The Log4j Mess We Are In

On December 9th, 2021, there was a flaw discovered by security researchers in the code for a software library used for logging called Log4j. There have been three additional bugs found since then.

Full Remote Code Execution can be attained with this vulnerability, plus more found.

Update Log4j to the latest version 2.17.0 (as of 12/19/2021)

#1 Issue

There are over 100 million instances of Log4j worldwide. Anyone who hasn’t updated is vulnerable to the flaws we currently know about.

• CVE-2021-44228 (CVSS score: 10.0) – A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
• CVE-2021-45046 (CVSS score: 9.0) – An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
• CVE-2021-45105 (CVSS score: 7.5) – A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
• CVE-2021-4104 (CVSS score: 8.1) – An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.0)

#2 Symptoms

Remote Code Execution (RCE) – This is a cyber-attack whereby an attacker can remotely execute commands on someone else’s computing device.

Denial-of-Service (DoS) – Occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. The threat actor will flood the target host or network so that the host or network cannot respond or crash.

Untrusted Deserialization – Serialization is the process of converting data into a format that can be saved to a file, database, sent through streams, or sent over a network. Deserialization is the reverse of the serialization process. And untrusted deserialization is when there is a vulnerability in the deserialization process, that could allow someone to inject code to be executed during deserialization.

#3 Solution

Find out if your software is vulnerable

There are multiple lists that you can look up if the particular software you are using is affected by this vulnerability. These are not exhaustive lists, so you should also check with your vendor directly.

• CISA Vendor DB
• BleepingComputer
• GitHub – Dutch NCSC List of affected Software
• GitHub – SwitHak

Patch your software

If there is an update available for your specific software, update it now. If there is not an update, your vendor may provide a workaround so that you are not vulnerable to these exploits.

Already compromised?

All affected organizations are encouraged to report compromises to CISA and the FBI.

Conclusion

This is not the last we will hear about Log4j. I expect that in the next coming weeks we will hear about more issues found. All we can do is stay tuned and keep your software updated.

Resources: Center for Internet Security & Apache Software Foundation