when ‘log4j2.formatMsgNoLookups’ option in the library’s configuration is set to false.
The feature causing this vulnerability has been disabled by default in version 2.15.0. The original version of the fix, log4j-2.15.0-rc1, was reported to be insufficient, and log4j-2.15.0-rc2 was issued to correct it. Several workarounds are available for those who are unable to fix the vulnerability now.
Apache Log4j is a Java-based logging framework used by multiple internet services and third-party applications, which are reported to be affected by this flaw, including:
- Apple iCloud, Tencent, Steam, Twitter, Baidu, DIDI,JD, NetEase, CloudFlare, Amazon, and Tesla.
- Apache Solr, Apache Druid, Apache Flink, Apache Struts2, Flume, Dubbo, Redis, Logstash, ElasticSearch, Kafka, Ghidra, and Minecraft.
- Depending on the specifics of each application, Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are reported to be less affected by this attack vector.
Recommendations
- We strongly advise following Apache’s guidance and updating the affected product to the latest version (Apache log4j2 version log4j-2.15.0-rc2) as soon as possible.
- We recommend reviewing the list of mitigations provided by Apache and applying them in the event that you are unable to apply the updates immediately. One of the mitigations listed is setting ‘log4j2.formatMsgNoLookups’ to True. This may impact the behavior of your system’s logging if it relies on Lookups for message formatting.
- We also recommend monitoring for third-party updates and applying them when they become available.
References
