14.12.2021

Apache Log4j: a zero-day threat to investigate

Security

A critical Apache Log4j vulnerability has been reported to the Restena-CSIRT. Research and education institutions in Luxembourg are invited to apply current and future security patches.

Early December 2021, the Restena Foundation’s Computer Security Incident Response Team (CSIRT) received reports about a critical vulnerability affecting the Apache Log4j logging library. 

Large-scale vulnerability

The Apache Log4j vulnerability has been published as CVE-2021-44228. The exploit allows attackers to remote code execution and can be used to gain control of the machine. A priori, it is exploited in the wild, as the exploit is very simple to execute. A Proof of Concept (POC) has also been published.

Apache Log4j vulnerability criticality has been assessed using the Common Vulnerability Scoring System (CVSS) and received a score of 10.0, out of 10. 

It affects everybody as it is a commonly used open-source logging framework for Java. Impacted vendors are, among others: Apple, Steam, Twitter, Cloudflare, Amazon, Tesla, multiple Apache frameworks, Kafka, Webex, VMware, Cisco.  

Recommendations 

All research and education institutions are potentially impacted by this vulnerability. They are therefore encouraged to investigate this zero-day threat and take appropriate action by reviewing logs for impacted applications on suspect behavior and patch if possible.

1. Verify if you are affected! 

Ask your commercial vendors if they use log4j and if they can provide patches! If patching is not possible, we propose the following mitigation measures:

  • In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. 
  • For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. 
  • For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

2. Upgrade to log4j-2.16.0

3. Apply any upcoming security patches as soon as possible:

The affected library is used by numerous servers, appliances and even desktop software.

Informations complémentaires

Liens

‘CVE-2021-44228 Detail' published on National Institute of Standards and Technology website
‘Apache Log4j Security Vulnerabilities’ published on the Apache Software Foundation Wiki

Contact

csirt@restena.lu