Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users

<p>A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging.<sup>[1]</sup> The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.<sup>[2]</sup></p> <p>The Apache Software Foundation (ASF) rates CVE-2021-44228 as a 10 on the common vulnerability scoring system (CVSS) scale.<sup>[3]</sup> Log4Shell is a remote code execution (RCE) vulnerability that is exploited via improper deserialization of user input that is sent into the Log4j package framework.<sup>[4]</sup> Specifically, the vulnerability is located in the JNDI component of the LDAP connector.<sup>[5]</sup> A threat actor’s objective is to trick JNDI into connecting to an threat actor-controlled directory.<sup>[6]</sup> However, the exploitation reliability of Log4Shell is dependent on how the package is implemented.</p> <ul> <li><strong>Affected versions:</strong> log4j version 2.0-beta9 to version 2.14.1</li> <li><strong>Attack Complexity:</strong> Low</li> <li><strong>Privileges Required:</strong> None</li> <li><strong>User Interaction:</strong> Not required</li> </ul> <hr/> <h3>Update: December 28, 2021</h3> <h2>Overview</h2> <p>Another vulnerability, registered as CVE-2021-44832 was identified by Checkmarx researchers Yaniv Nizry and Liad Levy and released to the public on December 28, 2021.<sup>[7]</sup> The initial rollout of the vulnerability description by Apache stated that it was an RCE, however, Nizry tweeted that the vulnerability results in arbitrary code execution (ACE).<sup>[8]</sup> ACE requires previous access to execute code, while RCE does not require previous access or modification but can attack directly. As of this writing, only the Checkmarx blog is referring to CVE-2021-44832 as solely an arbitrary code execution (ACE) vulnerability, which requires an actor to already have permissions to conduct the attack.<sup>[9]</sup></p> <table class="table table-striped table-bordered"> <tbody> <tr> <td>CVE-2021-44832</td> </tr> <tr> <td>Arbitrary code execution (ACE) / RCE</td> </tr> <tr> <td>Severity: Moderate</td> </tr> <tr> <td>CVSS score: 6.6</td> </tr> <tr> <td>Affected versions: 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4</td> </tr> <tr> <td>NIST DOP: December 28, 2021</td> </tr> </tbody> </table> <hr/> <h3>Update: December 22, 2021</h3> <p>Three additional vulnerabilities related to the initial Log4Shell (CVE-2021-44228) vulnerability have been identified as security patches have rolled out, and threat actors familiarized themselves with this new attack vector. These vulnerabilities are:</p> <table class="table table-striped table-bordered"> <tbody> <tr> <td>CVE-2021-45046</td> <td>CVE-2021-4104</td> <td>CVE-2021-45105</td> </tr> <tr> <td>RCE</td> <td>RCE</td> <td>Denial-of-service</td> </tr> <tr> <td>Severity: Critical</td> <td>Severity: High</td> <td>Severity: High</td> </tr> <tr> <td>CVSS score: 9.0</td> <td>CVSS score: 8.1</td> <td>CVSS score: 7.5</td> </tr> <tr> <td>Affected versions: 2.0-beta9 to 2.15.0, excluding 2.12.2</td> <td>Log4j 1.2</td> <td>Affected versions: 2.0-beta9 to 2.16.0, excluding 2.12.3</td> </tr> <tr> <td>NIST DOP: December 14, 2021</td> <td>NIST DOP: December 14, 2021</td> <td>NIST DOP: December 18, 2021</td> </tr> </tbody> </table> <h2>How Anomali Can Help</h2> <h3>Update: December 22, 2021</h3> <p>The Anomali Threat Research team has updated the previously-released ThreatStream dashboard “Log4Shell (CVE-2021-44228)” to include Log4j vulnerabilities. The updated dashboard title is Log4Shell (CVE-2021-44228) and Variants: CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832.” The dashboard can be used for tracking associated indicators, research articles and vulnerable products. Customers can use Anomali Integrator to block specific IOCs in their downstream security integrations.</p> <hr/> <p>Anomali Match can provide alerting and retrospective lookup capabilities to detect and contextualize matches for these indicators.</p> <p><img alt="Anomali Log4Shell Dashboard" src="https://cdn.filestackcontent.com/iIIATVaRIOXEleG9TpyN"/></p> <p>For more information, reach out to your Customer Success Manager.</p> <h2>Endnotes</h2> <p><sup>[1]</sup> “CVE-2021-44228 Detail,” NVD NIST, access December 13, 2021, published December 10, 2021https://nvd.nist.gov/vuln/detail/CVE-2021-44228; Free Wortley, et al., “Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package,” LunaSec, accessed December 13, 2021, published December 12, 2021, https://www.lunasec.io/docs/blog/log4j-zero-day/.</p> <p><sup>[2]</sup> Dan Goodin, "Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet," Ars Technica, accessed December 28, 2021, published December 9, 2021, https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/; Jake King and Samir Bousseaden, “Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security,” Elastic NV, accessed December 13, published December 10, 2021, https://www.elastic.co/blog/detecting-log4j2-with-elastic-security.</p> <p><sup>[3]</sup> “CVE-2021-44228 Detail,” NVD NIST.</p> <p><sup>[4]</sup> Jake King and Samir Bousseaden, “Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security,” Elastic NV.</p> <p><sup>[5]</sup> “Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild,” Cisco Talos Blog, accessed December 13, 2021, published December 10, 2021, https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html.</p> <p><sup>[6]</sup> Hans-Martin Münch, “VULNERABILITY NOTES: LOG4SHELL,” Mogwai Labs, accessed December 13, 2021, published, December 10, 2021, https://mogwailabs.de/en/blog/2021/12/vulnerability-notes-log4shell/?s=09.</p> <p><sup>[7]</sup> Yaniv Nizry, “Stay tuned for a blog post…,” Twitter, accessed December 28 2021, published December 28, 2021, https://twitter.com/YNizry/status/1475916671953117184; “Apache Log4j Security Vulnerabilities,” Apache, accessed December 22, 2021, published December 17, 2021, https://logging.apache.org/log4j/2.x/security.html.</p> <p><sup>[8]</sup> Yaniv Nizry, “Stay tuned for a blog post…,” Twitter.</p> <p><sup>[9]</sup> Yaniv Nizry and Liad Levy, “CVE-2021-44832 - APACHE LOG4J 2.17.0 ARBITRARY CODE EXECUTION VIA JDCAPPENDER DATASOURCE ELEMENT,” Checkmarx Blog, accessed December 28, 2021, published December 28, 2021, https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/.</p>