===========================================================================
              AUSCERT Security Bulletin ASB-2021.0244.6
                  RCE 0-day exploit found in log4j
                            4 January 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           log4j
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-45105 CVE-2021-45046 CVE-2021-44832
                   CVE-2021-44228

Revision History:  January   4 2022: Added additional patch information and CVE to advisory
                   December 20 2021: Added additional patch information and CVE to advisory
                   December 16 2021: Added additional patch information and CVE to advisory
                   December 13 2021: CVE added to advisory and reference URL corrected
                   December 10 2021: Updated Overview and Mitigation details
                   December 10 2021: Initial Release

OVERVIEW

        log4j has been reported to be vulnerable to remote code execution.
        Affected version: 2.0 <= Apache log4j2 <= 2.14.1 [1]

        UPDATE: JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1
        are not affected by the LDAP attack vector. [1]

        Internet-wide scanning for Apache Log4j has been reported. [7]

        UPDATE: All versions of log4j from 2.0-beta9 through 2.12.1 and
        2.13.0 through 2.15.0 are listed as being vulnerable to a new CVE,
        CVE-2021-45046. [5]

        UPDATE: Apache log4j2 versions 2.0-alpha1 through 2.16.0 were found
        vulnerable to a new CVE, CVE-2021-45105. [5]

        UPDATE: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding
        security fix releases 2.3.2 and 2.12.4) were found vulnerable to a
        new CVE, CVE-2021-44832. [5]

IMPACT

        Lunasec has gathered information about PoC code that may cause
        log4j, a popular Java logging package, to execute code. [1]
        Currently no CVE or CVSS has been issued for this vulnerability,
        and the impact/vector provided is guidance.

        Media reports of the vulnerability are circulating. [2][3]

        A patch has been made available [4] in advance of the official
        log4j website. [5]

        UPDATE: CVE-2021-44228 has been assigned to this vulnerability. [5]

        UPDATE: CVE-2021-45046 was also assigned to this vulnerability. It
        has been classified as DOS. [5] There are reports that
        CVE-2021-45046 can also be exploited to exfiltrate data if log4j is
        left at patch level 2.15.0. [9]

        UPDATE: CVE-2021-45105 has been identified, which enables an
        attacker to perform a Denial of Service against the affected
        system. [5]

        UPDATE: CVE-2021-44832 has been identified, which enables an
        attacker with permission to modify the logging configuration to
        achieve Remote Code Execution. [5]

MITIGATION

        The following is suggested as a mitigation step by Lunasec:

        "Start your server with log4j2.formatMsgNoLookups set to true, or
        update to log4j-2.15.0-rc1 or later. (Kudos to @80vul for
        tweeting)" [1]

        Also a patch is available [4] in the absence of the log4j
        website. [5]

        UPDATE: log4j-2.15.0-rc2 is available. [6]

        UPDATE: log4j-2.16.0 is available and is the recommended patch
        level to address both CVEs. [5] [8]

        log4j 2.12.2 (Java 7) and log4j 2.16.0 (Java 8) were released to
        address CVE-2021-45046. [5]

        log4j 2.17.0 (Java 8) was released to address CVE-2021-45105. [5]

        log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) were
        released to address CVE-2021-44832. [5]
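        As an added example (not part of this AusCERT bulletin or of the
        log4j project), the following Python script triages log4j-core jar
        names found on a host against the affected version ranges exactly
        as the bulletin states them above; the regexes, function names and
        the sample jar list are constructed here, and reference [5] remains
        the authoritative source for the ranges.

```python
import re

# Pre-release ordering assumed here: alpha < beta < rc < final release.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")

def parse_version(text):
    """Turn a log4j version such as '2.15.0-rc1' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE_RANK.get(stage, 3), int(num or 0))

# Inclusive ranges copied from the bulletin text, plus the fix releases it names as excluded.
_AFFECTED = {
    "CVE-2021-44228": ([("2.0", "2.14.1")], []),
    "CVE-2021-45046": ([("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")], []),
    "CVE-2021-45105": ([("2.0-alpha1", "2.16.0")], []),
    "CVE-2021-44832": ([("2.0-beta7", "2.17.0")], ["2.3.2", "2.12.4"]),
}

def affected_cves(version):
    """Return the set of bulletin CVEs whose stated range covers `version`."""
    v = parse_version(version)
    hits = set()
    for cve, (ranges, excluded) in _AFFECTED.items():
        if any(v == parse_version(x) for x in excluded):
            continue
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.add(cve)
    return hits

_JAR_RE = re.compile(r"log4j-core-(.+?)\.jar$")

def triage_jar(filename):
    """Map a log4j-core jar name to (version, affected CVEs); None if not log4j-core."""
    m = _JAR_RE.search(filename)
    if not m:
        return None
    return m.group(1), affected_cves(m.group(1))

if __name__ == "__main__":
    # Constructed sample inventory, not a real host listing.
    for jar in ["log4j-core-2.14.1.jar", "log4j-core-2.15.0.jar",
                "log4j-core-2.17.1.jar", "slf4j-api-1.7.30.jar"]:
        print(jar, triage_jar(jar))
```

        A jar that the bulletin's ranges still flag (for example 2.15.0 or
        2.16.0) should be upgraded to the release levels listed in MITIGATION
        rather than relying on the formatMsgNoLookups setting alone.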
REFERENCES

        [1] RCE 0-day exploit found in log4j, a popular Java logging package
            https://www.lunasec.io/docs/blog/log4j-zero-day/

        [2] Worst Apache Log4j RCE Zero day Dropped on Internet
            https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html

        [3] Minecraft and other apps face serious threat from Log4j code execution bug
            https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

        [4] log4j-2.15.0-rc1
            https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1

        [5] Apache Log4j Security Vulnerabilities
            https://logging.apache.org/log4j/2.x/security.html

        [6] log4j-2.15.0-rc2
            https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

        [7] GreyNoise.io 2 unique IP's scanning the internet for the new Apache Log4j RCE
            https://twitter.com/_mattata/status/1469144854672379905

        [8] log4j-2.16.0
            https://github.com/apache/logging-log4j2/releases/tag/rel/2.16.0

        [9] Log4j 2.15.0 stills allows for exfiltration of sensitive data
            https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================