Apache Log4j2 Library Vulnerability - What to know and tell your clients

On Thursday, December 9, 2021, a zero-day exploit was made public in the popular Java logging library Log4j. Log4j is widely used to create and store logging information from software, applications, hardware appliances and so on. Impacted versions of Log4j are 2.0 - 2.14.1; the vulnerability is fixed in versions 2.15.0 and 2.16.0.



How big is the risk? This is a particularly dangerous vulnerability because it can be exploited remotely, it requires no authentication, and it can give full access to the server or device being attacked. Furthermore, it is trivial to exploit (a single line of code is enough), and proof-of-concept attacks are already published online.

This logging library is widely used and is found in a wide range of appliances and software, including Apache Struts, Tomcat and Solr, Linux distributions, and products from companies such as BlackBerry, Symantec and Apple.

Who’s most affected? Unfortunately, there is no specific type of organization that is likely to be affected more than another, and it is difficult for an individual business to see whether it is vulnerable. For example, while a customer might not have the vulnerability in the software they have written themselves, it is entirely possible that appliances and services they use (such as VPN devices, cloud providers etc.) may have it.

As this is an Apache library, it is more likely to be running on Linux servers; however, it is a Java vulnerability, and Java runs on multiple platforms, so Windows, Linux and Apple servers could all be vulnerable. We suspect companies between $25m and $1Bn are the most at risk, because they are likely to be running vulnerable software/devices. This vulnerability heightens ransomware risk: it creates an exposure that ransomware gangs can use to gain initial access into a customer’s network and install ransomware.

What should you tell your clients? Key questions to ask your clients:

  • Are you aware of the recent log4j vulnerability aka CVE-2021-44228 or log4shell?

  • Have you assessed your exposure to it for internally developed applications?

  • Have you spoken to your hardware/software/cloud vendors and assessed whether their services are impacted?

  • Do you have a plan to deploy updates from outcomes of the questions above?

Apache has published a security advisory here to address this vulnerability and has released patched versions (2.15.0 and 2.16.0). The Canadian Centre for Cyber Security has some very detailed information and advice: Active Exploitation of Apache Log4j Vulnerability - Update 3 - Canadian Centre for Cyber Security
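The second question above (assessing exposure in internally developed applications) usually comes down to finding every copy of log4j-core on a host and reading its version. The Python script below is an added example, not BOXX's, Apache's or any linked resource's code: it walks a directory tree, looks inside JAR/WAR/EAR archives (including JARs nested in a WAR), recovers the log4j-core version from the file name or, for a renamed copy, from the JAR manifest, and classifies it against the range stated in this advisory (2.0 - 2.14.1 affected, 2.15.0 and later fixed). The `org/apache/logging/log4j/core/` package path and the `Implementation-Version` manifest attribute are the real Log4j 2 markers it checks; the archives it scans are constructed sample data written to a temporary directory, and a shaded application JAR is deliberately left as "undetermined" because its manifest describes the application, not Log4j.

```python
"""Inventory log4j-core JARs under a directory tree and classify each version against the
ranges stated in the advisory above (affected 2.0 - 2.14.1; fixed 2.15.0 and later).
Added example with constructed sample archives; not BOXX or Apache code."""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

LOG4J_PKG = "org/apache/logging/log4j/"          # all Log4j 2 classes live under this path
LOG4J_CORE_PKG = LOG4J_PKG + "core/"              # present in every log4j-core JAR
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+){1,2})(-[0-9A-Za-z.]+)?\.jar$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

AFFECTED_MIN, AFFECTED_MAX, FIXED_MIN = (2, 0, 0), (2, 14, 1), (2, 15, 0)
AFFECTED = "affected (2.0 - 2.14.1 per advisory)"
FIXED = "fixed (2.15.0 or later per advisory)"
REVIEW = "outside the advisory's stated GA ranges, review manually"
OUT_OF_RANGE = "not in the 2.x range the advisory covers"
UNDETERMINED = "version not determined, inspect archive manually"


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """'2.14.1' -> ((2, 14, 1), None); '2.0-beta9' -> ((2, 0, 0), 'beta9')."""
    core, _, pre = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2]), (pre or None)


def classify(version: Optional[str]) -> str:
    """Map a log4j-core version onto the advisory's affected/fixed ranges."""
    if version is None:
        return UNDETERMINED
    try:
        num, pre = parse_version(version)
    except ValueError:                      # manifest carried something that is not a version
        return REVIEW
    if num[0] != 2:
        return OUT_OF_RANGE
    if pre:                                 # 2.0-beta9 etc. are not GA builds the advisory names
        return REVIEW
    if AFFECTED_MIN <= num <= AFFECTED_MAX:
        return AFFECTED
    if num >= FIXED_MIN:
        return FIXED
    return REVIEW


def version_from_name(path: str) -> Optional[str]:
    """Recover the version from a conventional log4j-core-<version>.jar file name."""
    m = JAR_NAME_RE.match(os.path.basename(path))
    return m.group(1) + (m.group(2) or "") if m else None


def manifest_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version" and value.strip():
            return value.strip()
    return None


def scan_archive(data: bytes, location: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (location, version) for log4j-core in this archive or any archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(LOG4J_CORE_PKG) for n in names):
            version = version_from_name(location)
            # Trust the manifest only when no classes outside Log4j's package are present;
            # a shaded application JAR's manifest describes the application, not Log4j.
            if version is None and all(n.startswith(LOG4J_PKG) or not n.endswith(".class") for n in names):
                version = manifest_version(zf)
            yield location, version
        for n in names:                     # WEB-INF/lib/*.jar inside a WAR, JARs inside an EAR
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(n), f"{location}!/{n}")


def scan_tree(root: str) -> List[Tuple[str, Optional[str], str]]:
    """Walk a directory tree and return sorted (location, version, classification) rows."""
    rows = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                rows.extend((loc, ver, classify(ver)) for loc, ver in scan_archive(data, path))
    return sorted(rows, key=lambda r: r[0])


def make_archive(entries: Dict[str, object]) -> bytes:
    """Constructed stand-in archive from {entry name: bytes or str}; entries are not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> List[Tuple[str, Optional[str], str]]:
    """Write five constructed archives to a temporary tree and scan them."""
    core = {LOG4J_CORE_PKG + "Logger.class": b""}
    def manifest(v: str) -> Dict[str, object]:
        return {"META-INF/MANIFEST.MF": f"Manifest-Version: 1.0\nImplementation-Version: {v}\n"}
    files = {
        "lib/log4j-core-2.14.1.jar": make_archive({**core, **manifest("2.14.1")}),
        "lib/log4j-core-2.16.0.jar": make_archive({**core, **manifest("2.16.0")}),
        "lib/logging.jar": make_archive({**core, **manifest("2.12.1")}),          # renamed copy
        "lib/app-all.jar": make_archive({**core, "com/example/App.class": b"", **manifest("1.0.0")}),
        "app.war": make_archive({"WEB-INF/lib/log4j-core-2.0-beta9.jar": make_archive(core)}),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for location, version, verdict in demo():
        print(f"{verdict:<58} {version or '?':<10} {location}")
```

Run it against a real application directory by calling `scan_tree("/path/to/app")` instead of `demo()`. Rows marked "undetermined" or "review manually" are the ones worth a closer look: a shaded or relocated copy of Log4j is exactly the case an inventory based on file names alone misses, and it is what the question about vendor appliances and cloud services is getting at.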


Further Reading

(Please note these are external links and are not endorsed or vetted by BOXX):

Apache Log4j Advisory

CCCS AV21-626 Apache Security Advisory

CVE-2021-44228

CERT United Kingdom - Alert: Active scanning for Apache Log4j 2 vulnerability (CVE-2021-44228)

CERT New Zealand - Log4j RCE 0-day actively exploited

Florian Roth - log4j RCE Exploitation Detection (Grep and YARA)

Greynoise IP List - CVE-2021-44228 Apache Log4j RCE Attempts

GitHub community resource identifying vulnerable applications

NCSC-NL : Resource GitHub

CISA Apache Log4j Vulnerability Guidance