ApacheLog4j Remote Code Execution Vulnerability (CVE-2021-44228) Threat Alert

ApacheLog4j Remote Code Execution Vulnerability (CVE-2021-44228) Threat Alert

December 15, 2021 | Jie Ji

Overview

On December 9 2021, NSFOCUS CRET has detected the disclosure of Apachelog4j Remote Code Execution Vulnerability (CVE-2021-44228). Due to the recursive parsing of some functions of apachelog4j2, unauthenticated attackers can execute arbitrary code on target servers by sending a specially constructed data request packet. The vulnerability PoC has been disclosed on the Internet and can be exploited with default configuration. As the vulnerability has a wide range of effects, NSFOCUS strongly recommends that users take measures to troubleshoot and prevent it as soon as possible.

On December 10, NSFOCUS CERT found that for ApacheLog4j2.15.0-rc1 version, only LDAP was patched and host whitelist was added, which can be bypassed in non-default configurations. Thus, ApacheLog4j2.15.0-rc2 (the same as the stable version 2.15.0) was officially released to handle urI exceptions.

On December 12, ApacheLog4j2.15.1-rc1 was officially released, which directly disabled the JNDI function. If the lookup function is required, it is recommended to upgrade to this version and manually set log4j2.formatMsgNoLookups to false as default.

On December 13, Apache Log4j 2.16.0-rc1 (the same as the stable version 2.16.0) was officially released, which completely removes the vulnerable Message lookups function based on Apache Log4j 2.15.1-rc1.

On December 14, Apache Log4j 2.12.2-rc1 was released. JNDI and Lookup functions are disabled by default, and Java 7 is supported.

Apache Log4j2 is an open source Java logging framework and widely used in middleware, development framework and web applications to record log information.

Screenshot of recurrence of vulnerability:

Screenshot of recurrence of Log4j 2.15.0-rc1 bypass:

Vulnerability detailsVulnerability PoCVulnerability EXPUse out of office
PublishedPublishedPublishedexist

Reference link: https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3201?filter=allissues

Scope of impact

Affected version

  • 2.0-beta9 <= Apache Log4j <= 2.15.0-rc1(CVE-2021-44228)
  • Apache Log4j =1.2(CVE-2021-4104)

Note:

  1. In Apache Log4j 1.2, there is a JMSAppender deserialization Code Execution Vulnerability (CVE-2021-4104) in a specific configuration. When attackers have permission to modify Log4j configuration, JMSAppender is vulnerable to deserialization of untrusted data. Attackers can execute JNDI requests using JMSAppender in the specific configuration, causing remote code execution. Reference link: https://www.mail-archive.com/announce@apache.org/msg06936.html

Mitigation measures:

1) Comment out or delete JMSAppender in the Log4j configuration.

2) Use the following command to delete JMSAppender class file from the Log4j jar package:

zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class

3) Restrict system users’ access to the application platform to prevent attackers from modifying Log4j configuration.

  1. In ApacheLog4j2.15.0-rc1 version, log4j2.formatMsgNoLookups is officially set to true as default. Under this default configuration, Log4j2.15.0-rc1 version is not affected by the vulnerability.

Scope of supply chain impact

According to unauthorized statistics, there are more than 170K open source components that directly and indirectly reference Log4j;

Reference of Layer 1-4 of Log4j: there are 6960 components that directly reference Log4j, more than 30K referencing the second layer, more than 90K referencing the third layer and more than 160K referencing the fourth layer. Over 173,200 open source components are affected by Log4j vulnerabilities totally.

Known affected applications and components:

  • Most VMware products
  • Jedis
  • Logging
  • Logstash
  • HikariCP
  • Hadoop Hive
  • ElasticSearch
  • Apache Solr
  • Apache Struts2
  • Apache Flink
  • Apache Druid
  • Apache Log4j SLF4J  Binding
  • spring-boot-strater-log4j2
  • Camel :: Core
  • JBoss Logging 3
  • JUnit Vintage Engine
  • WSO2 Carbon Kernel Core

Refer to the following links for more components:

https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/usages?p=1

Unaffected version

  • Apache Log4j 2.15.0-rc2 (the same as the stable version 2.15.0)
  • Apache Log4j 2.15.1-rc1
  • Apache Log4j 2.16.0-rc1 (the same as the stable version 2.16.0)
  • Apache Log4j 2.12.2-rc1 (Java 7 supported)

Vulnerability Detection

Manual detection

Users can judge by checking whether org/apache/logging/log4j related path structure is contained after Java jar decompression. If there are relevant Java packages, the vulnerability is likely to exist.

If the program is packaged with Maven, you can check whether the pom.xml file of the project contains the following fields. If the version number is less than 2.15 0-rc2 (beta) or 2.15.0 (stable), the vulnerability exists.

If the program is packaged with gradle, you can check build.gradle Compile configuration file. If org.apache.logging.log4j related fields exists in the dependencies section, and the version number is less than 2.15 0-rc2 (beta) or 2.15.0 (stable), the vulnerability exists.

Attack troubleshooting

Attackers usually scan and detect by dnslog before exploitation. Common exploit methods can be checked by using the keywords “javax.naming.CommunicationException“, “javax.naming.NamingException: problem generating object using object factory” and “Error looking up JNDI resource” in the application system error log.

There may be “${jndi:}” in the data packet sent by the attacker. It is recommended to use NSFOCUS ISOP or Web Application Firewall for retrieval and troubleshooting.

Product detection

NSFOCUS’s Remote Security Assessment System (RSAS), Web Vulnerability Scanning System (WVSS), Industrial Control Systems Vulnerability Scanning System (ICSScan), Network Intrusion Detection System (IDS) and United Threat System (UTS) have the ability to scan and detect the vulnerability. Please upgrade to the latest version if you have deployed the above devices.

 Upgraded package version numberUpgrade package download link
RSAS V6 System plug-in packageV6.0R02F01.2509  http://update.nsfocus.com/update/downloads/id/121999  
RSAS V6 Web plug-in packageV6.0R02F00.2408http://update.nsfocus.com/update/downloads/id/122079
WVSS V6 upgraded plug-in packageV6.0R03F00.234http://update.nsfocus.com/update/downloads/id/122081
ICSScan V6.0 system plug-in packageV6.0R00F04.2405http://update.nsfocus.com/update/downloads/id/122116
ICSScan V6.0  Web plug-in packageV6.0R00F04.2306http://update.nsfocus.com/update/downloads/id/122127
IDS5.6.11.26706http://update.nsfocus.com/update/downloads/id/122010
5.6.10.26706http://update.nsfocus.com/update/downloads/id/122009
5.6.9.26706 http://update.nsfocus.com/update/downloads/id/122008
UTS5.6.10.26706http://update.nsfocus.com/update/downloads/id/122103

Apply for cloud detection

NSFOCUS provides users with remote detection services. Due to certain risks in the detection of this vulnerability, if relevant users need to apply for cloud detection, please contact the sales or project manager, or send an email to support@nsfocusglobal.COM with personal company email address, provide the list of assets to be scanned, the scanning time slotand contactinformation in the text, and we will contact you.

7x24h Customer service hotline: 400-818-6868 Ext 2

Vulnerability Protection

Official upgrade

At present, several fixed versions have been released for CVE-2021-44228. The update contents of different versions are slightly different. Affected users can choose corresponding upgraded versions according to needs. Download link:https://github.com/apache/logging-log4j2/tags

Apache Log4j Version number Version update description
Apache Log4j 2.15.0-rc1Fixed LDAP and added host whitelist;can be bypassed when manually opening Lookup
Apache Log4j 2.15.0-rc2The handling of URI exceptions is enhanced to further fix the vulnerability.
Apache Log4j 2.15.0 stable versionThe handling of URI exceptions is enhanced to further fix the vulnerability.
Apache Log4j 2.15.1-rc1The default configuration disables JNDI and Lookup functions.
Apache Log4j 2.16.0-rc1The default configuration disables the JNDI function and completely removes the support for the vulnerable Message Lookups function.
Apache Log4j 2.16.0 stable versionThe default configuration disables the JNDI function and completely removes the support for the vulnerable Message Lookups function.
Apache Log4j 2.12.2-rc1The default configuration disables JNDI and Lookup functions, and this version supports Java 7.

Note:

  1. In ApacheLog4j2.15.0-rc1 version, log4j2.formatMsgNoLookups is officially set to true as default. Without manually opening Lookup, Log4j2.15.0-rc1 version is not affected by the vulnerability.
  2. It is recommended that affected users upgrade all Apache log4j related applications to ApacheLog4j2.15.0-rc2 (Beta) or Apache Log4j 2.15.0 (Stable) and above version. (the stable version is recommended)
  3. Please confirm whether relevant businesses require the Lookup function. If required, please manually set log4j2.formatMsgNoLookups to false as default after upgrading to ApacheLog4j2.15.1-rc1.
  4. To prevent accidents in the upgrade process, it is recommended to back up your data first.
  5. Upgrade the known affected applications and components in the supply chain: see the “Scope of supply chain impact” in “2. Scope of influence” above.

If users have been upgraded to Log4j 2.15.0-rc1 or Log4j 2.15.0-rc2, it will not be affected under the default configuration; Please confirm whether related businesses require Lookup function. If needed, please upgrade to Log4j 2.15.1-rc1.

Mitigation by security products

For the vulnerability, NSFOCUS has released the rule upgrade packages of Network Intrusion Protection System (IPS), Web Application Firewall (WAF) and the Next-GenerationFirewall (NF). Please upgrade the rules to strengthen the protection capability of security products. The version numbers of safety protection product rules are as follows:

Safety protection productVersion Numbers of RuleUpgrade Package Download LinkRule Number
IPS5.6.11.26706http://update.nsfocus.com/update/downloads/id/12201025475
5.6.10.26706 http://update.nsfocus.com/update/downloads/id/12209
5.6.9.26706 http://update.nsfocus.com/update/downloads/id/122008
WAF6.0.7.3.50737http://update.nsfocus.com/update/listWafV67Detail/v/rule607027005085
6.0.7.0.49847http://update.nsfocus.com/update/listWafV67Detail/v/all
NF6.0.1.862http://update.nsfocus.com/update/downloads/id/12197525476
6.0.2.862 http://update.nsfocus.com/update/downloads/id/121983
6.0.60.862 http://update.nsfocus.com/update/downloads/id/121972
6.0.70.862 http://update.nsfocus.com/update/downloads/id/121973

Workaround

If users are unable to upgrade, the following measures can be taken for temporary protection:

  1. Add jvm parameter to start: -Dlog4j2.formatMsgNoLookups=true
  1. Add log4j2.component.properties configuration file under the classpath of the application. The file content is: log4j2 formatMsgNoLookups=true
  1. Set the system environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true.
  2. Remove the JndiLookup class file from the log4j-core package using the following command:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Note: when and only when Apache log4j >= version 2.10, any of the measures 1, 2 ,3 and 4 can be used for protection.

  1. Disable JNDI manually, for example, add “spring.jndi.ignore=true” in spring.properties.
  2. It is recommended to use JDK in 11.0.1, 8u191, 7u201, 6u211 or later versions, which can prevent RCE to a certain extent.
  3. Restrict the external access of affected applications to the Internet, and detect the access of dnslog related domain names at the boundary.

Some public dnslog platforms are as follows:

  • ceye.io
  • dnslog.link
  • dnslog.cn
  • dnslog.io
  • tu4.org
  • burpcollaborator.net
  • s0x.cn

Mitigation by security platforms

NSFOCUS enterprise security platform (ESP-H) and NSFOCUS intelligent security operation platform (ISOP) have the ability to detect this vulnerability. Users who have deployed those platforms can monitor the vulnerability on the platform.

Security PlatformUpgraded package / rule version number
ESP-H(NSFOCUS Enterprise Security Platform)Upgraded package with latest rules: attack_rule.1.0.0.1.1048648.dat
ISOP(NSFOCUS Intelligent Security Operation Platform)Upgrade the attack identification rule package to the latest version: attack_rule.1.0.0.1.1048648.dat

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.