Log4j Vulnerability Summary and Mitigation

Summary
What is Log4j?
Log4J is a widely used Java library for logging error messages in applications. It is used in enterprise
software applications, including those custom applications developed in-house by businesses, and forms
part of many cloud computing services.

Where is Log4j used?

The Log4j 2 library is used in enterprise Java software and according to the UK's NCSC is included in
Apache frameworks such as Apache Struts2, Apache Solr, Apache Druid, Apache Flink, and Apache Swift.

Which applications are affected by the Log4j flaw?

Because Log4j is so widely used, the vulnerability may impact a very wide range of software and services
from many major vendors. According to NCSC an application is vulnerable "if it consumes untrusted user
input and passes this to a vulnerable version of the Log4j logging library."

Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—
as well as in operational technology products—to log security and performance information. An
unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

On December 9th, 2021, the world was made aware of a new vulnerability identified as CVE-2021-
44228, affecting the Java logging package log4j

This vulnerability earned a severity score of 10.0 (the most critical designation) and offers remote code
trivial remote code execution on hosts engaging with software that utilizes this log4j version.

→ This attack has been dubbed/official name "Log4Shell"

→ Security researchers are notably calling this a “shellshock” vulnerability

Apache Log4j Vulnerability Guidance

CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active,
widespread exploitation of a critical remote code execution (RCE) vulnerability ( CVE-2021-44228) in
Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell."

An adversary can exploit this CVE-2021-44228 by submitting a specially crafted request to a vulnerable
system that causes that system to execute arbitrary code. The request allows the adversary to take full
control over the system. The adversary can then steal information, launch ransomware, or conduct
other malicious activity. 
On December 10, 2021, Apache released Log4j version 2.15.0 in a security update to address the CVE-
2021-44228 vulnerability.

On December 13, 2021, Apache released Log4j version 2.16.0 in a security update to address the CVE-
2021-45046 vulnerability. A remote attacker can exploit this second Log4j vulnerability to cause a denial-
of-service (DOS) condition in certain non-default configurations.

Note: affected organizations that have already upgraded to Log4j 2.15.0 will need to upgrade to Log4j
2.16.0 to be protected against both CVE-2021-44228 and CVE-2021-45046.

In order for these vulnerabilities to be remediated in products and services that use affected versions of
Log4j, the maintainers of those products and services must implement these security updates. Users of
such products and services should refer to the vendors of these products/services for security updates.
Given the severity of the vulnerabilities and the likelihood of an increase in exploitation by sophisticated
cyber threat actors, CISA urges vendors and users to take the following actions. 

 Vendors

(Updated December 15, 2021) Immediately identify, mitigate, and update affected products using Log4j
to version 2.16.0. Note: as stated above, affected organizations will need to upgrade to Log4j 2.16.0 to
be protected against both CVE-2021-44228 and CVE-2021-45046. Inform your end users of products that
contain these vulnerabilities and strongly urge them to prioritize software updates.

 Affected Organizations

In addition to the immediate actions detailed in the box above, review CISA's GitHub repository for a list
of affected vendor information and apply software updates as soon as they are available. See Actions for
Organizations Running Products with Log4j below for additional guidance. Note: CISA has added CVE-
2021-44228 to the Known Exploited Vulnerabilities Catalog, which was created according to Binding
Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities . In
accordance with BOD 22-01, federal civilian executive branch agencies must mitigate CVE-2021-44228
by December 24, 2021. 

Technical Details
The CVE-2021-44228 RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9
to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve
variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI
features—such as message lookup substitution—that "do not protect against adversary-controlled
LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."
  (Updated December 15, 2021) Note: the Apache Log4j version 2.16.0 security update that
address the CVE-2021-45046 vulnerability disables JDNI.

Actions for Organizations Running Products with Log4j

CISA recommends affected entities:

 Determine whether your organization's products with Log4j are vulnerable by following the
chart below, using both verification methods:

https://github.com/cisagov/log4j-affected-db

https://github.com/CERTCC/CVE-2021-44228_scanner

 Review Apache’s Log4j Security Vulnerabilities page for additional information and, if
appropriate, apply the provided workaround:
o In releases >=2.10, this behavior can be mitigated by setting either the system
property log4j2.formatMsgNoLookups or the environment variable
LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
o For releases from 2.7 through 2.14.1 all PatternLayout patterns can be
modified to specify the message converter as %m{nolookups} instead of just
%m.
o For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the
JndiLookup class from the classpath: zip -q -d log4j-core-*.jar
org/apache/logging/log4j/core/lookup/JndiLookup.class.
 Apply available patches immediately.
o Prioritize patching, starting with mission critical systems, internet-facing
systems, and networked servers. Then prioritize patching other affected
information technology and operational technology assets. 
o Until patches are applied, set log4j2.formatMsgNoLookups to true by
adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual
Machine command for starting your application. Note: this may impact the
behavior of a system’s logging if it relies on Lookups for message formatting.
Additionally, this mitigation will only work for versions 2.10 and above. 
o As stated above, BOD 22-01 directs federal civilian agencies to mitigate CVE-
2021-44228 by December 24, 2021, as part of the Known Exploited
Vulnerabilities Catalog.
 Conduct a security review to determine if there is a security concern or compromise.
The log files for any services using affected Log4j versions will contain user-controlled
strings. 
Reference
[01] https://www.zdnet.com/article/log4j-zero-day-flaw-what-you-need-to-know-and-how-to-protect-
yourself/

[02] https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

[03] https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.15.0

[04] https://logging.apache.org/log4j/2.x/security.html#Fixed_in_Log4j_2.16.0

[05] https://github.com/apache/logging-log4j2/releases/tag/rel%2F2.16.0

[06] https://github.com/cisagov/log4j-affected-db#software-list

[07] https://log4shell.huntress.com/

[08] https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java