Overview
The update involves (CVE-2021-45046) and (CVE-2021-45105) vulnerability information, scope of influence, product rules, official version and workaround.
On December 9 2021, NSFOCUS CRET has detected the disclosure of Apachelog4j Remote Code Execution Vulnerability (CVE-2021-44228). Due to the recursive parsing of some functions of apachelog4j2, unauthenticated attackers can execute arbitrary code on target servers by sending a specially constructed data request packet. The vulnerability PoC has been disclosed on the Internet and can be exploited with default configuration. As the vulnerability has a wide range of effects, NSFOCUS strongly recommends that users take measures to troubleshoot and prevent it as soon as possible.
On December 10, NSFOCUS CERT found that for ApacheLog4j2.15.0-rc1 version, only LDAP was patched and host whitelist was added, which can be bypassed in non-default configurations. Thus, ApacheLog4j2.15.0-rc2 (the same as the stable version 2.15.0) was officially released to handle urI exceptions.
On December 12, ApacheLog4j2.15.1-rc1 was officially released, which directly disabled the JNDI function. If the lookup function is required, it is recommended to upgrade to this version and manually set log4j2.formatMsgNoLookups to false as default.
On December 13, Apache Log4j 2.16.0-rc1 (the same as the stable version 2.16.0) was officially released, which completely removes the vulnerable Message lookups function based on Apache Log4j 2.15.1-rc1.
On December 14, the Apache Log4j deserialization Code Execution Vulnerability (CEV-2021-4104) is officially disclosed. When Apache Log4j 1.2.x is in a specific configuration, JMSAppender is vulnerable to deserialization of untrusted data. When attackers have the permission to modify Log4j configuration, they can execute JNDI requests with JMSAppender by the use of specific configuration, resulting in remote code execution.
On December 14, Apache Log4j 2.12.2-rc1 was released. JNDI and Lookup functions are disabled by default, and Java 7 is supported.
On December 15, the official announcement disclosed the DoS vulnerability (CVE-2021-45046) of Apache Log4j. When Log4j is configured to use non-default mode layout and context lookup (such as $${ctx: loginid}) or thread context mapping mode (%X、%mdc or %MDC), attackers use JNDI lookup mode to create malicious input data, resulting in a denial of service (DOS). As in Apache Log4j 2.15.0, the vulnerability fix method for CVE-2021-44228 is imperfect, it will be affected by this vulnerability in a specific configuration.
On December 17, the DoS vulnerability of Apache Log4j was updated to Code Execution Vulnerability (CVE-2021-45046). The fix to CVE-2021-44228 in Apache Log4j 2.15.0 is incomplete in some non-default configurations. When the log configuration uses a non-default mode layout with context lookup (such as$${ctx:loginId}), the attackers who input data by controlling thread context mapping (MDC) can use JNDI search mode to create malicious input data, so as to cause information disclosure, RCE (remote code execution) and LCE (local code execution) attacks, and the CVSS score increased from 3.7 to 9.0. On December 18, Apache Log4j 2.17.0 was officially released and the DoS vulnerability (CVE-2021-45105) in Apache Log4j was disclosed. As Log4j does not prevent uncontrolled recursion in self reference lookup, when the log configuration uses a non-default mode layout with context lookup (such as, $${ctx:loginId}), the attackers who input data by controlling thread context mapping (MDC) can create malicious input data containing recursive lookup, causing DoS attacks in which StackOverflowError kills the process.
Apache Log4j2 is an open source Java logging framework and widely used in middleware, development framework and web applications to record log information.
Screenshot of recurrence of CVE-2021-44228:
Screenshot of recurrence of Log4j 2.15.0-rc1 bypass of CVE-2021-44228:
Vulnerability details | Vulnerability PoC | Vulnerability EXP | Use out of office |
Published | Published | Published | exist |
Reference link:
https://logging.apache.org/log4j/2.x/security.html
https://www.mail-archive.com/announce@apache.org/msg06936.html
Scope of impact
Affected version
CVE-2021-44228:
- 2.0-beta9 <= Apache Log4j <= 2.12.1
- 2.13.0<= Apache Log4j <= 2.15.0-rc1
CVE-2021-45046:
- 2.0-beta9 <= Apache Log4j <= 2.12.1
- 2.13.0<= Apache Log4j <= 2.15.0-rc2(2.15.0 stable version)
Note:only log4j-core jar files are affected.
CVE-2021-4104:
- Apache Log4j =1.2.x
CVE-2021-45105:
- 2.0-alpha1 <= Apache Log4j <=2.16.0
Note:only log4j-core jar files are affected.
Scope of supply chain impact:
According to incomplete statistics, there are more than 170K open source components that directly and indirectly reference Log4j;
Reference of Layer 1-4 of Log4j: there are 6991 components that directly reference Log4j, more than 30K referencing the second layer, more than 90K referencing the third layer and more than 160K referencing the fourth layer. Over 173,200 open source components are affected by Log4j vulnerabilities totally.
Known affected applications and components:
- Most VMware products
- Jedis
- Logging
- Logstash
- HikariCP
- Hadoop Hive
- ElasticSearch
- Apache Solr
- Apache Struts2
- Apache Flink
- Apache Druid
- Apache Log4j SLF4J Binding
- spring-boot-strater-log4j2
- Camel :: Core
- JBoss Logging 3
- JUnit Vintage Engine
- WSO2 Carbon Kernel Core
Refer to the following links for more components:
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/usages?p=1
Unaffected version
- Apache Log4j 2.17.0-rc1(the same as the stable version 2.17.0)
- Apache Log4j 2.12.3-rc1(the same as the stable version 2.12.3)
Note: 2.12.3 version has not been released, please stay tuned.
Vulnerability Detection
Manual detection
Users can judge by checking whether org/apache/logging/log4j related path structure is contained after Java jar decompression. If there are relevant Java packages, the vulnerability is likely to exist.
If the program is packaged with Maven, you can check whether the pom.xml file of the project contains the following fields. If the version number is less than 2.15 0-rc2 (beta) or 2.15.0 (stable), the vulnerability exists.
If the program is packaged with gradle, you can check build.gradle Compile configuration file. If org.apache.logging.log4j related fields exists in the dependencies section, and the version number is less than 2.15.1, the application will be affected.
Attack troubleshooting
Attackers usually scan and detect by dnslog before exploitation. Common exploit methods can be checked by using the keywords “javax.naming.CommunicationException“, “javax.naming.NamingException: problem generating object using object factory” and “Error looking up JNDI resource” in the application system error log.
There may be “${jndi:}” in the data packet sent by the attacker. It is recommended to use NSFOCUS ISOP or Web Application Firewall for retrieval and troubleshooting.
Product detection
NSFOCUS’s Remote Security Assessment System (RSAS), Web Vulnerability Scanning System (WVSS), Industrial Control Systems Vulnerability Scanning System (ICSScan), Network Intrusion Detection System (IDS) and United Threat System (UTS) have the ability to scan and detect the vulnerability. Please upgrade to the latest version if you have deployed the above devices.
Upgraded package version number | Upgrade package download link | |
RSAS V6 System plug-in package | V6.0R02F01.2511 Information Technology Application Innovation V6.0R02F01.1704 | http://update.nsfocus.com/update/downloads/id/122278 Information Technology Application Innovation: http://update.nsfocus.com/update/downloads/id/122003 |
RSAS V6 Web plug-in package | V6.0R02F00.2409 | http://update.nsfocus.com/update/downloads/id/122201 |
WVSS V6 upgraded plug-in package | V6.0R03F00.235 | http://update.nsfocus.com/update/downloads/id/122203 |
ICSScan V6.0 system plug-in package | V6.0R00F04.2405 | http://update.nsfocus.com/update/downloads/id/122116 |
ICSScan V6.0 Web plug-in package | V6.0R00F04.2306 | http://update.nsfocus.com/update/downloads/id/122127 |
IDS | 5.6.11.26749 | http://update.nsfocus.com/update/downloads/id/122198 |
5.6.10.26749 | http://update.nsfocus.com/update/downloads/id/122197 | |
5.6.9.26749 | http://update.nsfocus.com/update/downloads/id/122196 | |
UTS | 5.6.10.26749 | http://update.nsfocus.com/update/downloads/id/122245 |
Apply for cloud detection
NSFOCUS provides users with remote detection services. Due to certain risks in the detection of this vulnerability, if relevant users need to apply for cloud detection, please contact the sales or project manager, or send an email to support@nsfocusglobal.COM with personal company email address, provide the list of assets to be scanned, the scanning time slotand contactinformation in the text, and we will contact you.
7x24h Customer service hotline: 400-818-6868 Ext 2
Vulnerability Protection
Official upgrade
At present, several fixed versions have been released for CVE-2021-44228. The update contents of different versions are slightly different. Affected users can choose corresponding upgraded versions according to needs. Download link:https://github.com/apache/logging-log4j2/tags
Apache Log4j Version number | Version update description |
Apache Log4j 2.15.0-rc1 | Fixed LDAP and added host whitelist;can be bypassed when manually opening Lookup, and will be affected by CVE-2021-45046 and CVE-2021-45105. |
Apache Log4j 2.15.0-rc2 | The handling of URI exceptions is enhanced to further fix the vulnerability. It will be affected by CVE-2021-45046 and CVE-2021-45105. |
Apache Log4j 2.15.0 stable version | The handling of URI exceptions is enhanced to further fix the vulnerability. It will be affected by CVE-2021-45046 and CVE-2021-45105. |
Apache Log4j 2.15.1-rc1 | The default configuration disables JNDI and Lookup functions. |
Apache Log4j 2.16.0-rc1 | The default configuration disables the JNDI function and Message Lookups function is completely removed. |
Apache Log4j 2.16.0 stable version | The default configuration disables the JNDI function and Message Lookups function is completely removed. |
Apache Log4j 2.17.0-rc1 | Limit the string search and parsing in log configuration on the basis of 2.16.0. |
Apache Log4j 2.17.2-rc1 stable version | Limit the string search and parsing in log configuration on the basis of 2.16.0. |
Apache Log4j 2.12.2-rc1 | The default configuration disables the JNDI function and Message Lookups function is completely removed. This version supports Java7. |
Apache Log4j 2.12.2 stable version | The default configuration disables the JNDI function and Message Lookups function is completely removed. This version supports Java7. |
Apache Log4j 2.12.3 stable version | Limit the string search and parsing in log configuration on the basis of 2.12.2. |
Note:
- In ApacheLog4j2.15.0-rc1 version, log4j2.formatMsgNoLookups is officially set to true as default. Without manually opening Lookup, Log4j2.15.0-rc1 version is not affected by the CVE-2021-44228 vulnerability.
- It is recommended that affected users upgrade all Apache log4j related applications to ApacheLog4j2.17.0-rc1 (Beta) or Apache Log4j 2.17.0 (stable).
- It is recommended to upgrade the stable version. Users of Java 7 can upgrade to Apache Log4j 2.12.3 for fix.
- To prevent accidents in the upgrade process, it is recommended to back up your data first.
- Upgrade the known affected applications and components in the supply chain: see the “Scope of supply chain impact” in “2. Scope of influence” above.
If users have been upgraded to Log4j 2.15.0-rc1 or Log4j 2.15.0-rc2, it will not be affected under the default configuration; Please confirm whether related businesses require Lookup function. If needed, please upgrade to Log4j 2.15.1-rc1.
Mitigation by security products
For the vulnerability, NSFOCUS has released the rule upgrade packages of Network Intrusion Protection System (IPS), Web Application Firewall (WAF) and the Next-GenerationFirewall (NF). Please upgrade the rules to strengthen the protection capability of security products. The version numbers of safety protection product rules are as follows:
Safety protection product | Version Numbers of Rule | Upgrade Package Download Link | Rule Number |
IPS | 5.6.11.26749 | http://update.nsfocus.com/update/downloads/id/122198 | 25475 |
5.6.10.26749 | http://update.nsfocus.com/update/downloads/id/122197 | ||
5.6.9.26749 | http://update.nsfocus.com/update/downloads/id/122196 | ||
WAF | 6.0.7.3.52185 | http://update.nsfocus.com/update/downloads/id/122193 | 27005085 |
6.0.7.0.52185 | http://update.nsfocus.com/update/downloads/id/122194 | ||
NF | 6.0.1.863 | http://update.nsfocus.com/update/downloads/id/122048 | 25476 |
6.0.2.863 | http://update.nsfocus.com/update/downloads/id/122049 | ||
6.0.60.863 | http://update.nsfocus.com/update/downloads/id/122045 | ||
6.0.70.863 | http://update.nsfocus.com/update/downloads/id/122047 |
Workaround
If users are unable to upgrade, the following measures can be taken for temporary protection:
- Add jvm parameter to start: -Dlog4j2.formatMsgNoLookups=true
- Add log4j2.component.properties configuration file under the classpath of the application. The file content is: log4j2 formatMsgNoLookups=true
- Set the system environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true.
- Remove the JndiLookup class file from the log4j-core package using the following command:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Note: when and only when Apache log4j >= version 2.10, any of the measures 1, 2 ,3 and 4 can be used for protection.
- Disable JNDI manually, for example, add “spring.jndi.ignore=true” in spring.properties.
- It is recommended to use JDK in 11.0.1, 8u191, 7u201, 6u211 or later versions, which can prevent RCE to a certain extent.
- Restrict the external access of affected applications to the Internet, and detect the access of dnslog related domain names at the boundary.
Some public dnslog platforms are as follows:
- ceye.io
- dnslog.link
- dnslog.cn
- dnslog.io
- tu4.org
- burpcollaborator.net
- s0x.cn
Apache Log4j JMSAppender Deserialization Code Execution Vulnerability (CVE-2021-4104)temporary protection:
- Comment out or delete JMSAppender in Log4j configuration.
- Use the following command to delete JMSAppender files from log4j jar package:
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
- Restrict system users’ access to the application platform to prevent attackers from modifying the configuration of Log4j.
Apache Log4j Remote Code Execution Vulnerability (CVE-2021-45046) temporary protection:
Use the following command to delete JndiLookup files from log4j-core package:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Apache Log4j Dos Vulnerability (CVE-2021-45105) temporary protection:
- In PatternLayout of log configuration, replace context lookup such as ${ctx:loginId} or $${ctx:loginId} with thread context mapping mode (%X, %mdc or %MDC).
- Delete references to context lookups in the configuration, such as ${ctx:loginId} or $${ctx:loginId}.
Mitigation by security platforms
NSFOCUS enterprise security platform (ESP-H) and NSFOCUS intelligent security operation platform (ISOP) have the ability to detect this vulnerability. Users who have deployed those platforms can monitor the vulnerability on the platform.
Security Platform | Upgraded package / rule version number |
ESP-H(NSFOCUS Enterprise Security Platform) | Upgraded package with latest rules: attack_rule.1.0.0.1.1048648.dat |
ISOP(NSFOCUS Intelligent Security Operation Platform) | Upgrade the attack identification rule package to the latest version: attack_rule.1.0.0.1.1048648.dat |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.