A critical zero-day vulnerability (CVE-2021-44228) was recently discovered in Apache Log4J, the popular Java open source logging library used in countless worldwide applications.
The maximum severity vulnerability has been identified as ‘Log4Shell’, which, if exploited, could permit a remote attacker to take control of vulnerable systems and execute arbitrary code remotely.
According to some security researchers, the flaw is the most serious discovered in the past decade due to its ease of exploitation and the sheer number of affected enterprise applications and cloud services. It is the most high-profile security vulnerability on the internet right now and comes with a severity score of 10, the maximum severity rating possible.
After Log4Shell, security researchers identified a few more vulnerabilities in the same Log4j library. These new vulnerabilities are – CVE-2021-45046 – a Remote code execution, CVE-2021-45105 – a denial of services and CVE-2021-4104 – a remote code execution.
Apache addressed this vulnerability by releasing a patch and security advisory with mitigation details.
What is Apache Log4J “Log4Shell” vulnerability?
Log4j is an open-source Java-based logging utility in the Apache Logging Services. Logging untrusted or user-controlled data with a vulnerable version of Log4J may result in Remote Code Execution (RCE) against your application. This includes untrusted data provided in logged errors such as exception traces, authentication failures, and other unexpected vectors of user-controlled input.
Invulnerable Log4j, an unauthenticated, remote attacker, could exploit it by sending a specially crafted JNDI injection request to a target server and writing in a log file, leading to arbitrary code execution. This allowed attackers to inject malicious payloads from LDAP servers or other JNDI services such as DNS, RMI, NIS, NDS, CORBA, and IIOP when the message lookup mechanism is enabled.
- Impacted Log4j versions: All versions from 2.0-beta9 to 2.14.1
- Severity: Critical
Why is the “Log4Shell” vulnerability critical?
An unauthenticated, remote attacker can exploit this vulnerability in simple web requests that target identified vulnerable systems. Successful exploitation could lead to arbitrary code execution, and the attacker can take complete control of the system.
Apache Log4j is widely used in cloud and enterprise software services, so publicly available exploits code, easy exploitations & detection evasions techniques make this vulnerability very dangerous.
CVE-2021-45046, CVE-2021-45105, CVE-2021-4104 in log4j:
CVE-2021-45046 is Affecting versions from 2.0-beta9 to 2.15.0 excluding 2.12.2. Initially identified as “Low” severity, it is later moved to “Critical” remote code execution vulnerability. Logging configuration with non-default Pattern Layout with Context Lookup & control over Thread Context Map (MCD) pattern, the attacker can craft malicious input using JNDI Lookup pattern, which could lead to DOS or an information leak and remote code execution.
- Impacted Log4j versions: All versions 0-beta9 to 2.15.0 excluding 2.12.2
- Severity: Critical
CVE-2021-45105 is affecting Log4j versions from 2.0-beta9 to 2.16.0 wherein non-default configuration. The attacker can send crafted requests with recursive lookup, which control Thread Context Map data to cause a denial-of-service vulnerability.
- Impacted Log4j versions: All versions from 2.0-beta9 to 2.16.0
- Severity: High
CVE-2021-4104 is affecting Log4j version 1.2 when Log4j is configured to use JMSAppender to perform JNDI requests which can cause remote code execution.
- Impacted Log4j versions: version 1.2
- Severity: High
Mitigation of “Log4Shell”
- Immediately update to the latest Apache Log4j version from here.
- Please refer to Vendor Advisory.
- Update the Network security solutions and endpoints with the latest definitions.
Seqrite Coverage for “Log4Shell”
We have released IPS rules to identify and block remote attacks exploiting vulnerable Log4j installations. We’ll continue monitoring the developments around this threat and improve our detections if needed. We advise all our customers to patch their systems properly and keep the anti-virus software updated with the latest VDB updates.