Executive Summary

Summary | |
---|---|
Title | Apache Log4j allows insecure JNDI lookups |

Information | | | |
---|---|---|---|
Name | VU#930724 | First vendor Publication | 2021-12-15 |
Vendor | VU-CERT | Last vendor Modification | 2022-02-07 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | | | |
---|---|---|---|
Overall CVSS Score | 10 | | |
Base Score | 10 | Environmental Score | 10 |
Impact Sub Score | 6 | Temporal Score | 10 |
Exploitability Sub Score | 3.9 | | |
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | None | User Interaction | None |
Scope | Changed | Confidentiality Impact | High |
Integrity Impact | High | Availability Impact | High |
Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | | | |
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail

Overview

Apache Log4j allows insecure JNDI lookups that could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the vulnerable Java application using Log4j. CISA has published Apache Log4j Vulnerability Guidance and provides a Software List.

Description

The default configuration of Apache Log4j supports JNDI (Java Naming and Directory Interface) lookups that can be exploited to exfiltrate data or execute arbitrary code via remote services such as LDAP, RMI, and DNS. This vulnerability note includes information about the following related vulnerabilities.

We provide tools to scan for vulnerable jar files. More information is available from the Apache Log4j Security Vulnerabilities page, including these highlights. Certain conditions must be met to make Log4j 1.x vulnerable:

Log4j API code alone is not affected:

Impact

A remote, unauthenticated attacker with the ability to log specially crafted messages can cause Log4j to connect to a service controlled by the attacker to download and execute arbitrary code.

Solution

In Log4j 2.12.2 (for Java 7) and 2.16.0 (for Java 8 or later) the message lookups feature has been completely removed. In addition, JNDI is disabled by default and other default configuration settings are modified to mitigate CVE-2021-44228 and CVE-2021-45046. For Log4j 1, remove the JMSAppender class or do not configure it. Log4j 1 is not supported and likely contains unfixed bugs and vulnerabilities (such as CVE-2019-17571). For applications, services, and systems that use Log4j, consult the appropriate vendor or provider. See the CISA Log4j Software List and the Vendor Information section below.

Workarounds

Remove the JndiLookup class from the classpath, for example:

As analysis has progressed, certain mitigations have been found to be less effective or incomplete. See "Older (discredited) mitigation measures" on the Apache Log4j Security Vulnerabilities page. SLF4J also recommends write-protecting Log4j configuration files.

Acknowledgements

Apache credits Chen Zhaojun of Alibaba Cloud Security Team for reporting CVE-2021-44228 and CVE-2021-4104 and Kai Mindermann of iC Consult for CVE-2021-45046. Much of the content of this vulnerability note is derived from Apache Log4j Security Vulnerabilities and http://slf4j.org/log4shell.html. This document was written by Art Manion.
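As an added example (not the note's, CERT/CC's or Apache's own tooling), the following Python scanner checks a jar, including jars nested inside application archives, for the JndiLookup class that the workaround above removes, and produces a copy with that class stripped out. The sample jars it builds are constructed in-memory stand-ins with placeholder class bytes, not real log4j artifacts.

```python
import io
import zipfile

# Class the vulnerability note says to remove from the classpath as a workaround.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def find_class(data: bytes, target: str = JNDI_LOOKUP_CLASS, name: str = "<jar>") -> list:
    """Return 'outer!inner' paths where `target` occurs in the archive bytes,
    descending into nested archives (fat jars, WARs) so bundled copies are found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == target:
                hits.append(f"{name}!{info.filename}")
            elif info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(find_class(zf.read(info), target, f"{name}!{info.filename}"))
    return hits

def strip_jndi_lookup(data: bytes) -> bytes:
    """Return a copy of the archive with JndiLookup.class removed at every
    nesting level (an in-memory equivalent of deleting the entry from the jar)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                continue  # drop the lookup class, keep everything else
            payload = src.read(info)
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                payload = strip_jndi_lookup(payload)  # recurse into bundled jars
            dst.writestr(info.filename, payload)
    return out.getvalue()

def build_sample_jar(include_jndi: bool) -> bytes:
    """Constructed sample (not a real log4j artifact): a tiny fake log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def build_fat_jar(inner: bytes) -> bytes:
    """Constructed sample: an application jar that bundles the fake log4j-core jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-SAMPLE.jar", inner)  # placeholder name
    return buf.getvalue()
```

Run `find_class(open(path, "rb").read(), name=path)` over each archive on a host to list every bundled copy of the class; stripping it is only the workaround the note describes, and the upgrade under Solution remains the fix.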
Original Source

Url : https://kb.cert.org/vuls/id/930724
CWE : Common Weakness Enumeration

% | Id | Name |
---|---|---|
43 % | CWE-502 | Deserialization of Untrusted Data |
29 % | CWE-20 | Improper Input Validation |
14 % | CWE-674 | Uncontrolled Recursion |
14 % | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
CPE : Common Platform Enumeration
SAINT Exploits

Description |
---|
Apache Log4j JNDI message lookup vulnerability |
Snort® IPS/IDS

Date | Description |
---|---|
2020-04-21 | Apache Log4j SocketServer insecure deserialization remote code execution attempt (RuleID : 53475 - Revision : 1 - Type : SERVER-OTHER) |
Alert History

Date | Information |
---|---|
2022-02-07 17:17:44 | |
2022-01-26 21:17:43 | |
2022-01-24 17:17:46 | |
2022-01-21 17:17:45 | |
2022-01-19 21:17:47 | |
2022-01-18 17:17:40 | |
2022-01-14 17:17:43 | |
2022-01-13 17:17:57 | |
2022-01-12 17:17:54 | |
2022-01-11 17:17:45 | |
2022-01-10 17:17:47 | |
2022-01-07 17:17:43 | |
2022-01-04 17:17:41 | |
2021-12-24 05:17:43 | |
2021-12-22 17:17:43 | |
2021-12-22 00:17:45 | |
2021-12-21 17:17:45 | |
2021-12-20 21:29:01 | |
2021-12-20 21:17:42 | |
2021-12-20 17:29:06 | |
2021-12-20 17:17:42 | |
2021-12-18 05:17:43 | |
2021-12-17 17:17:41 | |
2021-12-16 21:17:42 | |
2021-12-15 05:17:41 | |