x
URGENT MESSAGE: Log4j Zero-Day Vulnerability Response| Learn more
×
Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In CIS Hardened Images CIS Hardened Images Support CIS Support


Why CIS

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world



About Us Leadership Principles Testimonials

Solutions

secure your organization
Secure Your Organization


secure specific platforms
Secure Specific Platforms


cis securesuite CIS SecureSuite® Learn More      Apply Now  
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments


View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities



CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers

Resources

resources
Resources


learn
Learn


filter by topic
Filter by Topic


View All Resources  
CIS Logo Show Search Expand Menu

A Vulnerability in Apache Log4j Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2021-158

DATE(S) ISSUED:

12/10/2021

OVERVIEW:

A vulnerability has been discovered in Apache Log4j, a very ubiquitous logging package for Java. Successful exploitation of this vulnerability could allow for arbitrary code execution within the context of the systems and services that use the Java logging library, including many services and applications written in Java. Depending on the privileges associated with these systems and services, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If these systems and services have been configured to have fewer user rights, exploitation of this vulnerability could have less impact than if they were configured with administrative rights.

THREAT INTELLIGENCE:

According to numerous open source reports, Log4j is used with Apache software like Apache Struts, Solr, Druid, along with other technologies. Many websites of manufacturers and providers have been found to be affected including Apple, Twitter, Steam, Tesla and more. Threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or trivial POST form data. In addition, it has been reported that organizations are already seeing signs of exploitation in the wild with further attempts on other websites likely.

SYSTEMS AFFECTED:

  • Apache Log4j between versions 2.0 and 2.14.1
  • Apache Log4j 1.2 (EOL) and prior (CVE-2021-4104)
  • Apache Log4j between versions 2.0 and 2.16.0 (CVE-2021-45105)

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
HIGH

TECHNICAL SUMMARY:

A vulnerability has been discovered in Apache Log4j, a very ubiquitous logging package for Java. This vulnerability resides in the JNDI lookup feature of the log4j library. The JNDI lookup feature of log4j allows variables to be retrieved via JNDI - Java Naming and Directory Interface. This is an API that provides naming and directory functionality to Java applications. While there are many possibilities, the log4j API supports LDAP and RMI (Remote Method Invocation).

Successful exploitation of this vulnerability could allow for arbitrary code execution within the context of the systems and services that use the Java logging library, including many services and applications written in Java. Depending on the privileges associated with these systems and services, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If these systems and services have been configured to have fewer user rights, exploitation of this vulnerability could have less impact than if they were configured with administrative rights.

December 20th – UPDATED TECHNICAL SUMMARY:
Two new vulnerabilities have been discovered in Apache Log4j. These include CVE-2021-4104 & CVE-2021-45105:

  • CVE-2021-4104 involves an untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0). This issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. The impact to confidentiality, integrity and availability is high, but the attack complexity is much higher for a successful exploitation as it requires a non-default configuration.
  • CVE-2021-45105 is a denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0).

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the latest patches (version 2.15.0) provided by Apache after appropriate testing.
  • Run all systems and services as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Apply the Principle of Least Privilege to all systems and services.

December 13th – UPDATED RECOMMENDATIONS:

  • Run the “Log4Shell” Vulnerability Tester provided by Huntress to test whether your applications are vulnerable to CVE-2021-44228 (please see references for the Huntress link).
  • Check the GitHub repository listed in the reference section to see all the Security Advisories & Bulletins related to CVE-2021-44228, which include applications affected, version numbers, and the associated patches that should be implemented if you have the affected version in your environment.

December 14 - UPDATED RECOMMENDATIONS:

  • The previous patch iteration 2.15.0 does not fully remediate the vulnerability, and thus it is recommended to apply the latest patch (version 2.16.0)

December 20th – UPDATED RECOMMENDATIONS:

  • Apache has released log4j version 2.17.0 due to two new vulnerabilities being discovered (CVE-2021-45105 and CVE-2021-4104). It is recommended to apply the latest patch (version 2.17.0).
  • We have released a CIS Log4j Response Resource Page, which includes the most up to date information regarding our Log4j Vulnerability response and the proper mitigations that should be taking place in your environment. It also includes a play book outlining the actions that should be taken for detecting, analysis, patching, and reaching out to the MS-ISAC for additional assistance regarding Log4j.

REFERENCES:

SANS Technology Institute:
https://isc.sans.edu/diary/28120
Huntress Log4Shell Tool:
https://log4shell.huntress.com/

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0

Pencil Newsletter 13 Jan 2022
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0

Pencil Blog post 12 Jan 2022