===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2021.0244.6
                     RCE 0-day exploit found in log4j
                              4 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          log4j
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Denial of Service               -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-45105 CVE-2021-45046 CVE-2021-44832
                  CVE-2021-44228  

Revision History: January   4 2022: Added additional patch information and CVE to advisory
                  December 20 2021: Added additional patch information and CVE to advisory
                  December 16 2021: Added additional patch information and CVE to advisory
                  December 13 2021: CVE added to advisory and reference URL corrected
                  December 10 2021: Updated Overview and Mitigation details
                  December 10 2021: Initial Release

OVERVIEW

        log4j has been reported to be vulnerable to remote code execution.

        Affected version:
        
        2.0 <= Apache log4j2 <= 2.14.1 [1]
        
        UPDATE:
                
        JDK versions later than 6u211, 7u201, 8u191 and 11.0.1
        are not affected by the LDAP attack vector. [1]
        
        Internet wide scanning for Apache Log4j has been reported.[7]
        
        UPDATE: All versions of log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
        are listed as vulnerable to a new CVE, CVE-2021-45046. [5]
        
        UPDATE: Apache log4j2 versions 2.0-alpha1 through 2.16.0 were found vulnerable to a new CVE, CVE-2021-45105. [5]
        
        UPDATE: Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) were found vulnerable to a new CVE, CVE-2021-44832. [5]


IMPACT

        Lunasec has gathered information about proof-of-concept code that may cause log4j,
        a popular Java logging package, to execute arbitrary code. [1]
        
        No CVE or CVSS score had been issued for this vulnerability at the time of the
        initial release, and the impact/vector provided above is guidance only.
                
        Media reports of the vulnerability are circulating. [2][3]
        
        A patch has been made available [4] ahead of an update to the official log4j security page. [5]
        
        UPDATE:
        
        CVE-2021-44228 has been assigned to this vulnerability [5]
        
        UPDATE:
        
        CVE-2021-45046 was also assigned to this vulnerability. It has been classified as Denial of Service (DoS). [5]
        
        There are reports that CVE-2021-45046 can also be exploited to exfiltrate data if log4j is left at patch level 2.15.0. [9]
        
        UPDATE:
        
        CVE-2021-45105 has been identified, which enables an attacker to cause a denial of service on the affected system. [5]
        
        UPDATE: 
        
        CVE-2021-44832 has been identified, which enables an attacker with permission to modify the logging configuration to achieve remote code execution. [5]
         


MITIGATION

        The following is suggested as a mitigation step by Lunasec.
        
        "Start your server with log4j2.formatMsgNoLookups set to true,
        or update to log4j-2.15.0-rc1 or later.
                
        (Kudos to @80vul for tweeting)"[1]
               
        A patch is also available [4] pending an update to the official log4j security page [5].
        
        UPDATE: log4j-2.15.0-rc2 is available [6]
        
        UPDATE: log4j-2.16.0 is available and is the recommended patch level to address both CVE-2021-44228 and CVE-2021-45046. [5] [8]

                log4j 2.12.2 (Java 7) and log4j 2.16.0 (Java 8) were released to address CVE-2021-45046. [5]

                log4j 2.17.0 (Java 8) was released to address CVE-2021-45105. [5]

                log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) were released to address CVE-2021-44832. [5]
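        The following is an added worked example, not part of the AusCERT bulletin or the log4j project: a Python checker that encodes the affected ranges and fix releases stated above, so a deployed log4j version string can be mapped to the bulletin CVEs that still apply and to the fix release for its Java branch. It treats versions at or above the bulletin's branch fix releases (2.3.2, 2.12.4, 2.17.1) as clean and treats 2.12.2 as fixed for CVE-2021-44228 because the bulletin names it as the Java 7 backport; both are the editor's reading of the bulletin, not text from it.

```python
import re

# Pre-release tags sort below the final release of the same number.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(text):
    """Turn '2.0-beta9', '2.15.0-rc1' or '2.17.1' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _PRE_RANK[tag] if tag else 3, int(num or 0))

# Affected ranges (inclusive) and exclusions as this bulletin states them.
# 2.12.2 is the Java 7 backport the bulletin names, so it is also excluded
# from the original RCE range (editor's reading, not bulletin text).
ADVISORY_RANGES = [
    ("CVE-2021-44228", [("2.0", "2.14.1")], ["2.12.2"]),
    ("CVE-2021-45046", [("2.0-beta9", "2.12.1"), ("2.13.0", "2.15.0")], []),
    ("CVE-2021-45105", [("2.0-alpha1", "2.16.0")], []),
    ("CVE-2021-44832", [("2.0-beta7", "2.17.0")], ["2.3.2", "2.12.4"]),
]

# Final fix release per Java branch, as listed in the bulletin.
FIX_RELEASE_BY_JAVA = {6: "2.3.2", 7: "2.12.4", 8: "2.17.1"}

def is_fixed(v):
    """True when v is at or above its branch's fix release: 2.3.x >= 2.3.2,
    2.12.x >= 2.12.4, or anything >= 2.17.1."""
    for java, fix in FIX_RELEASE_BY_JAVA.items():
        f = parse_version(fix)
        if (java == 8 or v[:2] == f[:2]) and v >= f:
            return True
    return False

def applicable_cves(version):
    """Return the bulletin's CVEs that still apply to a deployed version."""
    v = parse_version(version)
    if is_fixed(v):
        return []
    return sorted(
        cve for cve, ranges, excluded in ADVISORY_RANGES
        if v not in {parse_version(x) for x in excluded}
        and any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    )

def recommended_fix(java_major):
    """Fix release to move to for the JDK major version in use (8+ -> 2.17.1)."""
    return FIX_RELEASE_BY_JAVA[8 if java_major >= 8 else java_major]
```

Feeding it the version reported by an inventory scan (for example from the jar's manifest) gives a per-host list of outstanding CVEs and the target release for that host's Java branch.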


REFERENCES

        [1] RCE 0-day exploit found in log4j, a popular Java logging package
            https://www.lunasec.io/docs/blog/log4j-zero-day/

        [2] Worst Apache Log4j RCE Zero day Dropped on Internet
            https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html

        [3] Minecraft and other apps face serious threat from Log4j code
            execution bug
            https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

        [4] log4j-2.15.0-rc1
            https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1

        [5] Apache Log4j Security Vulnerabilities
            https://logging.apache.org/log4j/2.x/security.html

        [6] log4j-2.15.0-rc2
            https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2

        [7] GreyNoise.io: 2 unique IPs scanning the internet for the new Apache
            Log4j RCE
            https://twitter.com/_mattata/status/1469144854672379905

        [8] log4j-2.16.0
            https://github.com/apache/logging-log4j2/releases/tag/rel/2.16.0

        [9] Log4j 2.15.0 stills allows for exfiltration of sensitive data
            https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================