Critical – Vulnerability for Log4j, CVE-2021-44228, Log4Shell
Date of Notice: 12/10/2021
Action Level - Critical
Description
As part of our Edgeguard service, MCNC would like to make you aware of a new threat affecting the Java logging utility Log4j. It is being tracked as CVE-2021-44228; see the Apache documentation for details.
In all Log4j versions >= 2.0-beta9 and <= 2.14.1, JNDI features used in configuration, log messages, and parameters can be exploited by an attacker to achieve remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Due to the widespread usage of this utility, it is safe to assume that most devices and services are affected. This was originally discovered as a Minecraft exploit but also affects gaming services such as Steam, websites like Apple, Amazon, and Twitter, as well as services such as Apache Struts, Apache Druid, and ElasticSearch.
Affected Devices
- There is no definitive list of affected devices. Verify which network-connected devices and services you have and monitor those vendors for further security alerts and possible patches.
- While this vulnerability affects Log4j, it is possible that a given vendor implementation may not be vulnerable.
Attack Vector
Any attacker with network access that can pass text to the given device could potentially exploit this vulnerability.
Attack Feasibility
Proofs of concept and live testing are occurring. Security researchers are reporting attacks on their honeypots.
Mitigations
The only way to mitigate a device that you have determined to be vulnerable is to remove network access until patches become available.
If you are maintaining your own Log4j service, you can use the following:
- Add -Dlog4j2.formatMsgNoLookups=true to your JVM args
- log4j2.formatMsgNoLookups=True
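One way to find out which of your own Java deployments bundle a log4j-core build in the version range named above, as an added example that is not part of this notice: it reads the version from the jar's Maven metadata, recurses into nested archives such as WARs, and also reports whether the JndiLookup class (the class that performs the JNDI lookups) is still present. The affected range is the one stated in this notice, the path constants follow Log4j's published jar layout, and the build_jar helper only constructs test input.

```python
import io, re, zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class that performs JNDI lookups
ARCHIVES = (".jar", ".war", ".ear", ".zip")
PRE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags in release order; a final release ranks 3

def parse_version(text):
    # '2.0-beta9' -> (2, 0, 0, 1, 9); '2.14.1' -> (2, 14, 1, 3, 0); pre-releases sort before finals.
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", text.strip())
    if m:  # anything else (e.g. '${project.version}') is unparseable and yields None
        major, minor, patch, tag, num = m.groups()
        return (int(major), int(minor), int(patch or 0), 3 if tag is None else PRE.get(tag.lower(), 3), int(num or 0))

LOW, HIGH = parse_version("2.0-beta9"), parse_version("2.14.1")  # the bounds this notice states

def in_affected_range(version):
    return (t := parse_version(version)) is not None and LOW <= t <= HIGH

def scan_archive(data, label):
    """Report each log4j-core in this archive, recursing into nested jars/wars (e.g. WEB-INF/lib)."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = set(zf.namelist())
    props = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines() if POM_PROPS in names else []
    version = next((p.split("=", 1)[1].strip() for p in props if p.startswith("version=")), None)
    has_jndi = JNDI_LOOKUP in names  # unknown version with the class present is flagged (conservative)
    if version or has_jndi:
        findings.append({"path": label, "version": version, "jndi_lookup_present": has_jndi,
                         "affected": has_jndi and (version is None or in_affected_range(version))})
    for inner in sorted(names):
        if inner.lower().endswith(ARCHIVES):
            findings.extend(scan_archive(zf.read(inner), f"{label}!{inner}"))
    return findings

def build_jar(version, with_jndi=True, wrap_in=None):
    """Constructed, minimal log4j-core-like jar for testing (not a real artifact); optionally nested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # only presence matters to the scanner
    if wrap_in is None:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(wrap_in, buf.getvalue())
    return outer.getvalue()
```

To scan a host, call scan_archive on the bytes of every file ending in one of ARCHIVES under your application directories; a finding with "affected" true is a build to isolate or patch as described above.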
Remediation
Monitor vendor web pages and patch immediately when possible.