UPDATE 3: Threat Response – Remote Code Execution vulnerability in Java Log4j Library

15-12-2021

Last Friday, 10 December 2021, we informed you about a new Remote Code Execution (RCE) vulnerability in the Java library "Apache Log4j 2" [1]. The vulnerability is tracked as CVE-2021-44228 [2]. New information regarding this vulnerability has come to light, which changes our advice on actions. Furthermore, the Northwave CERT is assisting customers who have been hit by breaches that started through Log4j, which corroborates the general picture in the security community that this vulnerability is actively being exploited in the wild.

Updates

Yesterday we told you that we no longer considered Log4j 2.15 secure. That has now been confirmed: Log4j 2.15 suffers from other vulnerabilities related to JNDI [3, 4]. Northwave advises upgrading Log4j to version 2.16. This also means that if your vendor patched to version 2.15, you should request that they upgrade to 2.16 and verify that they have done so.

The new vulnerabilities in 2.15 also mean that the previously mentioned mitigations do not suffice. See below for updated mitigation steps.

If you are unsure of what to do, you can refer to the decision tree at https://log4shell.northwave.nl/. We have updated it accordingly.

Edit 2021-12-16: This paragraph previously mentioned that the VMware workaround instructions for vCenter 6.7 were insufficient. Further investigation together with VMware shows that our conclusions about the Update Manager mitigation steps were incorrect. Since the workaround instructions by VMware have been subject to change in the past few days based on new insights, we recommend that VMware customers double-check whether they have performed all of the current instructions as referenced in VMSA-2021-0028.3.

Additionally, the various potential ways to exploit this vulnerability mean that we no longer consider a network scan a good approach to checking whether you are vulnerable. A filesystem scan should be run instead to check whether Log4j packages are present. For our latest recommendations on this, see https://log4shell.northwave.nl.

Mitigation

A new version of Log4j, version 2.16.0, is available at this moment [5].

If any of the applications you have built yourself contain the Log4j package, we urgently advise upgrading to the newest version and deploying the new package.

For third-party applications you are using, we advise contacting the vendor for any updates.

If upgrading is not possible at this very moment, the following mitigation alternatives exist:

  1. All versions:
    1. Remove the class "JndiLookup" from the Java classpath (e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)
  2. All versions < 2.16:
    1. Consider taking the applications offline
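As an added example (not Northwave's tooling), the filesystem scan recommended above in Python: it walks a directory for .jar/.war/.ear files, descends into archives nested inside them (fat jars, WARs), reads log4j-core's version from its Maven pom.properties and checks whether JndiLookup.class is still present, so it also verifies that the "All versions" mitigation was applied. The archives built with make_zip are constructed for the demo and are not real jars.

```python
import io
import os
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # target of the zip -d mitigation
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 16, 0)  # first release the advisory considers safe

def parse_version(text):
    """(major, minor, patch) from a pom.properties body; None unless it is a plain x.y.z."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)\s*$", text, re.M)
    return tuple(int(g) for g in m.groups()) if m else None

def assess(data, path):
    """Yield one finding per log4j-core in an archive (bytes), recursing into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # not a zip (or truncated): nothing to report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            has_jndi = JNDI_CLASS in names  # False once JndiLookup.class was removed
            yield {"path": path, "version": version, "jndi_lookup": has_jndi,
                   "vulnerable": has_jndi and (version is None or version < FIXED)}
        for name in sorted(n for n in names if n.lower().endswith(ARCHIVE_EXT)):
            yield from assess(zf.read(name), path + "!" + name)  # fat jars, WARs, EARs

def scan_tree(root):
    """Filesystem scan: findings for every archive below root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(ARCHIVE_EXT)):
            with open(os.path.join(dirpath, name), "rb") as fh:
                findings.extend(assess(fh.read(), os.path.join(dirpath, name)))
    return findings

def make_zip(entries):  # constructed-fixture helper: in-memory archive from {name: str|bytes}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":  # constructed demo (not a real jar): unpatched 2.14.1 inside a fat jar
    inner = make_zip({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    print(list(assess(make_zip({"BOOT-INF/lib/log4j-core-2.14.1.jar": inner}), "app.jar")))
```

A 2.15 jar is reported as vulnerable unless JndiLookup.class is gone, and a version that cannot be parsed is treated as vulnerable when the class is present.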

What will Northwave do?

For Northwave SOC customers using NIDS, or Endpoint Monitoring based on ESET or Microsoft Defender for Endpoint, Northwave is able to detect exploitation attempts. For detection on endpoints to be possible it is required to have the EDR agent (ESET or Defender for Endpoint) installed on the vulnerable host. Northwave is continuously updating the detections based on the latest information. Northwave Vulnerability Management customers will be informed if vulnerable Log4j instances are detected in their infrastructure.

Northwave considers the previously mentioned network scan insufficient to check whether you are vulnerable. We advise a filesystem scan in order to check whether Log4j is in use. Northwave will monitor any developments regarding this vulnerability. We will continuously update our page at https://log4shell.northwave.nl/ with developments around this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information, you can call us by phone or send us an email.

E-mail: [email protected]

Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Sources

[1]: https://logging.apache.org/log4j/2.x/

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228, https://www.randori.com/blog/cve-2021-44228/

[3]: https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/

[4]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

[5]: https://logging.apache.org/log4j/2.x/download.html

[6]: https://kb.vmware.com/s/article/87081?lang=en_US


Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.