Significant Cyber Event | Log4j Zero-day With Proof-of-Concept Code and Active Scanning Gets Security Fix

12.18.21 Update

Following CVE-2021-45105, the recommendation is now to update to 2.17.0 if running Java version 8 or later. Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect against uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3. For the latest Log4Shell updates and additional mitigation steps for customers running Java 7, or for customers unable to update at this time, read the updates below.

12.14.21 Update

Because the fix for CVE-2021-44228 was incomplete and CVE-2021-45046 was subsequently published, deepwatch recommends that customers upgrade to version 2.16.0 if running Java version 8 or later. Additional mitigation steps for customers running Java 7, or for customers unable to update at this time, can be found below.

Apache released a security update stating that, in some non-default configurations, the fix for CVE-2021-44228 in Apache Log4j 2.15.0 was found to be incomplete. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup or a Thread Context Map pattern, threat actors with control over MDC input data could craft malicious input using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack.

12.11.21 Update

Since the 12.10.21 update, deepwatch has released and enabled a new alert to detect the Log4j vulnerability for customers. deepwatch Squads and Threat Operations teams are working with customers to mitigate their security risks with regard to this vulnerability.

12.10.21 Update

Since this blog’s initial publication, the deepwatch Threat Intel Team has learned that multiple sources are now reporting the active exploitation of CVE-2021-44228. In response, deepwatch has identified multiple detections that may observe possible exploitation, to ensure visibility across our customer base and to have detections in place moving forward. In addition, deepwatch proactively searched in our customer environments for possible exploitation attempts.

Key Points:

  • The Apache Software Foundation has issued an emergency security update to the Java library Log4j after a security researcher released proof-of-concept code and reports of active scanning for vulnerable servers.
  • This vulnerability affects all versions from 2.0-beta9 to 2.14.1, has a severity score of 9.8 on the CVSSv3 severity scale, and provides the threat actor with remote code execution capabilities.
  • The deepwatch Threat Intel Team assesses with high confidence that threat actors will exploit this vulnerability, because a PoC has been released and two separate cybersecurity firms report that servers are being actively scanned for it. Therefore it is imperative that all organizations update Log4j to 2.15.0 as soon as possible.

Summary

The Apache Software Foundation has issued an emergency security update to Log4j, the Java library that provides logging capabilities, to address a zero-day vulnerability known as Log4Shell. The vulnerability, tracked as CVE-2021-44228, had proof-of-concept code (PoC) disclosed December 9th on Twitter. Multiple threat actors are already scanning for apps that may be vulnerable to the Log4Shell attack, according to reports from security firms Bad Packets and Greynoise. Because a PoC has been released and vulnerable servers are being actively scanned for, server owners will have a limited time to patch before they are actively exploited.

This vulnerability provides a threat actor with remote code execution (RCE) capabilities, and the Cybersecurity and Infrastructure Security Agency states in their Current Activity Advisory that “A remote attacker could exploit this vulnerability to take control of an affected system.” This vulnerability affects all versions from 2.0-beta9 to 2.14.1. Since the flaw is remotely exploitable and requires little technical skill to execute, this is a critical vulnerability with a severity score of 9.8 on the CVSSv3 severity scale.

 Source: https://chandanbn.github.io/cvss/#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Almost all of the Apache Software Foundation’s enterprise products, including Struts, Flink, Druid, Flume, Solr, Kafka, Dubbo, and possibly others, include the vulnerable Java library, Log4j.

In addition, other open-source projects such as Redis, ElasticSearch, Elastic Logstash, the National Security Agency’s Ghidra, and others use it in some way. Inherently, any company that uses one of these products is indirectly vulnerable to the Log4Shell RCE exploit.

CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups option in the library’s configuration is set to false, according to p0rz9, the Chinese security researcher who first posted the exploit code online. 

Heige, the founder and CEO of Chinese security firm KnownSec 404 Team and one of the first researchers to understand the vulnerability’s impact, said in a statement to The Record, “that today’s Log4j 2.15.0 release basically sets this option to true in order to block attacks. Log4j users who update to the 2.15.0 version but then set this flag back to false will remain vulnerable to attacks. Similarly, Log4j users who can’t update but set the flag to true can block attacks even on older versions.” 

Unfortunately, this option is set to false by default in older Log4j releases, making all previous Log4j releases vulnerable by default since 2.10.0, when this option was added.

deepwatch Threat Intelligence Outlook

The deepwatch Threat Intel Team assesses with high confidence that threat actors will exploit this RCE vulnerability due to a PoC being released and reports from two independent cybersecurity firms that servers are being actively scanned for this vulnerability. Due to the severity of this vulnerability, reporting of active scanning, the prevalence of this vulnerable Java library across enterprises, and PoC released, all organizations are highly encouraged to update Log4j to 2.15.0 as soon as possible. If you cannot update at this time, it is recommended that organizations set the library’s configuration option for log4j2.formatMsgNoLookups to true.
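
To find which deployed copies need the update, the following added example (not deepwatch's or Apache's code) walks an application archive, nested JARs included, and labels each log4j-core copy with the CVEs this page lists for its version. It assumes the version is readable from the Maven pom.properties entry inside the JAR; the function names are hypothetical, and releases published after the 12.18.21 update are not modelled.

```python
import io
import re
import sys
import zipfile

# Maven records the artifact version in this entry inside log4j-core jars.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
PRE = {"alpha": 0, "beta": 1, "rc": 2}

def vkey(text):
    """Sortable key for '2.0-beta9' or '2.14.1'; pre-releases sort before releases."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0), PRE.get(tag, 3), int(num or 0))

def cves_for(version):
    """CVEs this page lists for a log4j-core version (ranges as of its 12.18.21 update)."""
    v, found = vkey(version), []
    # 2.12.2 (not named on this page) and 2.12.3 are the Java 7 backport releases.
    if vkey("2.0-beta9") <= v <= vkey("2.14.1") and version not in ("2.12.2", "2.12.3"):
        found.append("CVE-2021-44228")  # remote code execution
    if v == vkey("2.15.0"):
        found.append("CVE-2021-45046")  # incomplete fix, non-default configurations
    if vkey("2.0-alpha1") <= v <= vkey("2.16.0") and version != "2.12.3":
        found.append("CVE-2021-45105")  # uncontrolled recursion, denial of service
    return found

def scan(archive, name="<root>"):
    """Yield (location, version, cves) for every log4j-core copy, including nested archives."""
    with zipfile.ZipFile(archive) as zf:
        for entry in zf.namelist():
            if entry == POM:
                props = zf.read(entry).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                if m:
                    yield name, m.group(1), cves_for(m.group(1))
            elif entry.lower().endswith((".jar", ".war", ".ear")):
                try:
                    yield from scan(io.BytesIO(zf.read(entry)), f"{name}!{entry}")
                except zipfile.BadZipFile:
                    continue  # not a real archive; skip rather than abort the scan

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for hit in scan(path, path):
            print(*hit)
```

Copies whose pom.properties was stripped during repackaging are not reported, so an empty result is not proof that Log4j is absent.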

Resources

Apache Software Foundation Advisory – https://logging.apache.org/log4j/2.x/security.html

Vulnerability Details – https://nvd.nist.gov/vuln/detail/CVE-2021-44228
