Severe Log4Shell Vulnerability in Log4j 2: A Popular Java Logging System
Note: This blog relates to an ongoing incident. Facts, recommendations, and impacts may change as more information becomes available.
Mitigation updated with the latest fixed version (2.17) Monday 20 Dec at 16:30 EET
Summary
The log4j vulnerability has been a rude awakening to many small and large organizations, and IT administrator teams are working hard to patch the newly-discovered vulnerability known as Log4Shell. The magnitude of this discovery is significant, as it affects millions of devices across the internet. The vulnerability is found in Log4j, which is a public computer software library used by Java-based apps and online services to log error messages to a log file. It is a programming bug that anyone outside the system can exploit.
What makes this an urgent matter to tackle is the fact that the exploitation of the vulnerability is extremely simple, and if a server is vulnerable, it has already likely been compromised at this point. The vulnerability allows a potential attacker to execute remote code on vulnerable servers with any input that is logged by Log4j, such as HTTP User-Agent, URL, chat message, hostname, to name just a few examples. A troubling fact is that many organizations might not even be aware that they are using this Java software with the log4j library. This will most likely make the discovery process longer, and it will take some time to install the patches. Fortunately, a fixed and secure version of the library is available for vendors to implement in affected products.
Our dedicated CDC teams, including Threat Intelligence, SOC, and DFIR, are working continuously to monitor the situation and report on new discoveries as they emerge. So far, dozens of products are known to be vulnerable to the flaw throughout the world and the Nordics. A comprehensive, regularly updated listing is available here.
At this point, it is unknown how many organizations in total are affected by this vulnerability, but it is clear that the number is very high. This vulnerability has been internationally regarded as one of the worst ones since Heartbleed and ShellShock and, for example, in Canada, thousands of government websites have been shut down in order to prevent the exploitation of the bug.
In the Nordics, the vulnerability has not yet reached the news headlines as prominently as it has elsewhere, so it is difficult to say how big of an impact the vulnerability will have on the market area. As time passes, however, it is likely that the vulnerability will be exploited at an increasing pace wherever Log4j may be found.
Mitigation (updated 20 Dec at 16:30 EET)
- Versions 2.0 - 2.16 are affected, the vulnerability has been fixed in 2.17. In order to mitigate the issue, we recommend patching the Log4j.
- The recommended way is to upgrade to 2.17. which removes the support for message lookup patterns and disables JNDI functionality by default (CVE-2021-45046). It is also possible to remove the JndiLookup class from the classpath according to Apache. It has turned out that the configuration flag mitigation "log4j2.formatMsgNoLookups=True" is not enough to protect against this vulnerability. Also, the fix in version 2.15.0 against CVE-2021-44228 was incomplete.
- Version 1.2 is affected by a similar type of remote code execution vulnerability (CVE-2021-4104) when JMSAppender is used. The solution for this is to comment out or remove JMSAppender in the log4j configuration and/or remote the JMSAppender class from the classpath. JMSAppender is not the default and must be purposefully taken into use.
- For more detailed information on the Log4j vulnerability, you can find a relatively comprehensive list of vulnerable products available here: https://github.com/NCSC-NL/log4shell/tree/main/software
Nixu CDC Assistance
In case your organization is in need of assistance with this matter, our Threat Intelligence, SOC, and DFIR teams are available to assist.
Available are:
- Digital Forensics & Incident Response (DFIR): 24/7 service of handling cybersecurity incidents and digital forensics investigations ensures that you can react fast and get back to normal as quickly as possible.
Our highly skilled professionals will efficiently resolve any cyber incident you might encounter using various malware analysis methods, reverse engineering, memory and file forensics, and combining the data with threat intelligence information.
- Cyber Defense Center (CDC): Where our cybersecurity specialists and systems monitor, contain, and remediate security threats on your behalf 24/7. We protect your core processes and people, and provide you with ability to detect early and react quickly.
- Threat Intelligence as a Service: Providing Actionable Intelligence, Now. Be notified of the latest vulnerabilities, blindspots, and flaws that may affect you, so that you can take timely action.
For additional information on the Nixu CDC service and a contact form, have a look at the Nixu Cyber Defence offering page.
If you are a Nixu customer and you have questions regarding the case, please contact your dedicated Nixu contact person. Alternatively, you can send a message to nixu.communications@nixu.com from where we will direct your message to the correct recipient.