[Announcement] New Log4j Vulnerability (CVE-2021-45105) – Log4j 2.17.0

CVE-2021-45105, a further vulnerability that is present in Log4j 2.16.0, was disclosed on December 18th, 2021 (CVSS 7.5).

1. Vulnerable Versions

Log4j 2.0-beta9 to 2.16.0

2. Vulnerability Exploitation Technique

The vulnerability can be exploited when an application that uses Log4j references Thread Context values in its layout pattern and stores externally supplied input in the Thread Context. The vulnerable environment and the technique for exploiting it are shown below.

1) Vulnerable Environment

[Settings]

The application looks up Thread Context values in the layout pattern.

[Part of log4j2.properties settings]

appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = !${ctx:loginId}! %m%n
rootLogger.level = ALL
rootLogger.appenderRef.file.ref = console


[Source Code]

The application stores externally supplied input in the Thread Context key that the layout pattern references.

[Part of application source code]

// Externally supplied input is stored under the key the layout pattern looks up (${ctx:loginId}); the value itself contains a nested lookup.
ThreadContext.put("loginId", "${::-${ctx:loginId}}");
// Logging any event now evaluates the lookup while the pattern is rendered.
logger.error("Test");

2) Vulnerability Exploitation

When the attacker sends a request whose X-Api-Version header contains a specially crafted string to the server, Log4j raises a StackOverflowError while writing the log and the process can be terminated.
# curl server -H 'X-Api-Version: ${${::-${::-$${::-$}}}}'

3. Impact of Vulnerability

This DoS (Denial of Service) vulnerability in Log4j can cause service failures, but it can only be exploited when the environment described in the exploitation technique above is configured.
Applications that use only the log4j-api-*.jar file, and not log4j-core-*.jar, are not affected.

4. Vulnerability Patch

The Log4j 2.17.0 patch was provided on December 18th, 2021.

Log4j 2.17.0 or above (Java 8 or above)
https://logging.apache.org/log4j/2.x/download.html

* Java 7 version: To be released

5. Mitigating Vulnerability

If the vulnerability patch cannot be applied, the temporary measure shown below should be taken.
– In PatternLayout, remove Context Lookups such as ${ctx:loginId} or $${ctx:loginId}, or replace them with Thread Context Map patterns (%X, %mdc, or %MDC).
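The following script is an added example (written for this page, not AhnLab's or the Log4j project's code) that covers the vulnerable environment in section 2 and the mitigation in section 5. It scans Log4j 2 configuration text for Thread Context lookups (${ctx:key} or $${ctx:key}) inside layout patterns, rewrites them to the equivalent %X{key} conversion pattern, and checks log4j-core jar file names against the fixed version 2.17.0. The regular expressions are assumptions that handle the common properties and XML layouts; they are not Log4j's own configuration parser, and the sample configurations are constructed for this example.

```python
import re

# Thread Context lookup inside a layout pattern: ${ctx:key}, $${ctx:key},
# optionally with a default value, e.g. ${ctx:key:-anon}.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)(?::-[^}]*)?\}")

# Where layout patterns live in the two common formats (assumed regexes, not Log4j's parser):
# properties keys ending in ".layout.pattern", the pattern="" attribute of <PatternLayout>,
# and a <Pattern> child element.
PROPS_PATTERN = re.compile(r"^(?P<key>[\w.\-]+\.layout\.pattern)\s*=\s*(?P<val>.*)$", re.M)
XML_ATTR_PATTERN = re.compile(r'(<PatternLayout\b[^>]*\bpattern=")(?P<val>[^"]*)(")', re.I)
XML_ELEM_PATTERN = re.compile(r"(<Pattern>)(?P<val>[^<]*)(</Pattern>)", re.I)

# Jar name of the vulnerable artifact; only log4j-core is affected, not log4j-api.
JAR_NAME = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$")
FIXED_VERSION = (2, 17, 0)


def find_ctx_lookups(pattern):
    """Return the Thread Context keys a layout pattern looks up."""
    return CTX_LOOKUP.findall(pattern)


def harden_pattern(pattern):
    """Replace each context lookup with %X{key}, which reads the value without interpolating it."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def audit_config(text):
    """List (original_pattern, hardened_pattern, keys) for every pattern containing a ctx lookup."""
    findings = []
    for regex in (PROPS_PATTERN, XML_ATTR_PATTERN, XML_ELEM_PATTERN):
        for m in regex.finditer(text):
            val = m.group("val").strip()
            keys = find_ctx_lookups(val)
            if keys:
                findings.append((val, harden_pattern(val), keys))
    return findings


def harden_config(text):
    """Return the configuration text with every context lookup rewritten to %X{key}."""
    text = PROPS_PATTERN.sub(
        lambda m: f"{m.group('key')} = {harden_pattern(m.group('val').strip())}", text)
    for regex in (XML_ATTR_PATTERN, XML_ELEM_PATTERN):
        text = regex.sub(lambda m: m.group(1) + harden_pattern(m.group("val")) + m.group(3), text)
    return text


def jar_needs_update(path):
    """True if the path names a log4j-core jar older than 2.17.0, False if patched, None if not log4j-core."""
    m = JAR_NAME.search(path)
    if not m:
        return None
    major, minor, patch = m.groups()
    version = (int(major), int(minor), int(patch or 0))  # "2.0-beta9" parses as (2, 0, 0)
    return version < FIXED_VERSION


# Constructed sample configurations mirroring the vulnerable settings above.
SAMPLE_PROPERTIES = """appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = !${ctx:loginId}! %m%n
rootLogger.level = ALL
rootLogger.appenderRef.file.ref = console
"""

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <Appenders>
    <Console name="console">
      <PatternLayout pattern="!${ctx:loginId}! %m%n"/>
    </Console>
  </Appenders>
</Configuration>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PROPERTIES, SAMPLE_XML):
        for original, hardened, keys in audit_config(sample):
            print(f"context lookup of {keys} in pattern: {original}")
            print(f"  suggested replacement: {hardened}")
    for jar in ("lib/log4j-core-2.16.0.jar", "lib/log4j-core-2.17.0.jar", "lib/log4j-api-2.16.0.jar"):
        print(jar, "needs update:", jar_needs_update(jar))
```

Run it against the configuration files and jar paths of an application to list the layout patterns that still perform context lookups and the log4j-core jars below 2.17.0; the %X{key} form emits the stored value verbatim, so the mitigation removes the recursive lookup without losing the login ID from the log line.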


6. Reference Information

[1] CVE-2021-45105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105

[2] Apache Log4j Security Vulnerabilities
https://logging.apache.org/log4j/2.x/security.html

[3] Log4j_dos_CVE-2021-45105
https://github.com/cckuailong/Log4j_dos_CVE-2021-45105

[4] Denial of Service (DoS) Affecting org.apache.logging.log4j:log4j-core package, versions [2.0-alpha1,2.17.0)
https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
