Service Advisory
Please share the following information with your technical teams.
A proof of concept (POC) that exploits a remote code execution (RCE) vulnerability in the Java logging package Apache log4j was released yesterday (Dec 9). Log4j is widely used in Java applications and frameworks; common examples include Confluence, Elastic, Rundeck and SAP (and many others). Although log4j itself is usually not directly exposed by applications, this is expected to be a trivially exploitable Remote Code Execution (RCE) vulnerability that will result in widespread compromise, and potentially ransomware.
There are reports of this being actively exploited in the wild. It is urgent to address any vulnerable systems immediately.
Please review your applications for use of log4j and, where it is used, identify the version in use.
Vulnerable versions: 2.0 <= Apache log4j <= 2.14.1
Contact infosec to report any vulnerable installation found for mitigation and investigation steps.
Additional details and notices of vulnerable software can be expected to be announced over coming days.
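To support the version review requested above, here is an added example (not part of this advisory) that walks a directory tree, opens every jar/war/ear, reads the pom.properties that log4j-core ships under META-INF, and flags versions in the advisory's range 2.0 to 2.14.1; it also reports whether JndiLookup.class, the class that performs the JNDI lookup, is still packaged. The two entry paths are the real ones used by log4j-core; build_sample_jar constructs a minimal sample archive so the scanner can be exercised offline.

```python
import io
import os
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(pom_text):
    """Turn 'version=2.14.1' from pom.properties into (2, 14, 1); None if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_text, re.MULTILINE)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def is_vulnerable(version):
    """Range from the advisory: 2.0 <= log4j-core <= 2.14.1."""
    return (2, 0, 0) <= version <= (2, 14, 1)

def inspect_jar(jar_bytes):
    """Report the log4j-core version and whether JndiLookup.class is still packaged."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PATH).decode()) if POM_PATH in names else None
    return {"version": version,
            "vulnerable": version is not None and is_vulnerable(version),
            "jndi_lookup_present": JNDI_CLASS in names}

def scan_tree(root):
    """Walk root; return findings for each jar/war/ear carrying log4j-core or JndiLookup."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith((".jar", ".war", ".ear"))):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = inspect_jar(fh.read())
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or not a zip archive: skip it
            if info["version"] is not None or info["jndi_lookup_present"]:
                findings[path] = info
    return findings

def build_sample_jar(version, include_jndi=True):
    """Constructed sample jar holding only the two entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()
```

The scanner does not descend into jars nested inside a war/ear or a shaded "fat" jar, so archives of that kind should be unpacked and rescanned; a missing pom.properties with JndiLookup.class present is still reported, since a relocated copy of log4j-core is equally exposed.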
Details on Log4Shell Zero-Day Vulnerability – Apache log4j
Severity level
Critical
CVE-2021-44228
Description:
If an attacker can get a server running a vulnerable version of log4j to log a string containing a link to a malicious Java class file, the server will request that file through the Java Naming and Directory Interface (JNDI) and execute the malicious code. Any attacker-controlled data that is logged through log4j (such as User-Agent strings) can therefore result in Remote Code Execution (RCE).
Affected Versions:
Apache Log4j 2 versions 2.0 to 2.14.1
Log4j is embedded in many Java applications and frameworks, which may need updates of their own.
Impact:
An attacker could exploit this vulnerability to take control of an affected device.
Resolution:
– Expect additional updates to be added to this post over the coming days.
– Update to log4j-2.15.0-rc1 or later.
– Expect vendors to release updates for this vulnerability over the next several days, and apply them as they become available.
In addition to the update, apply the following mitigation to disable message lookups globally by setting the system property
log4j2.formatMsgNoLookups=true (for example, -Dlog4j2.formatMsgNoLookups=true on the JVM command line) or the equivalent environment variable
export LOG4J_FORMAT_MSG_NO_LOOKUPS=true
Note that this property is only honoured by log4j 2.10 and later; earlier 2.x versions cannot be mitigated this way and must be updated.
Reference:
[Details] – https://www.lunasec.io/docs/blog/log4j-zero-day/
[Details] – https://www.randori.com/blog/cve-2021-44228/
[Details] – https://logging.apache.org/log4j/log4j-2.14.1/manual/configuration.html#DisablingMessagePatternLookups
[Alternate Workaround] – https://github.com/Glavo/log4j-patch
We thank you for your cooperation and understanding.
Contact
UIT Client Services at askit@yorku.ca or 416 736 5800