Updated: Dec 18, 2021

Summary

On Dec. 9, 2021, a remote code execution (RCE) vulnerability CVE-2021-44228 in Apache log4j 2 was identified, and attackers are already actively exploiting this vulnerability. On Dec. 14, 2021, a second vulnerability CVE-2021-45046 was announced and fixed in log4j v2.16.0 and v2.12.2. A third vulnerability CVE-2021-450105 was announced and fixed in log4j v2.17.0.

Netsurion’s EventTracker v9 core code does not use the Apache log4j library. Our analysis shows no components of EventTracker v9.3 are affected by this vulnerability. 

Note: EventTracker v9.3 incorporates ElasticSearch v7.2.1. A scan of the installation will show Program Files\Elasticsearch-7.2.1\lib\log4j-core-2.11.1.jar, which may be considered vulnerable. However, this is not exploitable and does not require urgent remediation.

  • Elastic confirms in this announcement which says "Elasticsearch 6 and 7 are not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager"
  • The implementation of Elasticsearch is bound to localhost (127.0.0.1) only and is not directly accessible from another machine
  • We have tested and confirmed the above statement from Elastic

Netsurion’s proprietary BranchSDO CXD platform also does not use Apache log4j and is therefore unaffected. However, other third-party hardware managed by Netsurion may be potentially impacted. We are awaiting full analysis by each respective vendor and will address any potential vulnerabilities as they are identified.

More information:
https://logging.apache.org/log4j/2.x/security.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-45105

The Log4j Vulnerability Explained, How to Assess your Risk and Mitigation Steps

A.N. Ananth, President and Chief Strategy Officer, explains the background, context and consequences of this exploit, and the appropriate steps to defend against it.

Watch the Video

Update on Log4j Vulnerability - Dec 18, 2021

Updated information on mitigation techniques.

Watch the Video

Update on Log4j Vulnerability - Dec 17, 2021

Updated information on mitigation techniques.

Watch the Video

Detecting Log4j Vulnerability with Netsurion's Managed Threat Protection service

A.N. Ananth, President and Chief Strategy Officer, demonstrates how the Netsurion Managed Threat Protection service predicts, prevents, and detects attacks on vulnerable log4j instances in your monitored network.

Watch the Video

Background

Apache log4j 2 is an open-source Java-based logging framework that is leveraged within numerous Java applications. The Apache log4j library allows for developers to log various data within their application. In certain circumstances, the data being logged originates from user input. Should this user input contain special characters and be subsequently logged within the context of log4j, the Java method lookup will finally be called to execute the user-defined remote Java class in the Lightweight Directory Access Protocol (LDAP) server. This will in turn lead to RCE on the victim’s server that uses the vulnerable log4j 2 instance.

Public Proof of Concept (PoC) code was released, and subsequent investigation revealed that exploitation was easy to perform. By submitting a specially crafted request to a vulnerable system, depending on how the system is configured, an attacker is able to instruct the system to download and execute a malicious payload. Due to the discovery of this exploit being so recent, there are still many servers, both on-premises and within cloud environments, that have yet to be patched. Like many high severity RCE exploits, thus far, massive scanning activity for CVE-2021-44228 has begun on the internet with the intent of seeking out and exploiting unpatched systems.

Affected version

Apache Log4j 2.x <= 2.15.0-rc1

Available updates

Apache has released 2.17.0 (for Java8 and up) which address CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

Conclusion

The CVE-2021-44228 vulnerability is still being actively investigated in order to properly identify the full scope severity. Given the information currently available, this vulnerability may have a high impact at present and in the near future. Most of the applications affected are widely used in corporate networks. Users are encouraged to take all necessary steps to ensure they are protected against this vulnerability.