CyRC Vulnerability Analysis: Zero-Day Remote Code Execution Exploit in Java Logging Library (log4j)



A dangerous zero-day exploit has been identified in log4j, a popular Java logging library.

Apache log4j / log4j2 is widely used within the Java community to implement application logging. Since log4j is a de facto standard within the Java community, it is likely that most Java applications will use it as a log interface.

The NVD has assigned CVE-2021-44228 to this vulnerability, which affects Apache log4j2 versions from 2.0-beta9 to 2.14.1. In these versions, the Java Naming and Directory Interface (JNDI) features are not protected against LDAP or other JNDI endpoints controlled by an attacker. If message lookup substitution is enabled, an attacker can trigger remote code execution (RCE) by having arbitrary code loaded from an LDAP server under their control.

The NVD currently does not have a CVSS score for this vulnerability, but the Synopsys Cybersecurity Research Center (CyRC) has published a corresponding Black Duck® Security Advisory (BDSA) and assigned a CVSS score of 9.1, with links to proof-of-concept exploits. This information allows users to quickly identify where they are exposed to this vulnerability without having to rescan their applications, which simplifies triage, validation and remediation efforts.

Extracts from the BDSA

Black Duck Security Advisory summary

Apache log4j, as used in many popular services, may inappropriately allow Lightweight Directory Access Protocol (LDAP) access through the Java Naming and Directory Interface (JNDI) features. A remote attacker who provides the final application with specially crafted input which is then processed by the log4j subcomponent could cause the execution of arbitrary Java code.

How to fix it

Fixed in 2.15.0-rc2 by this commit and this commit.

The latest versions can be found here.

Workaround

A third party offered a workaround here. They suggest the following:

  • Version 2.10.0 and above have the log4j2.formatMsgNoLookups property, which can be set to true to disable the affected functionality.
  • In versions below 2.10.0, every logging pattern layout should be changed to use %m{nolookups} instead of %m in the logging configuration files.

Additionally, as suggested here, Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 protect against specific exploitation techniques; however, code execution and other outcomes through other techniques available on those versions and environments cannot be ruled out.

It should also be possible to mitigate the problem by removing the JndiLookup class from the classpath.
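The three defender-side checks described above (is the deployed log4j-core inside the 2.0-beta9 to 2.14.1 range, does a pre-2.10.0 pattern layout still use a bare %m, and has the JndiLookup class actually been removed) can be scripted against the artifacts on disk. The following is an added example written for this page, not CyRC, Synopsys or Apache code. It assumes only the entry layout of Maven-built log4j-core jars (the pom.properties path and the JndiLookup.class path) and goes slightly beyond the text by also descending into nested archives such as WEB-INF/lib in a war; the jars it scans in run_demo are constructed stubs with the real layout but empty class bodies.

```python
import io
import os
import re
import tempfile
import zipfile

# Entry paths as laid out inside Maven-built log4j-core jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_MIN, AFFECTED_MAX = "2.0-beta9", "2.14.1"   # range named in the advisory
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")
# %m / %msg / %message conversions in a PatternLayout, with their optional {options}.
_MSG_CONV_RE = re.compile(r"%(?:message|msg|m)(?![A-Za-z])(\{[^}]*\})?")

def version_key(version):
    """Sort key such that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.14.1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch, tag, num = m.groups()
    is_release = 1 if tag is None else 0          # releases sort after pre-releases
    return (int(major), int(minor), int(patch or 0), is_release, (tag or "").lower(), int(num or 0))

def is_affected_version(version):
    """True if the version lies inside the advisory's affected range (inclusive)."""
    return version_key(AFFECTED_MIN) <= version_key(version) <= version_key(AFFECTED_MAX)

def unmitigated_message_patterns(pattern):
    """For pre-2.10.0 layouts: message conversions that still lack {nolookups}."""
    return [m.group(0) for m in _MSG_CONV_RE.finditer(pattern)
            if m.group(1) is None or "nolookups" not in m.group(1).lower()]

def _read_version(zf):
    """log4j-core version from the Maven pom.properties the jar carries, if any."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    lines = zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines()
    props = dict(line.split("=", 1) for line in lines if "=" in line)
    return props.get("version", "").strip() or None

def inspect_archive(data, name):
    """Inspect one archive (bytes) and any archive nested in it (fat jars, WEB-INF/lib).
    Returns findings as dicts: archive, version, affected, jndi_lookup_present."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []                                 # not really an archive; skip it
    findings = []
    with zf:
        names = set(zf.namelist())
        version, has_class = _read_version(zf), JNDI_LOOKUP_CLASS in names
        if version is not None or has_class:
            findings.append({"archive": name, "version": version,
                             "affected": is_affected_version(version) if version else None,
                             "jndi_lookup_present": has_class})
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(inner), name + "!" + inner))
    return findings

def scan_tree(root):
    """Walk a directory tree and inspect every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings

def build_sample_jar(version, include_jndi_lookup):
    """CONSTRUCTED stand-in for a log4j-core jar: real entry layout, stub class body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\nversion=%s\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only
    return buf.getvalue()

def run_demo():
    """Lay out constructed archives in a temp dir, scan them, return findings keyed by
    path relative to that dir (nested archives are suffixed with '!inner/path')."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "lib"))
        war = io.BytesIO()                        # a web app bundling an old beta build
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.0-beta9.jar", build_sample_jar("2.0-beta9", True))
        samples = {"lib/log4j-core-2.14.1.jar": build_sample_jar("2.14.1", True),
                   # same version with JndiLookup.class removed (the class-removal mitigation)
                   "lib/log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", False),
                   "app.war": war.getvalue()}
        for rel, blob in samples.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(blob)
        return {r["archive"].replace(tmp + os.sep, "", 1): r for r in scan_tree(tmp)}

if __name__ == "__main__":
    for rel, finding in run_demo().items():
        print(rel, finding)
```

Point scan_tree at an application's lib directory or deployment root to get the same findings for real archives. A jar that reports affected=True together with jndi_lookup_present=False is one where the class-removal mitigation has already been applied; a jar where pom.properties is missing (repackaged or shaded builds) still surfaces if the class is present, which is why the scanner keys on both signals rather than the version alone.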

How Synopsys helps

With Black Duck’s Software Composition Analysis (SCA), all open source software used in your applications is continuously identified, cataloged and monitored for newly disclosed vulnerabilities. If a vulnerability is discovered, our team of security researchers will endeavor to compile, confirm, and augment any related information before issuing a security advisory to all affected customers. These advisories contain the details necessary to understand, prioritize, and remediate vulnerabilities in the context of your applications, and are issued within hours of a vulnerability disclosure.
