CVE-2021-44228 Zero-day vulnerability description and mitigations

Summary

A zero-day vulnerability in the Apache Log4j Java logging library was disclosed publicly on December 9, 2021. It is present in Log4j 2 releases from 2.0-beta9 up to and including 2.14.1; 2.15.0 disables the vulnerable behavior by default. An attacker who can control log messages or log message parameters can inject a JNDI lookup pointing at an attacker-controlled LDAP (or other JNDI) endpoint and remotely execute arbitrary code on the server.

note

Versions 1.x of Log4j do not contain the message lookup feature and are not affected by CVE-2021-44228 itself. They are exposed to a related JNDI issue only if a JMSAppender is present in the configuration, and only when the attacker can also modify that configuration.

MITRE description

Apache Log4j2 <= 2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior has been disabled by default. In previous releases (>2.10), this behavior can be mitigated by setting the system property log4j2.formatMsgNoLookups to true, or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).

Who is affected

This vulnerability is exploitable if both of the following hold:

  1. The attacker can reach an endpoint of your application over any protocol (HTTP, TCP, etc.). A public endpoint is the common case, but an internal service that logs data forwarded to it (request headers, usernames, message bodies) is reachable in the same sense.
  2. Some attacker-supplied input from that endpoint ends up in a log message or in a log message parameter, so that the attacker controls text that Log4j formats.

It affects the following versions of Log4j:

  1. Log4j 2 releases from 2.0-beta9 up to and including 2.14.1 (that is, >= 2.0-beta9 and < 2.15.0).
  2. Log4j 1.x only in the presence of a JMSAppender, as noted above.

Mitigation

There are a few possible mitigations depending on your situation.

Upgrade Log4j version

If you are running a Log4j version lower than 2.15.0, upgrade. This is the safest solution, especially for 2.x users, for whom the upgrade is a minor version change (2.15.0 and later require Java 8; Apache published 2.12.2 for applications stuck on Java 7). Upgrade to the latest available 2.x release rather than to exactly 2.15.0: the initial fix was later found to be incomplete and was followed by further releases. Upgrading from 1.x may require more effort, but note that Log4j 1.x reached its end of life on August 5, 2015 and receives no security fixes.

You cannot upgrade Log4j version

Solution 1

If you are using version >=2.10 and <=2.14.1 of Log4j, you can disable message lookups by setting one of the following two values to true. Either must be set for every JVM that loads Log4j on the host, including embedded or sidecar processes, and the process must be restarted for it to take effect:

  1. System property log4j2.formatMsgNoLookups
  2. Environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS

This setting only disables lookups in message text and was later found to be insufficient in some non-default configurations, so treat it as a stop-gap until the upgrade is done.

Solution 2

If you are using version >=2.0-beta9 and <=2.10.0 of Log4j (the same step also works on later 2.x releases), you can remove the JndiLookup class from the log4j-core jar on the JVM's classpath, which removes the vulnerable code path entirely. Do this for every copy of log4j-core on the host, including jars bundled inside application archives (shaded or nested jars), and restart the JVM afterwards. The removal can be done with the following command:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
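
Solutions 1 and 2 both start from the same check: which log4j-core jars are on the host, which version each one is, and whether JndiLookup.class is still inside. Below is an added Python example (not code from the original page or from the Log4j project) that performs that check and applies Solution 2 with the standard library alone, for hosts where the zip tool is not installed. It builds a small constructed stand-in jar with a manifest and a placeholder JndiLookup.class entry (not the real library, whose class file it does not contain), reads Implementation-Version from the manifest, maps the version to the mitigation described on this page, and strips the class by rewriting the archive, since zipfile cannot delete entries in place. The filename pattern log4j-core-*.jar is assumed, matching the zip command above.

```python
import os
import re
import shutil
import tempfile
import zipfile

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-.*\.jar$")          # assumed naming, as in the zip command
VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$")


def find_log4j_jars(root):
    """Walk a directory tree and return every log4j-core jar found in it."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if JAR_NAME.match(f))


def manifest_version(jar):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar) as z:
        text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def classify(version):
    """Map a Log4j version string to the mitigation this page describes."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre = m[4] or ""                                    # e.g. "beta9", "rc1"
    if major == 1:
        return "log4j1-jmsappender-only"               # affected only with a JMSAppender configured
    if (major, minor, patch) >= (2, 15, 0):
        return "not-affected"                          # still upgrade to the latest 2.x
    if (major, minor, patch) == (2, 0, 0) and pre.startswith("beta") \
            and pre[4:].isdigit() and int(pre[4:]) < 9:
        return "pre-beta9"                             # before the affected range starts
    if (major, minor) >= (2, 10):
        return "property-or-remove-jndilookup"         # Solution 1 or Solution 2
    return "remove-jndilookup"                         # Solution 2 only: no property before 2.10


def has_jndi_lookup(jar):
    """True if the vulnerable lookup class is still present in the archive."""
    with zipfile.ZipFile(jar) as z:
        return JNDI_LOOKUP_ENTRY in z.namelist()


def remove_jndi_lookup(jar):
    """Same effect as `zip -q -d <jar> org/.../JndiLookup.class`: copy every other
    entry into a new archive and atomically replace the original.
    Returns True if the class was present and has been removed."""
    if not has_jndi_lookup(jar):
        return False
    tmp = jar + ".tmp"
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_ENTRY:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, jar)
    return True


def build_sample_jar(path, version):
    """Constructed stand-in for log4j-core-<version>.jar (NOT the real library):
    a manifest plus placeholder class entries, enough to exercise the checks."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\n"
                   f"Implementation-Version: {version}\r\n"
                   "Implementation-Title: Apache Log4j Core\r\n\r\n")
        z.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe placeholder")
        z.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe placeholder")


def demo(version="2.10.0"):
    """Build a constructed jar in a temporary tree, locate it, classify it,
    apply Solution 2 and return the before/after state."""
    root = tempfile.mkdtemp()
    try:
        lib = os.path.join(root, "app", "lib")
        os.makedirs(lib)
        build_sample_jar(os.path.join(lib, f"log4j-core-{version}.jar"), version)
        jars = find_log4j_jars(root)
        jar = jars[0]
        found = manifest_version(jar)
        before = has_jndi_lookup(jar)
        removed = remove_jndi_lookup(jar)
        after = has_jndi_lookup(jar)
        with zipfile.ZipFile(jar) as z:
            remaining = sorted(z.namelist())
        return {"jars": len(jars), "version": found, "mitigation": classify(found),
                "jndi_before": before, "removed": removed, "jndi_after": after,
                "remaining": remaining}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

On a real host, point find_log4j_jars() at the application root and run manifest_version() and has_jndi_lookup() against every hit before and after the change; jars nested inside war or ear files have to be unpacked first, and the JVM restarted afterwards. For Solution 1 the equivalent check is that every running JVM was started with -Dlog4j2.formatMsgNoLookups=true or has LOG4J_FORMAT_MSG_NO_LOOKUPS=true in its environment, which is visible in the process command line or environment rather than in the jar.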

Solution 3

Some sources state that Java 8u121 protects against remote code execution because it sets the JVM properties com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase to false by default (the LDAP equivalent, com.sun.jndi.ldap.object.trustURLCodebase, defaults to false from 8u191). These defaults only stop the JVM from loading classes from a remote codebase named in the JNDI response. They do not prevent an attacker from returning a serialized Java object, or a reference to an object factory class that is already present on the application's classpath, so they are not a reliable mitigation on their own. The best mitigation remains upgrading Log4j.
