15/12/2021 – Update
As our threat researchers continue to monitor the Log4jJ vulnerabilities new information and guidance will be surfaced, including the new CVE, CVE-2021-45046. This CVE deals with the remaining security vulnerabilities that were not patched in Log4J 2.15.0 to address CVE-2021-44228. CVE-2021-45046 has a CVSS base score of 3.7, which is less serious than the CVSS score of 10 in the original vulnerability CVE-2021-44228, however, there is still a risk of denial of service from this latest vulnerability.
The affected Apache Log4J software is used by many software vendors in their products, and by extension many applications may require updating in order patch the Log4J vulnerability. The security community is still working to identify all affected products. The Cybersecurity & Infrastructure Security Agency (CISA) are collating a list of known affected vendors and software which can be found here GitHub – cisagov/log4j-affected-db. This list is being constantly updated.
The latest advice for mitigation steps from the Transparity SOC is provided from the most up-to-date information from Apache, which can be found here Log4j – Apache Log4j Security Vulnerabilities.
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
Mitigation for CVE-2021-45046 and CVE-2021-44228
Transparity’s advice is to lead with patching:
If you are currently running Java 7, an impending patch, 2.12.2 is being worked on and should be available soon. However, the Transparity SOC would recommend upgrading to Java 8 where possible.
(Log4j – Apache Log4j Security Vulnerabilities)
Apache do advise as a last resort, where patching is not possible, that the JndiLookup class is removed from classpaths where possible:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
| Transparity Managed Security Service customers are being proactively reviewed and remediated as information on this vulnerability is released and additional mitigations are identified. All other customers should contact the Transparity Service Desk or their Account Manager if they require assistance or advice on remedial steps in order that we can work with you to define your requirements and a suitable action plan.
On the 9th of December 2021, a remote code execution (RCE) vulnerability in Apache logLj 2 was identified as being exploited in the wild. The vulnerability tracked as CVE-2021-44228 and referred to as “Log4Shell,” affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1. Log4j 2 is a Java-based logging library that is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications.
Because the discovery of this exploit is so recent, many servers – both on-premises and within Cloud environments – have not been patched yet. We highly recommend that organisations upgrade to the latest version (2.150-rc2) of Apache logL4j 2 for all systems. CVE-2021-44228 is considered a critical flaw, and it has a base CVSS score of 10 – the highest possible severity rating.
Some of the software currently known to be affected:
Microsoft have posted an article with a workaround:
Basic Update Steps:
The below steps are simplified and intended as a generic guide, each application may vary, please ensure backups are taken prior to updating where testing has not been carried out.