A critical zero-day vulnerability in Log4j, tracked as CVE-2021-44228, has been discovered; it carries a CVSSv3 score of 10 out of 10. The JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. The vulnerability enables remote code execution and is already being exploited in the wild.

Log4j is a widely used Java library for logging error messages in applications. It is developed by the open-source Apache Software Foundation and is a key Java logging framework used by many services. Systems and services that use Apache Log4j versions 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 are affected. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

EGI CSIRT would like to point out that Log4j version 2 is included in Apache Struts2, Solr, Druid, Flink, and Swift frameworks.

Mitigation

Java 8 (or later) users should upgrade to release 2.16.0, where the vulnerable feature has been completely removed (in Log4j 2.15.0 the feature is only disabled by default). Users who must remain on Java 7 should upgrade to release 2.12.2.

To mitigate this bug without upgrading, users should set the log4j2.formatMsgNoLookups system property to true by adding:

"-Dlog4j2.formatMsgNoLookups=true"

to the JVM command line used to start the application.

Alternatively, they can remove the JndiLookup class from the classpath by deleting it from the log4j-core JAR:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

There are multiple tools available that can help you verify if your service is vulnerable.
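The following scanner is an added example written for this advisory; it is not EGI CSIRT's code, nor one of the tools linked below. It walks a directory, opens every JAR/WAR (and one level of archives nested inside them, as in a deployed web application), reads the log4j-core version from the Maven pom.properties entry, reports whether the JndiLookup class named above is present, and classifies the version against the affected ranges stated in this advisory. It also implements the class-removal mitigation from the previous paragraph in Python, rewriting the JAR without the class exactly as the zip -d command does. The JAR files it scans in the demo are constructed in a temporary directory with placeholder class bytes; they are not real Log4j artifacts.

```python
"""Added example (not EGI CSIRT's or Apache's code): find log4j-core JARs,
check for JndiLookup.class, classify the version, and optionally strip the
class the way the advisory's `zip -q -d` command does."""
import io
import os
import re
import tempfile
import zipfile

# Entry names inside a real log4j-core JAR (Maven's standard pom.properties path).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(v):
    """'2.0-beta9' -> (2, 0, 0, 0, 'beta9'); a release sorts above its pre-releases."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", v)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, pre or "")


# Affected ranges exactly as the advisory states them.
AFFECTED = [(parse_version("2.0-beta9"), parse_version("2.12.1")),
            (parse_version("2.13.0"), parse_version("2.15.0"))]


def is_affected_version(v):
    """True/False for a parseable version, None if the scheme is unknown (do not guess)."""
    pv = parse_version(v)
    if pv is None:
        return None
    return any(lo <= pv <= hi for lo, hi in AFFECTED)


def inspect_jar(src, label):
    """Inspect one archive (path or file-like object) and return a finding dict."""
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_class = JNDI_LOOKUP in names
    # log4j-api JARs carry no JndiLookup class, so they report has_jndi_lookup=False.
    return {"path": label, "version": version, "has_jndi_lookup": has_class,
            "affected": is_affected_version(version) if version else None}


def scan(root):
    """Walk root, inspect every archive and one level of archives nested inside it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            findings.append(inspect_jar(path, path))
            with zipfile.ZipFile(path) as outer:
                for name in outer.namelist():
                    if name.lower().endswith(ARCHIVE_EXT):
                        inner = io.BytesIO(outer.read(name))
                        findings.append(inspect_jar(inner, f"{path}!{name}"))
    return findings


def remove_jndi_lookup(path):
    """Python equivalent of `zip -q -d <jar> .../JndiLookup.class`.
    Rewrites the JAR without that entry; returns True if it was present."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))  # keeps original compression
    os.replace(tmp, path)
    return removed


def _build_jar(dest, entries):
    with zipfile.ZipFile(dest, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def make_sample_tree(root):
    """Constructed sample data (not real artifacts): fake JARs carrying only the
    entries the scanner looks at; class bodies are placeholder bytes."""
    def pom(v):
        return f"version={v}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    fake_class = b"\xca\xfe\xba\xbe"
    _build_jar(os.path.join(root, "log4j-core-2.14.1.jar"),
               {POM_PROPS: pom("2.14.1"), JNDI_LOOKUP: fake_class})
    _build_jar(os.path.join(root, "log4j-core-2.16.0.jar"), {POM_PROPS: pom("2.16.0")})
    _build_jar(os.path.join(root, "log4j-api-2.14.1.jar"),
               {"org/apache/logging/log4j/Logger.class": fake_class})
    inner = io.BytesIO()  # a log4j-core bundled inside a web application archive
    _build_jar(inner, {POM_PROPS: pom("2.12.1"), JNDI_LOOKUP: fake_class})
    _build_jar(os.path.join(root, "app.war"),
               {"WEB-INF/lib/log4j-core-2.12.1.jar": inner.getvalue()})


def demo():
    """Build the constructed tree, scan it, strip the class from the affected
    on-disk JAR, and rescan. Returns (before, removed, after), keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        before = {os.path.relpath(f["path"], root): f for f in scan(root)}
        removed = remove_jndi_lookup(os.path.join(root, "log4j-core-2.14.1.jar"))
        after = {os.path.relpath(f["path"], root): f for f in scan(root)}
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    for label, f in before.items():
        print(f"{label}: version={f['version']} JndiLookup={f['has_jndi_lookup']} affected={f['affected']}")
    print("removed from log4j-core-2.14.1.jar:", removed,
          "| class still present:", after["log4j-core-2.14.1.jar"]["has_jndi_lookup"])
```

A JAR that contains JndiLookup.class and reports an affected version is the actionable case; a log4j-api JAR, as the advisory notes, carries no such class. Note that the log4j2.formatMsgNoLookups property is only honoured by Log4j 2.10.0 and later, so on older affected releases class removal (or upgrading) is the mitigation that actually applies.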

More information can be found on the following links:

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
[2] https://github.com/cisagov/log4j-affected-db
[3] https://logging.apache.org/log4j/2.x/security.html
[4] https://www.openwall.com/lists/oss-security/2021/12/10/1
[5] https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
[6] https://github.com/NCSC-NL/log4shell/tree/main/software
[7] https://github.com/YfryTchsGD/Log4jAttackSurface

Report to EGI CSIRT

In case you have noticed any unusual activity or you suspect that a service has been compromised, report the incident immediately to EGI CSIRT (abuse@egi.eu).

Information about the vulnerability

SVG will post updates about the vulnerability on the following wiki page: https://confluence.egi.eu/display/EGIBG/Log4j+CRITICAL+Vulnerability+-+CVE-2021-44228