[Notice] Log4j Affected by Apache Log4j Vulnerability CVE-2021-44228

AhnLab recommends applying security updates for the Apache Log4j vulnerabilities.

Apache Log4j Vulnerability Information

Vulnerability

  • CVE-2021-44228 (CVSS 10.0): a vulnerability in Log4j 2.x that allows an attacker to execute code remotely via a log message [1]
  • CVE-2021-45046 (CVSS 3.7): a vulnerability in Log4j 2.x that allows an attacker to cause a denial of service via a log message [2]
  • CVE-2021-4104: a vulnerability in Log4j 1.2.x that allows an attacker to execute code remotely via a log message [3]

Versions Affected by Vulnerability

  • CVE-2021-44228 – Apache Log4j 2.0-beta9 to 2.14.1 (excluding Log4j 2.12.2)
  • CVE-2021-45046 – Apache Log4j 2.0-beta9 to 2.12 and 2.15.0
  • CVE-2021-4104 – Apache Log4j 1.2.x

(Note) CVE-2021-45046 applies when a Context Lookup or Thread Context Lookup pattern is used in the Pattern Layout in Log4j 2.x
(Note) CVE-2021-4104 applies when the JMSAppender feature is used in Log4j 1.2.x

An immediate update is required for CVE-2021-44228, which is the most critical (CVSS 10.0). Users are advised to check whether the systems they operate contain vulnerable Log4j Core libraries. The advisory lists, by MD5 hash, the files of each Log4j-Core version affected by CVE-2021-44228. The hash for a given version may differ if the Log4j source code was built manually in an individual environment.

Reference [1] https://archive.apache.org/dist/logging/log4j/
Reference [2] https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/

As Log4j is a common open-source logging library for writing logs in Java-based environments, it is used by the majority of users. Yet according to research by the ASEC analysis team on client environments, a number of users still run the vulnerable Log4j Core without the security update, despite the critical security vulnerability. These include externally accessible servers as well as application and framework environments used by individuals.

  • C:\ghidra\Ghidra\Framework\Generic\lib\log4j-core-2.12.1.jar
  • C:\Users\<user name>\AppData\Roaming\.minecraft\libraries\org\apache\logging\log4j\log4j-core\2.14.1\log4j-core-2.14.1.jar
  • C:\eGovFrame-3.6.0\maven\repository\org\apache\logging\log4j\log4j-core\2.1\log4j-core-2.1.jar
  • C:\Apache Software Foundation\Tomcat 8.5\webapps\ROOT_210928\WEB-INF\lib\log4j-core-2.8.2.jar
  • D:\<*****>_erp_server\<***>ERP_<*****>\webapps\ROOT\WEB-INF\lib\log4j-core-2.10.0.jar
  • C:\Users\USER\AppData\Local\MapTool\app\log4j-core-2.13.0.jar
  • C:\<user name>\Teamcenter13\tccs\third_party\TcSS\TcSS13.3\jars\log4j-core-2.14.0.jar
  • \\<Private Server>\..\..\..\…\<***>project\workspace\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\wtpwebapps\<***>project\WEB-INF\lib\log4j-core-2.11.2.jar
  • \Users\<user name>\eclipse-server\<*********>\WebContent\WEB-INF\lib\log4j-core-2.11.1.jar

Users should check whether the applications or frameworks they use include vulnerable Log4j Core libraries. If a vulnerable version is found, users are advised to apply the security update.
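One way to carry out this check, as an added example that is not AhnLab's or Apache's code: because hashes differ for manually built JARs, it matches on the version in the `log4j-core-<version>.jar` file name and also looks inside WAR/EAR/JAR archives for bundled copies such as those under `WEB-INF\lib`. The function names are hypothetical, the affected range for CVE-2021-44228 is the one stated on this page, and a JAR that has been renamed will not be found.

```python
import io
import os
import re
import zipfile

# log4j-core-<version>.jar, e.g. log4j-core-2.0-beta9.jar or log4j-core-2.14.1.jar
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a release sorts after its pre-releases
ARCHIVES = (".war", ".ear", ".jar")

def version_key(name):
    """Return a sortable key for a log4j-core JAR path or name, or None if it is not one."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.match(base)
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    rank = PRE_RANK[tag.lower() if tag else None]
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))

# Range as stated on this page: 2.0-beta9 to 2.14.1, excluding 2.12.2
LOW = (2, 0, 0, PRE_RANK["beta"], 9)
HIGH = (2, 14, 1, PRE_RANK[None], 0)
EXCLUDED = {(2, 12, 2, PRE_RANK[None], 0)}

def affected_by_cve_2021_44228(name):
    key = version_key(name)
    return key is not None and LOW <= key <= HIGH and key not in EXCLUDED

def scan_archive(src, label, hits, depth=0):
    """Search a WAR/EAR/JAR (path or file object) for bundled affected JARs."""
    try:
        with zipfile.ZipFile(src) as zf:
            for entry in zf.namelist():
                if affected_by_cve_2021_44228(entry):
                    hits.append(f"{label}!{entry}")
                elif depth < 3 and entry.lower().endswith(ARCHIVES):
                    nested = io.BytesIO(zf.read(entry))
                    scan_archive(nested, f"{label}!{entry}", hits, depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not an archive: nothing to report for this file

def scan_tree(root):
    """Walk root and return affected log4j-core JARs found on disk or inside archives."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if affected_by_cve_2021_44228(fname):
                hits.append(path)
            elif fname.lower().endswith(ARCHIVES):
                scan_archive(path, path, hits)
    return hits
```

Calling `scan_tree` on an installation directory returns one entry per affected file; bundled copies are reported as `<archive path>!<entry name>`.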

The post [Notice] Log4j Affected by Apache Log4j Vulnerability CVE-2021-44228 appeared first on ASEC BLOG.