About CVE-2021-44228 aka ‘Log4Shell’ (Updated)
Updated on: December 17, 2021
Read time: 3 min
This weekend a new 0-day has been published and the web was set to fire. The vulnerability has been assigned CVE-2021-44228 and flagged with Critical severity, it affects Java code importing the very popular log4j logging library. As we can read on Log4j security page: An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
It is being actively exploited, so I encourage you to update to a patched version and deploy remediations ASAP.
How it works
Log4shell works by sending a maliciously crafted string as value of a request header to web services depending on log4j, allowing remote code execution to the attacker in an environment where he controls LDAP servers and other JNDI related endpoints. Such environment could be the Internet itself. That kind of criticity recalls Shellshock from 2014 and because of this has been named Log4Shell.
Who is affected and mitigations
Vulnerable versions are those from
2.14.1. The patched one is the recently released
2.15.0, which disables the lookup behaviour by default.
For versions after
2.10.0 you can mitigate the vulnerability by disabling JndiLookup. You can do it by setting the env var
LOG4J_FORMAT_MSG_NO_LOOKUPS=true or by running the jar with the property
java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar.
JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not impacted by the LDAP attack vector because in these versions
com.sun.jndi.ldap.object.trustURLCodebase is set to
false (source), yet DNS is being used as JNDI endpoint so upgrading is still strongly recommended.
Spring-boot, per their statement, is affected only if you use log4j2 as the default logging system. More specifically, only applications using log4j-core and including user input in log messages are vulnerable, meaning that if you use
spring-boot-starter-logging (which depends on
log4j-api) your application is safe. Check your pom to know if you use it and have to upgrade.
Cloudflare has written about how they have already deployed a mitigation throught their WAF to both free and paid users. Also, Microsoft has published a guide about their solutions via Microsoft 365 Defender and Defender for Cloud products.
Remaining in the cloud world, HAProxy developers have recently announced that their products are not impacted because they do not use log4j2.
Update 2: More companies have deployed their remediations. I’ve gathered their announcements below and I’ll keep adding as soon as I know more.
Be sure you update because the vuln is already being exploited to mine Monero via RMI (Remote Method Invocation).
If you're looking to identify jars vulnerable to the log4j bug, we wrote this tool to help: https://t.co/VcqluEttY6— The Paranoids (@TheParanoids) December 16, 2021
An alternative mitigation
If you can’t update the library shortly, e.g. for some older projects, an alternative is to deploy an nginx instance with some Lua scripts and expose the services throught the (reverse) proxy so that malicious headers do not pass to the Java backend behind (link).
Of course similar solutions can be deployed with other products.
You may find yourself using log4j
1.2.x, for example on a couple of old projects. If you are still including it, you should upgrade ASAP since it reached end of life in 2015 and hasn’t included security fixes for a while. It is vulnerable to other remote code execution attacks, like CVE-2019-17571, which has been discovered in 2019 and is somewhat similar to the one discovered this weeekend (link).
Log4j developers strongly recommend to upgrade to version
2.x (as written here), and considering the latest news I advise you to update at least to version
2.16.0. A guide to do so is available on the dedicated Apache website.
Hope it helps. Thanks for reading.
- Dec 15, 2021: About CVE-2021-45046
- Dec 17, 2021: Added announcements from more companies, Monero mining via RMI and Yahoo! tool.
Got some words you want to share? Tell me!