Written on: Dec 15, 2021 2:00:10 PM
Written by: Alex Raben
[COOLSPIRiT, Cyber Security]
Share this post:
The following advice was extracted from the NCSC live blog on the 15/12/21.
The NCSC is advising organisations to take steps to mitigate the Apache Log4j vulnerability.
An unauthenticated remote code execution vulnerability (CVE-2021-44228) affects Apache Log4j versions 2.0-beta9 to 2.14.1. The NCSC is aware that scanning and attempted exploitation is being detected globally, including the UK.
Proof-of-concept code has been published for this vulnerability.
The NCSC has published further information explaining the Log4j vulnerability.
Log4j is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organisation, as well as numerous cloud services.
The Log4j library is frequently used in enterprise Java software and is included in Apache frameworks including Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift. Other large projects Including Netty, MyBatis and the Spring Framework also make use of the library.
An application is vulnerable if it consumes untrusted user input and passes this to a vulnerable version of the Log4j logging library.
Version 1 of the Log4j library is no longer supported and is affected by multiple security vulnerabilities. Developers should migrate to the latest version of Log4j (currently Log4j 2.16.0).
More information is available at:
RECOMMENDED PRIORITY ACTIONS:
ONE: Install the latest updates immediately wherever Log4j is known to be used
This should be the first priority for all UK organisations using software that is known to include Log4j. Organisations should update both internet-facing and non-internet facing software.
The Log4j library is frequently used in software and the links below provide a non-exhaustive lists of vulnerable products:
If your specific product is not listed, you can use the instructions provided below in Priority Action 2 to try and determine if Log4j is present. If your product is listed, please follow vendor advice on updating the software or applying mitigations. You should also keep refreshing the list in case a new product has been added. If your product is not listed and is vulnerable, you can request it be added to the list.
Where a vendor has not provided an update to a product, the vulnerability can be mitigated in previous releases of Log4j (2.10 and later) by setting system property "log4j2.formatMsgNoLookups" to "true". The JndiLookup class can also be removed from the classpath. However, this has limitations and should not be relied upon:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
Organisations should routinely run vulnerability scanning across their networks, to detect when updates are available.
TWO: Discover unknown instances of Log4j within your organisation
To support the first priority action above, you also should now determine if Log4j is installed elsewhere. Java applications can include all the dependent libraries within their installation.
A file system search for log4j can be undertaken. This should include searching inside EAR, JAR and WAR files. For example:
find / -type f -print0 |xargs -n1 -0 zipgrep -i log4j2 2>/dev/null
If a dependency or package manager is used, this can be searched. For example:
dpkg -l | grep log4j
There could be multiple copies of Log4j present, each copy will need to be updated or mitigated.
THREE: Deploy protective network monitoring/blocking
The following recommendations should be taken to improve network monitoring and blocking:
The NCSC is aware of a denial of service vulnerability (CVE-2021-45046) affecting all versions of Log4j2 from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. The NCSC’s advice has not changed and updating to the latest version of Log4j (currently Log4j 2.16.0) addresses this vulnerability.
Advice to developers of affected software
It may not always be easy for organisations to identify which products use Apache Log4j software. If you are a developer of any affected software, the NCSC advises early communication with your customers to enable them to apply mitigations or install updates where they are available.
The following recommendations will help assist in detection of potential malicious activity trying to exploit the log4j vulnerability.
NCSC Tools, services and guidance
The NCSC provides a range of free tools and services that help to secure systems:
If you need further advice or help contact us today: email@example.com