On Friday the 10th of December 2021, a zero-day was identified in the Apache Log4j 2 library, a common logging utility featured in applications and services built using Java technology.
An attacker can potentially leverage the vulnerability to induce remote code execution on systems hosting applications that utilise the vulnerable version of the library, without the requirement to authenticate.
The vulnerability can also be abused to leak sensitive information from environment variables, such as secrets and passwords, so additional systems and services may be exposed to compromise beyond those that implement the vulnerable library.
Applications which log data from untrusted sources, such as HTTP headers or content received within POST or GET requests, expose systems to compromise.
The vulnerability is trivial to exploit and active exploitation has been observed in the wild.
We recommend that organisations monitor this issue over the next few weeks if they make use of software and systems that are built using Java technology, as vendors may identify vulnerabilities within their products and produce patches in due course.
A list of affected products has been published on GitHub and will be maintained by CISA. This provides a comprehensive list of third-party products which are known to be vulnerable or declared unaffected by the vendor. We recommend reviewing it to identify whether any of these products are hosted in your environment:
For organisations that make use of bespoke applications built using Java, especially those that are public-facing, it is recommended to check whether the vulnerable components are in use.
The earliest non-vulnerable version of Log4j 2 is log4j-2.15.0-rc2. If an earlier version of Log4j 2 is utilised by an application, we recommend upgrading as soon as possible.
A new version of Log4j 2 has been released in the form of 2.16.0. This version is recommended rather than 2.15.0-rc2, as 2.15.0-rc2 has been identified to be exploitable in certain non-default configurations (this has been identified as a separate vulnerability in CVE-2021-45046). The 2.16.0 patch disables access to JNDI by default.
On 16 December 2021, a denial of service vulnerability (CVE-2021-45105) was identified in Log4j 2, affecting versions from 2.0-beta9. If an attacker is able to supply a payload which causes infinite recursion and which is then processed by Log4j 2, the application will crash.
Apache has released version 2.17.0, which addresses this issue.
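To turn the version thresholds above into a repeatable check, the following script (an added example, not part of the original advisory or of the Log4j project) classifies a log4j-core version against the three advisories. It reads the version from a jar's META-INF/MANIFEST.MF Implementation-Version entry (an assumption about how the jar was built) and falls back to the log4j-core-<version>.jar filename. Pre-release builds such as 2.15.0-rc2 are deliberately ordered below the final release, which is conservative: the advisory states that 2.15.0-rc2 fixes CVE-2021-44228, but any 2.15.0 build is still flagged for the two later CVEs, so the upgrade recommendation is unchanged. The sample jar it builds for demonstration is constructed and contains only a manifest.

```python
"""Classify a log4j-core version against CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

Added example; not from the original advisory. Thresholds are the fixed
versions the advisory names (2.15.0, 2.16.0, 2.17.0). Reading the version from
META-INF/MANIFEST.MF (Implementation-Version) is an assumption about how the
jar was built; the filename fallback covers the usual log4j-core-<ver>.jar.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Fixed-in versions from the advisory, oldest first.
FIXED_IN = (
    ((2, 15, 0), "CVE-2021-44228"),  # remote code execution via JNDI lookups
    ((2, 16, 0), "CVE-2021-45046"),  # 2.15.0 still exploitable in some non-default configs
    ((2, 17, 0), "CVE-2021-45105"),  # denial of service via infinite recursion
)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+\d*(?:\.\d+)*))?$")
JAR_NAME_RE = re.compile(r"^log4j-core-(.+)\.jar$")

Version = Tuple[int, int, int, int]  # major, minor, patch, release flag


def parse_version(text: str) -> Version:
    """'2.15.0-rc2' -> (2, 15, 0, 0); '2.16.0' -> (2, 16, 0, 1).

    The trailing flag orders pre-release builds (rc, beta, alpha) below the
    final release, so a release candidate of 2.15.0 is treated as older than
    the 2.15.0 release. This is the conservative choice for a defender.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if qualifier else 1)


def assess(version_text: str) -> List[str]:
    """Return the advisory IDs that a given log4j-core version is still exposed to."""
    version = parse_version(version_text)
    # A fixed version compares as (x, y, z, 1): the release build itself is not affected.
    return [cve for fixed, cve in FIXED_IN if version < fixed + (1,)]


def version_from_jar(jar_path: str) -> Optional[str]:
    """Read the version from the jar manifest, falling back to the filename."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:  # no manifest in this archive
            manifest = ""
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version" and value.strip():
            return value.strip()
    m = JAR_NAME_RE.match(Path(jar_path).name)
    return m.group(1) if m else None


def build_sample_jar(version: str, directory: Optional[str] = None) -> str:
    """Write a constructed, manifest-only log4j-core jar for demonstration.

    Real jars contain classes; only the manifest matters to version_from_jar.
    """
    directory = directory or tempfile.mkdtemp(prefix="log4j-check-")
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return str(path)


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0-rc2", "2.16.0", "2.17.0", "2.0-beta9"):
        print(f"{v:12} -> {assess(v) or 'not affected by the advisories above'}")
    sample = build_sample_jar("2.14.1")
    found = version_from_jar(sample)
    print(f"{sample}: {found} -> {assess(found)}")
```

In practice you would walk a server's filesystem (and unpack nested archives such as WAR and EAR files, which this example does not do) and feed every log4j-core jar to version_from_jar; anything that returns a non-empty list from assess should be scheduled for upgrade to 2.17.0.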
It may be possible to mitigate the vulnerability, but this depends on various factors, including whether a more recent version of Log4j 2 is in use, as well as the version of the Java Development Kit used.
Setting the log4j2.formatMsgNoLookups parameter to true is no longer considered a sufficient mitigation, as discussed in CVE-2021-45046:
If it is not possible to patch, please follow the article provided by NCC Group below:
We recommend consulting the following resources for mitigation and detection guidance: