Audit: log4j version used could lead to remote code execution SC-A1003

The log4j library is a popular logging library used across the JVM ecosystem. However, if you are using a vulnerable version of Log4j (A version between 2.0 and 2.16.0), RCE (Remote Code Execution) as well as DoS (Denial of Service) attacks are possible through abuse of Log4j's template processing algorithm.

An attacker can perform a malicious JNDI object lookup to chain other exploits, or induce the application to process a malicious template string resulting in a DoS attack if your code logs request data (such as a user agent header).

Update your Log4j version to 2.17.0 to mitigate these vulnerabilities.

The following vulnerabilities have been discovered as of December 19, 2021:

• The original RCE vulnerability, affecting Log4j versions 2.0 and fixed incompletely in 2.15.0.

• A DoS vulnerability, surfaced in version 2.15.0 and affecting all 2.x versions before it. This vulnerability is possible with certain non-default pattern layouts that allow the attacker to initiate JNDI lookups by manipulating thread context data. This attack requires a custom pattern layout that uses an interpolation string like $${ctx:loginId}.

  It has been fixed in version 2.16.0; message lookup and JNDI functionality is disabled by default now.

• Log4j 1.x is partially vulnerable with non-default configurations that use the JMSAppender class. While this is of a lower severity than the other vulnerabilities found so far, version 1.x has been deprecated since 2015 and will not receive official updates (not even security fixes); consider updating to the latest 2.x version.
• Another severe DoS vulnerability, affecting versions 2.0 to 2.16.0. It is possible for a specially crafted self-referential lookup string (PoC example of this is ${${::-${::-$${::-j}}}}) to cause log4j to go into an infinite recursive loop, resulting in a stack overflow. NOTE: This vulnerability also requires a non-default pattern layout similar to the previously mentioned DoS attack.

This is fixed in version 2.17.0.

Update your Log4j version to the latest to avoid these vulnerabilities.

This exploit can make use of multiple RPC protocols, including LDAP, CORBA and RMI, of which LDAP is especially vulnerable due to its lack of security manager enforcement.

For an in-depth explanation of how this attack is made possible, read this article.

There are a few ways to fix this issue.

• Upgrade to Log4j 2.17.0

Log4j's latest version, 2.17.0 fixes this bug.

Upgrade your Log4j dependency to this version if possible.

• Remove the JndiLookup class from your application's classpath

This vulnerability exploits Log4j's ability to interpolate JNDI lookup urls into logged strings. It is safe to do so but will not protect from certain DoS vulnerabilities mentioned above.

JndiLookup.class can be removed by deleting the JndiLookup.class file from your copy of log4j-core.jar:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The best method to prevent this issue is to update to the latest version of Log4j.

References

• NVD - CVE-2021-44228
• Lunasec - Log4j Zero Day
• Palo Alto Networks - Another Apache Log4j Vulnerability Is Actively Exploited in the Wild
• Apache Log4j Homepage - Log4j security vulnerabilities
• OWASP Top Ten 2021 - Category A05 - Security Misconfiguration
• OWASP Top Ten 2021 - Category A06 - Vulnerable and Outdated Components