12.17.2021

Critical – Vulnerability for Log4j, CVE-2021-44228, Log4Shell, Update #2

Alert
  • facebook share link
  • twitter share link
  • linkedin share link
  • mail share link

Date of Notice: 12/17/2021

Action Level - Critical

Description

MCNC would like to update you on the threat affecting the Java logging utility Log4j. This is being tracked as CVE-2021-44228. Apache documentation here. As new information becomes available, Apache has continued to update their recommendations, and some mitigations that were previously reported are now known to be ineffective. Additionally, the 2.15.0 release included some vulnerabilities, and 2.16.0 release is now the recommended version. 

Updated information

  • Previous updates included a mitigation by setting log4j2.formatMsgNoLookups to True.This is now known to be ineffective and is no longer advised.
  • Log4j 2.15.0 was found to still be vulnerable to several exploits and should be updated to 2.16.0
  • Due to the updated fix released in 2.16.0, vendors may be releasing updated patches for devices or software that have already been declared as fixed or not vulnerable. It is recommended to watch for relevant vendor updates even if you have previously determined your devices are not vulnerable.

Affected Devices

While no exhaustive list has been collected, the following page contains known tested software and its vulnerability status. Even if a given device isn’t on this page, assume it is vulnerable until proven otherwise.

Attack Vector

Any attacker with network access that can pass text to the given device can exploit this vulnerability. This could be an external bad actor interacting with public facing devices or an internal bad actor interacting with any device they have network access to.

Attack Feasibility

This vulnerability is actively being exploited.

Mitigations

  • Various A/V and WAF vendors are beginning to roll out detections of these attacks.
  • In any Log4j release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Ensure all devices are patched to their most current version.

Remediation

For Apache Log4j installations, update to release 2.16.0 (for Java 8) or 2.12.2 (for Java 7). If updating is not an option, follow the mitigation steps to remove the JndiLookup class.

The following GitHub page has direct links to various vendor updates.

Collected Resources

This site also includes additional information on impacted and non-impacted vendors as well.

MCNC
PO Box 12889
3021 East Cornwallis Road
RTP, NC 27709-2889
919-248-1900 Phone | 919-248-1101 Fax
Connect With Us
  • linkedin
  • instagram
  • x
  • facebook
  • youtube
© 2024 MCNC