Advisory - Apache Log4j Vulnerability

Background

A vulnerability was discovered in versions of Log4j, an open-source java logging library widely used by many applications and integrated as a dependency in many services. The logging library developed by the Apache Foundation is used by a large percentage of Java programs developed in the last decade and, by extension, a substantial number of organisations as Java is one of the top programming languages used by businesses of all sizes.

Log4j is a library used by developers and programmers to take notes about what’s happening on applications and servers. Organisations worldwide are grappling with evaluating the scope and impact of the exposure as its not apparent which applications and systems use Log4j.

The vulnerability, CVE-2021-44228, also known as Log4Shell, was evaluated to have a severity score rating of 10.0, which translates to a Critical Vulnerability.

Impact of the Vulnerability

Log4Shell allows attackers to gain access into systems, exfiltrate sensitive data, infect networks with malicious software and gain full control of systems through a process called Remote Code Execution (RCE). There is little to no expertise required to exploit the vulnerability found in this library, making Log4Shell a very severe computer vulnerability.

Technical Details

Log4j, the logging library, allows logged messages to contain format strings that reference outside information through the Java Naming and Directory Interface (JNDI), allowing information to be remotely retrieved across various protocols, including Lightweight Directory Access Protocol (LDAP). JDNI executes Java classes that an LDAP server references, and since the contents of log messages often contain user-controlled data, attackers can insert JNDI references point to LDAP servers they control that are ready to dish out malicious Java classes that perform any action the attacker wants.

3 Vulnerabilities were discovered and reported in Log4j in December 2021:

  • CVE-2021-44228 (Log4Shell vulnerability): Affects Apache Log4j versions 2.0-beta9 to 2.14.1 and allows Remote Code Execution (RCE)
  • CVE-2021-45046: Affects all versions from 2.0 beta9 to 2.15.0
  • CVE-2021-45105: Affects Log4j versions from 2.0-beta9 to 2.16.0

Recommendations

  • Check your infrastructure to confirm the use of Log4j in your environment.
  • Patch affected systems since patching is the primary recommended mitigation step. Apache has released several patches after the discovery of the vulnerability.
  • User of Java 8 (or later) should upgrade to release 2.17.0
  • Patching of systems should be prioritised starting with critical systems, internet-facing systems, and networked servers.
  • Organisations with third-party suppliers and software vendors should confirm the usage and up-to-date patching of affected systems. /li>
  • Users OT Networks should identify high-risk systems and proactively patch them. Systems should be isolated to secure zones and mitigation controls implemented where patching is not feasible.
  • Conduct a security review to determine if there have been any security incidents.

Further information is available at: