
Threat Response: UPDATE 2: Threat Response – Remote Code Execution vulnerability in Java Log4j Library

14-12-2021

Last Friday, 10 December 2021, we informed you about a new Remote Code Execution (RCE) vulnerability in the Java library ‘Apache Log4j 2’ [1]. The vulnerability is tracked as CVE-2021-44228 [2]. New information regarding this vulnerability has come to light.

Updates

Previously, version 2.15 of Log4j was thought to be secure and not vulnerable. Northwave has received information that this version is still vulnerable to multiple bypasses that allow attackers to exploit this vulnerability. This is also indicated by multiple public sources [5,6], but is as of now unconfirmed. To reduce the probability of compromise, Northwave advises upgrading Log4j to version 2.16.

If you are using version 1.x of Log4j in a non-standard configuration you might be vulnerable to a different JNDI-related vulnerability [7].

Additionally, the previous update to this Threat Response contained a typo in a temporary mitigation step: it erroneously said log4j.formatMsgNoLookups=true instead of log4j2.formatMsgNoLookups=true. See below for the full mitigation steps.
If you are unsure of what to do, you can refer to the decision tree at https://log4shell.northwave.nl/.

Edit 2021-12-16: This paragraph previously stated that the VMware workaround instructions for vCenter 6.7 were insufficient. Further investigation together with VMware shows that our conclusions about the Update Manager mitigation steps were incorrect. Since the workaround instructions by VMware have been subject to change in the past few days based on new insights, we recommend that VMware customers double-check whether they have performed all of the current instructions as referenced in VMSA-2021-0028.3.

Mitigation

A new version of Log4j, version 2.16.0, is now available [3].

If any of the applications you have built yourself contain the Log4j package, we urgently advise upgrading to the newest version and deploying the new package.

For third-party applications you are using, we advise contacting the vendor for updates.

If upgrading is not possible at this moment, the following mitigation alternatives exist:

  1. For Log4j versions 2.10 and higher, temporary mitigation is possible by setting a system property on the Java Virtual Machine running the application:
    1. log4j2.formatMsgNoLookups=true
  2. For Log4j versions 2.7 and higher, the following can be added to the PatternLayout configuration:
    1. %m{nolookups}
  3. All versions:
    1. Remove the class “JndiLookup” from the Java classpath (e.g. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class)
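The three mitigations above each leave a trace that can be verified after the fact: the log4j-core version recorded in the JAR, the presence or absence of the JndiLookup class, and the system property on the JVM command line. The following Python script is an added example, not part of this Threat Response or of Northwave's tooling: it inventories log4j-core JARs and classifies them as upgraded (2.16.0 or later), mitigated by class removal, or still vulnerable, and checks a JVM command line for the correct property name versus the mistyped log4j.formatMsgNoLookups from the earlier update. The JAR entry paths are the real ones used by log4j-core; the sample JARs, the command lines and the status labels are constructed for this example.

```python
import io
import re
import shlex
import zipfile
from pathlib import Path

# Real entry paths inside log4j-core JARs (the class path matches the zip -q -d command above).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# System property named in the advisory, and the mistyped variant that has no effect.
CORRECT_PROPERTY = "log4j2.formatMsgNoLookups"
MISTYPED_PROPERTY = "log4j.formatMsgNoLookups"
FIXED_VERSION = (2, 16, 0)


def parse_version(pom_properties: str):
    """Return the log4j-core version from pom.properties as a 3-tuple, or None if absent."""
    match = re.search(r"^version=([0-9][0-9.]*)", pom_properties, re.MULTILINE)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split(".") if p)
    while len(parts) < 3:  # "2.16" compares equal to "2.16.0"
        parts += (0,)
    return parts


def classify_jar(jar_bytes: bytes) -> str:
    """Classify one log4j-core JAR against the advisory's upgrade and class-removal mitigations."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(jar.read(POM_PROPERTIES).decode("utf-8", "replace"))
        jndi_present = JNDI_LOOKUP_CLASS in names
    if version is not None and version >= FIXED_VERSION:
        return "upgraded"
    if not jndi_present:
        return "mitigated-class-removed"
    if version is None:
        return "vulnerable-unknown-version"
    return "vulnerable"


def jvm_flag_status(command_line: str) -> str:
    """Check whether a JVM command line carries the advisory's system property (case-insensitive)."""
    args = [a.lower() for a in shlex.split(command_line)]
    if f"-d{CORRECT_PROPERTY.lower()}=true" in args:
        return "flag-set"
    if any(a.startswith(f"-d{MISTYPED_PROPERTY.lower()}=") for a in args):
        return "flag-mistyped"
    return "flag-missing"


def scan_directory(root: Path) -> dict:
    """Real-world entry point: classify every log4j-core*.jar below root."""
    return {str(p): classify_jar(p.read_bytes()) for p in root.rglob("log4j-core*.jar")}


def make_jar(version, include_jndi_lookup: bool) -> bytes:
    """Constructed sample: a minimal JAR holding only the two entries the checks inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version:
            jar.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed sample JARs, not real artifacts
        "log4j-core-2.14.1.jar": make_jar("2.14.1", True),
        "log4j-core-2.14.1-stripped.jar": make_jar("2.14.1", False),
        "log4j-core-2.16.0.jar": make_jar("2.16.0", True),
        "log4j-core-unknown.jar": make_jar(None, True),
    }
    for name, data in samples.items():
        print(f"{name}: {classify_jar(data)}")
    for cmd in ("java -Dlog4j2.formatMsgNoLookups=true -jar app.jar",
                "java -Dlog4j.formatMsgNoLookups=true -jar app.jar"):
        print(f"{cmd}: {jvm_flag_status(cmd)}")
```

The JAR classification is intentionally conservative: a JAR with an unreadable version and the JndiLookup class present is reported as vulnerable until proven otherwise. The system-property check only tells you the flag is present; per the list above it only helps on 2.10 and higher, so pair its result with the version found in the JAR, and treat a mistyped property name as no mitigation at all.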

What will Northwave do?

For Northwave SOC customers using NIDS, or Endpoint Monitoring based on ESET or Microsoft Defender for Endpoint, Northwave is able to detect exploitation attempts. For detection on endpoints to be possible it is required to have the EDR agent (ESET or Defender for Endpoint) installed on the vulnerable host. Northwave is continuously updating the detections based on the latest information. Northwave Vulnerability Management customers will be informed if vulnerable Log4j instances are detected in their infrastructure.

Northwave can perform a check on external URLs to test whether your environment is vulnerable. Please contact the SOC with the specific URLs to perform the check on. Please note that the script only performs two specific checks: the User-Agent header and the HTTP GET request. There could be cases where other headers, specific input fields, etc. need to be targeted to trigger the vulnerability.

Northwave will monitor any developments regarding this vulnerability. We will continuously update our page at https://log4shell.northwave.nl/ [4] with developments around this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909

Disclaimer applies, see below.

Sources

[1]: https://logging.apache.org/log4j/2.x/

[2]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 and https://www.randori.com/blog/cve-2021-44228/

[3]: https://logging.apache.org/log4j/2.x/download.html

[4]: https://log4shell.northwave.nl/

[5]: https://issues.apache.org/jira/plugins/servlet/mobile#issue/LOG4J2-3221

[6]: https://github.com/apache/logging-log4j2/pull/608

[7]: http://slf4j.org/log4shell.html

[8]: https://kb.vmware.com/s/article/87081?lang=en_US

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.