[Notice] Log4j Core Affected by Apache Log4j Vulnerability CVE-2021-44228

AhnLab recommends applying the security updates for the Apache Log4j vulnerability.

Apache Log4j Vulnerability Information

Vulnerability

  • Vulnerability (CVE-2021-44228, CVSS 10.0) in Log4j 2.x that allows an attacker to execute code remotely via a log message [1]
  • Vulnerability (CVE-2021-45046, CVSS 3.7) in Log4j 2.x that allows an attacker to cause a denial of service via a log message [2]
  • Vulnerability (CVE-2021-4104) in Log4j 1.2.x that allows an attacker to execute code remotely via a log message [3]

Versions Affected by Vulnerability

  • CVE-2021-44228 – Apache Log4j 2.0-beta9 to 2.14.1 (excluding Log4j 2.12.2)
  • CVE-2021-45046 – Apache Log4j 2.0-beta9 to 2.12 and 2.15.0
  • CVE-2021-4104 – Apache Log4j 1.2.x

(Note) CVE-2021-45046 occurs when a Context Lookup or Thread Context Lookup pattern is used in the Pattern Layout in Log4j 2.x
(Note) CVE-2021-4104 occurs when the JMSAppender feature is used in Log4j 1.2.x

CVE-2021-44228 is the most critical of these vulnerabilities (CVSS 10.0) and requires an immediate update. Users are advised to check whether the systems they operate contain vulnerable Log4j Core libraries. The affected files are the log4j-core JARs of each vulnerable version, as distributed at the references below, and can be identified by MD5 hash. The hash for a given version may differ if the Log4j source code was built manually in an individual environment.

Reference [1] https://archive.apache.org/dist/logging/log4j/
Reference [2] https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/

Log4j is a common open-source logging library for Java-based environments and is used by the majority of users. Yet according to research by the ASEC analysis team on client environments, a number of users still run the vulnerable Log4j Core without the security update despite the critical vulnerability. The number includes externally accessible servers as well as application and framework environments used by individuals, for example:

  • C:\ghidra\Ghidra\Framework\Generic\lib\log4j-core-2.12.1.jar
  • C:\Users\<user name>\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-core\2.14.1\log4j-core-2.14.1.jar
  • C:\eGovFrame-3.6.0\maven\repository\org\apache\logging\log4j\log4j-core\2.1\log4j-core-2.1.jar
  • C:\Apache Software Foundation\Tomcat 8.5\webapps\ROOT_210928\WEB-INF\lib\log4j-core-2.8.2.jar
  • D:\<*****>_erp_server\<***>ERP_<*****>\webapps\ROOT\WEB-INF\lib\log4j-core-2.10.0.jar
  • C:\Users\USER\AppData\Local\MapTool\app\log4j-core-2.13.0.jar
  • C:\<user name>\Teamcenter13\tccs\third_party\TcSS\TcSS13.3\jars\log4j-core-2.14.0.jar
  • \\<Private Server>\..\..\..\…\<***>project\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps\<***>project\WEB-INF\lib\log4j-core-2.11.2.jar
  • \Users\<user name>\eclipse-server\<*********>\WebContent\WEB-INF\lib\log4j-core-2.11.1.jar

Users should check whether the applications and frameworks they use include vulnerable Log4j Core libraries. If a vulnerable version is found, users are advised to apply the security update.
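One way to carry out this check when file hashes cannot be relied on, for example for manually built or renamed files (an added example, not AhnLab's tooling): the script reads the version from the Maven pom.properties inside each archive, including log4j-core nested in WAR/EAR files or fat JARs, and flags the CVE-2021-44228 range stated in this advisory. It assumes Maven-built JARs that keep pom.properties; the function names and the nesting depth limit are illustrative, and releases published after this advisory are not modelled.

```python
import io
import re
import zipfile
from pathlib import Path

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def is_affected(version):
    """CVE-2021-44228 range per the advisory: 2.0-beta9 to 2.14.1, excluding 2.12.2."""
    if version in ("2.0-beta9", "2.0-rc1", "2.0-rc2"):
        return True
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False  # unrecognised version string: review by hand
    v = tuple(int(g or 0) for g in m.groups())
    return (2, 0, 0) <= v <= (2, 14, 1) and v != (2, 12, 2)

def scan_archive(data, label, depth=0):
    """Return [(location, version, affected)] for log4j-core found in archive bytes."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = sorted(zf.namelist())
            if POM in names:  # Maven metadata; still present if the JAR file is renamed
                m = re.search(r"^version=(.+)$", zf.read(POM).decode("utf-8", "replace"), re.M)
                version = m.group(1).strip() if m else "unknown"
                found.append((label, version, is_affected(version)))
            for name in names:  # WAR/EAR/fat JARs carry the library as a nested archive
                if depth < 4 and name.lower().endswith(ARCHIVES):
                    found += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1)
    except zipfile.BadZipFile:
        pass  # not a readable archive; keep whatever was found so far
    return found

def scan_tree(root):
    """Scan every archive file under a directory tree."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            found += scan_archive(path.read_bytes(), str(path))
    return found

def make_zip(members):  # constructed sample input: {name: bytes} -> archive bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Call `scan_tree` on an installation directory such as a Tomcat `webapps` folder; each result gives the location (with `!/` marking nesting inside an archive), the version read, and whether it falls in the affected range.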

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
