Executive Summary

Summary
Title: Apache Log4j allows insecure JNDI lookups

Information
Name: VU#930724
First vendor publication: 2021-12-15
Vendor: VU-CERT
Last vendor modification: 2022-02-07
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Overall CVSS score: 10
Base score: 10
Environmental score: 10
Impact sub score: 6
Temporal score: 10
Exploitability sub score: 3.9

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality impact: High
Integrity impact: High
Availability impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 9.3
CVSS impact score: 10
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Overview

Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j.

CISA has published Apache Log4j Vulnerability Guidance and provides a Software List.

Description

The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can be exploited to exfiltrate data or execute arbitrary code via remote services such as LDAP, RMI, and DNS.

This vulnerability note includes information about the following related vulnerabilities.

  • CVE-2021-44228 tracks the initial JNDI injection and RCE vulnerability in Log4j 2. This vulnerability poses considerably more risk than the others.

  • CVE-2021-4104 tracks a very similar vulnerability that affects Log4j 1 if JMSAppender and malicious connections have been configured.

  • CVE-2021-45046 tracks an incomplete fix for CVE-2021-44228 affecting Log4j 2.15.0 when an attacker has "...control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern."

We provide tools to scan for vulnerable jar files.

More information is available from the Apache Log4j Security Vulnerabilities page, including these highlights.

Certain conditions must be met to make Log4j 1.x vulnerable:

Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

Log4j API code alone is not affected:

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Impact

A remote, unauthenticated attacker with the ability to log specially crafted messages can cause Log4j to connect to a service controlled by the attacker to download and execute arbitrary code.

Solution

In Log4j 2.12.2 (for Java 7) and 2.16.0 (for Java 8 or later) the message lookups feature has been completely removed. In addition, JNDI is disabled by default and other default configuration settings are modified to mitigate CVE-2021-44228 and CVE-2021-45046.

For Log4j 1, remove the JMSAppender class or do not configure it. Log4j 1 is not supported and likely contains unfixed bugs and vulnerabilities (such as CVE-2019-17571).

For applications, services, and systems that use Log4j, consult the appropriate vendor or provider. See the CISA Log4j Software List and the Vendor Information section below.

Workarounds

Remove the JndiLookup class from the classpath, for example:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

As analysis has progressed, certain mitigations have been found to be less effective or incomplete. See "Older (discredited) mitigation measures" on the Apache Log4j Security Vulnerabilities page.

SLF4J also recommends write-protecting Log4j configuration files.
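As an added example (not part of the CERT/CC note, and not one of the scanning tools it refers to), the following Python script inspects jar and war archives for log4j-core, reads the version from the Maven pom.properties entry, and reports whether JndiLookup.class is still present, so a copy patched with the zip -d workaround above shows as "mitigated" while an unpatched 2.x jar shows as "vulnerable". The fixed-version thresholds are the ones the Solution section states (2.12.2 for the Java 7 line, 2.16.0 otherwise); every other version with the class present is treated conservatively as unfixed. Nested archives (a jar under WEB-INF/lib in a war, a fat jar) are followed to a fixed depth. The sample archives the script builds are constructed in-memory stand-ins, not real Log4j artifacts.

```python
# Added example: scan JAR/WAR archives for log4j-core and report whether
# JndiLookup.class is present. Version thresholds follow the vulnerability
# note (2.12.2 for Java 7, 2.16.0 for Java 8+); anything else that still
# ships JndiLookup.class is reported as vulnerable.
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3  # stop following archives-in-archives past this depth


def version_is_fixed(version: str) -> bool:
    """True if this log4j-core version has message lookups removed (per the note)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return False
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major != 2:
        return major > 2
    if minor == 12:          # Java 7 line: fixed in 2.12.2
        return patch >= 2
    return minor >= 16       # Java 8+ line: fixed in 2.16.0


@dataclass
class Finding:
    location: str            # archive path; nested entries joined with "!"
    version: Optional[str]   # from pom.properties, None if the entry is absent
    jndi_lookup_present: bool

    @property
    def status(self) -> str:
        if self.version and version_is_fixed(self.version):
            return "fixed"
        if not self.jndi_lookup_present:
            return "mitigated"   # class removed, e.g. by the zip -d workaround
        return "vulnerable"


def scan_archive_bytes(data: bytes, location: str, depth: int = 0) -> List[Finding]:
    """Inspect one archive, and the archives nested inside it, for log4j-core."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings          # not a zip container at all; nothing to report
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        present = JNDI_LOOKUP in names
        if present or version is not None:
            findings.append(Finding(location, version, present))
        if depth < MAX_DEPTH:
            for name in names:
                if name.lower().endswith(NESTED):
                    findings.extend(scan_archive_bytes(
                        zf.read(name), f"{location}!{name}", depth + 1))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan an archive on disk; the location in each finding starts with its path."""
    with open(path, "rb") as fh:
        return scan_archive_bytes(fh.read(), path)


def build_sample_jar(version: str, with_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar (sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_sample_war(inner_jar: bytes) -> bytes:
    """Constructed WAR bundling a jar under WEB-INF/lib, as web applications do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "app-vulnerable.jar": build_sample_jar("2.14.1", True),
        "app-mitigated.jar": build_sample_jar("2.14.1", False),
        "app-fixed.jar": build_sample_jar("2.16.0", True),
        "webapp.war": build_sample_war(build_sample_jar("2.14.1", True)),
    }
    for name, data in samples.items():
        for f in scan_archive_bytes(data, name):
            print(f"{f.status:10s} {f.location} (version {f.version})")
```

Point scan_file at each archive a deployment ships (application jars, WAR/EAR files, agent bundles) and treat any "vulnerable" line as a jar to upgrade or to strip with the zip -d command above; note that the workaround must be applied to every copy, including those nested inside other archives, which is why the scanner recurses. Two limits are worth knowing: a 2.16.0 jar still contains JndiLookup.class and is reported "fixed" purely on version, and a build that has shaded log4j-core into a different package name will not match the fixed class path and so will not be found by this check.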

Acknowledgements

Apache credits Chen Zhaojun of Alibaba Cloud Security Team for reporting CVE-2021-44228 and CVE-2021-4104 and Kai Mindermann of iC Consult for CVE-2021-45046.

Much of the content of this vulnerability note is derived from Apache Log4j Security Vulnerabilities and http://slf4j.org/log4shell.html.

This document was written by Art Manion.

Original Source

Url : https://kb.cert.org/vuls/id/930724

CWE : Common Weakness Enumeration

Share  Id       Name
43 %   CWE-502  Deserialization of Untrusted Data
29 %   CWE-20   Improper Input Validation
14 %   CWE-674  Uncontrolled Recursion
14 %   CWE-400  Uncontrolled Resource Consumption ('Resource Exhaustion')

CPE : Common Platform Enumeration

Type / Description / Count: the product descriptions were not captured in this copy of the table; it listed 279 Application rows, 1 Hardware row and 13 OS rows of affected CPE entries.

SAINT Exploits

Description: Apache Log4j JNDI message lookup vulnerability

Snort® IPS/IDS

Date: 2020-04-21
Description: Apache Log4j SocketServer insecure deserialization remote code execution attempt
Rule ID: 53475 - Revision: 1 - Type: SERVER-OTHER
Note that this rule is dated more than a year before the JNDI lookup disclosure and covers the separate SocketServer deserialization issue; it is not a signature for the CVE-2021-44228 message lookup described in this note.

Alert History

Date / Information
2022-02-07 17:17:44
  • Multiple Updates
2022-01-26 21:17:43
  • Multiple Updates
2022-01-24 17:17:46
  • Multiple Updates
2022-01-21 17:17:45
  • Multiple Updates
2022-01-19 21:17:47
  • Multiple Updates
2022-01-18 17:17:40
  • Multiple Updates
2022-01-14 17:17:43
  • Multiple Updates
2022-01-13 17:17:57
  • Multiple Updates
2022-01-12 17:17:54
  • Multiple Updates
2022-01-11 17:17:45
  • Multiple Updates
2022-01-10 17:17:47
  • Multiple Updates
2022-01-07 17:17:43
  • Multiple Updates
2022-01-04 17:17:41
  • Multiple Updates
2021-12-24 05:17:43
  • Multiple Updates
2021-12-22 17:17:43
  • Multiple Updates
2021-12-22 00:17:45
  • Multiple Updates
2021-12-21 17:17:45
  • Multiple Updates
2021-12-20 21:29:01
  • Multiple Updates
2021-12-20 21:17:42
  • Multiple Updates
2021-12-20 17:29:06
  • Multiple Updates
2021-12-20 17:17:42
  • Multiple Updates
2021-12-18 05:17:43
  • Multiple Updates
2021-12-17 17:17:41
  • Multiple Updates
2021-12-16 21:17:42
  • Multiple Updates
2021-12-15 05:17:41
  • First insertion