Log4j update – Apache releases the third patch to address a new Log4j Vulnerability
by CIRT Team
Log4j is an open-source logging framework developed by the Apache Foundation which is incorporated into many Java-based applications on both servers and end-user systems.
A series of vulnerabilities in the popular Java-based logging library Log4j is under active exploitation by multiple threat actors.
The current list of vulnerabilities and recommended fixes are listed here:
CVE-2021-44228 (CVSS score: 10.0- CRITICAL) – Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI-related endpoints.
A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1. Fixed in Log4j 2.15.0 (Java 8).
Reference: https://logging.apache.org/log4j/2.x/security.html
CVE-2021-45046 (CVSS score: 9.0 – CRITICAL) – Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
Affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2. Fixed in Log4j 2.12.2 (Java 7) and Log4j 2.16.0 (Java 8).
Reference:https://logging.apache.org/log4j/2.x/security.html
CVE-2021-45105 (CVSS score: 7.5 – HIGH) – Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.
When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control
over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError
that will terminate the process. This is also known as a DOS (Denial of Service) attack.
Affecting Log4j versions from 2.0-beta9 to 2.16.0. Fixed in Log4j 2.17.0 (Java 8).
Reference: https://logging.apache.org/log4j/2.x/security.html
Recommended action:
It is suggested to follow the advice of Apache and install the latest updates immediately. Organizations should update both internet-facing and non-internet facing software.
Enumerate unknown instances of Log4j within the Organization.
Deploy protective network monitoring/blocking. Organizations using Web Application Firewalls (WAFs) should ensure rules are available to protect against this vulnerability.
Reference URLs:
https://logging.apache.org/log4j/2.x/security.html
https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures
https://www.ncsc.gov.uk/news/apache-log4j-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
Published: 21 December 2021, 16:06:44 BST
Recommended Posts
Active Exploitation of Critical F5 BIG – IP Vulnerability (CVE–2023-46747) Uncovered in Bangladesh
06 Nov 2024 - Security Advisories & Alerts