ALERT: Apache Log4j Critical Vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-4104)

Summary

Last Updated: February 3, 2022 at 12:22PM

As the situation is ongoing, this page may be updated with the most up-to-date information about this vulnerability. For questions or more information about this vulnerability, please contact infosec@hawaii.edu.

A critical vulnerability affecting Apache’s Log4j software library, known as “Log4Shell” or “Logjam” (CVE-2021-44228), could allow an unauthenticated remote adversary to achieve remote code execution on an affected system. Log4j is used broadly in many consumer and enterprise services, software, and applications for security and performance logging, so this vulnerability poses a significant and widespread threat. After the fix for Log4j was released in version 2.15, it was found that under certain conditions remote code execution could still be achieved (CVE-2021-45046). In version 2.16, it was found that Log4j was still affected by a Denial-of-Service vulnerability (CVE-2021-45105). Additionally, it was discovered that version 1.2 of Log4j using JMSAppender is affected by an untrusted deserialization flaw that cannot be fixed (CVE-2021-4104). Due to this, Log4j should be updated to version 2.17.1 as soon as possible on affected systems. For systems that cannot be updated, mitigations should be applied as soon as possible. Additionally, be aware of vendor updates that address the Log4j vulnerability and make the necessary updates to secure affected systems.

Update: Patch Vendor Products Using Log4j Now

Recently, there has been an increase in attacks targeting unpatched products using Log4j. Due to the widespread usage of Log4j in vendor products, it is important to review ALL product advisories to determine whether they are affected by the Log4j vulnerabilities. Below is a non-exhaustive list of popular vendors that have products with available patches for the Log4j vulnerability:

  • Adobe
  • Apache
  • Broadcom
  • Cisco
  • Debian
  • Docker
  • FortiGuard
  • IBM
  • MongoDB
  • Oracle
  • Red Hat
  • SonicWall
  • Splunk
  • TrendMicro
  • VMware
  • Ubiquiti
  • Ubuntu
  • Zoho

Affected Versions and Products

  • Apache Log4j 1.2 using JMSAppender (CVE-2021-4104)
  • Apache Log4j 2.0-beta9 up to 2.14.1 (CVE-2021-44228)
  • Apache Log4j 2.0-beta9 up to 2.15.0 (CVE-2021-45046)
  • Apache Log4j 2.0-beta9 up to 2.16.0 (CVE-2021-45105)
  • Vendor products utilizing Apache Log4j: View affected vendor products

Action and Guidance

  • Review all vendor products for updates regarding the Apache Log4j vulnerability as many products embed Log4j. Apply all update packages as soon as possible.
  • Update to version 2.17.1 of Apache Log4j as soon as possible following appropriate testing.
  • If updates cannot be applied immediately, apply the following mitigations:
    NOTE: The following actions may not be fully effective in mitigating the vulnerabilities; therefore, updates should be applied wherever possible.

    • For Log4j versions 2.0-beta9 through 2.16.0, remove the JndiLookup class from the log4j-core jar on the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    • For Log4j version 2.16.0, in PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns such as %X, %mdc, or %MDC.
    • Isolate systems in their own respective DMZ or VLAN, limit outbound network connections from affected systems to trusted hosts and ports only, and monitor network and system logs for Log4j exploitation.
    • Block outbound LDAP, Remote Method Invocation (RMI), and DNS.

Scanning for Log4j Vulnerability

To assist with the detection of vulnerable instances of Log4j in applications, UH InfoSec offers the ScanUH tool to perform self-scans. The ScanUH vulnerability scanner contains plugins that perform a test exploit of the vulnerability; however, not all instances of the vulnerability will be checked. Additionally, scans will not detect Log4j embedded in custom or vendor applications.

Link: ScanUH Vulnerability Scanner
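Because a network scan cannot see Log4j embedded inside applications, a host-side inventory complements it. The following Python script is an added example (not the ScanUH tool or any UH InfoSec code): it walks a directory, inspects .jar/.war/.ear files and the jars nested one level inside them (such as WEB-INF/lib), reports which of the CVEs listed in this advisory apply to each log4j-core version, and checks whether JndiLookup.class has been removed as in the mitigation above. The sample jars it builds are constructed fixtures, not real Log4j builds.

```python
import io, os, re, tempfile, zipfile
# Advisory ranges (upper bound inclusive); fixed in 2.17.1. Log4j 1.x: CVE-2021-4104, only when JMSAppender is configured.
AFFECTED = [((2, 14, 1), "CVE-2021-44228"), ((2, 15, 0), "CVE-2021-45046"), ((2, 16, 0), "CVE-2021-45105")]
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"^log4j-(?:core-)?(\d+)\.(\d+)(?:\.(\d+))?")  # filename fallback, also matches log4j-1.2.x

def assess(version):
    return ["CVE-2021-4104"] if version[0] == 1 else [cve for bound, cve in AFFECTED if version <= bound]

def inspect_jar(zf, label):
    """Finding for one log4j jar: version, advisory CVEs, and whether JndiLookup.class is still inside."""
    names = set(zf.namelist())
    text = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M) or NAME_RE.match(os.path.basename(label))
    if not m:  # neither Maven metadata nor a log4j-style filename: not a log4j jar
        return None
    version = (int(m[1]), int(m[2]), int(m[3] or 0))  # "2.0-beta9" collapses to (2, 0, 0)
    return {"path": label, "version": version, "cves": assess(version), "jndi_lookup_present": JNDI_CLASS in names}

def scan_tree(root):
    """Walk root; inspect .jar/.war/.ear files and jars nested one level inside them (e.g. WEB-INF/lib)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                with zipfile.ZipFile(path) as zf:
                    nested = [(zipfile.ZipFile(io.BytesIO(zf.read(n))), path + "!" + n)
                              for n in zf.namelist() if n.endswith(".jar")]
                    findings += [f for f in (inspect_jar(a, l) for a, l in [(zf, path)] + nested) if f]
    return findings

def build_sample_tree(root=None):
    """Constructed demo fixtures (not real Log4j builds), one per situation in the advisory; returns the root."""
    root = root or tempfile.mkdtemp()
    def jar(entries, path=None):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n, data in entries.items():
                zf.writestr(n, data)
        if path:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").write(buf.getvalue())
        return buf.getvalue()
    jar({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: b"\xca\xfe"}, os.path.join(root, "lib", "log4j-core-2.14.1.jar"))
    jar({POM_PROPS: "version=2.16.0\n"}, os.path.join(root, "lib", "log4j-core-2.16.0.jar"))  # JndiLookup removed
    jar({"WEB-INF/lib/log4j-core-2.17.1.jar": jar({POM_PROPS: "version=2.17.1\n", JNDI_CLASS: b"\xca\xfe"}),
         "WEB-INF/lib/log4j-1.2.17.jar": jar({"log4j.properties": b""})}, os.path.join(root, "app.war"))
    return root
```

Run scan_tree against a real application directory to get one finding per log4j jar; a finding with an empty "cves" list and a 2.x version means the jar is outside the ranges this advisory lists, while "jndi_lookup_present" shows whether the class-removal mitigation has been applied.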

Information for Users

As a best practice, be sure to follow our Minimum Security Standards (Login Required) to secure University Institutional Data. Remain vigilant when receiving shared documents or emails and be aware of potential phishing attempts. For more information, see Phishing.

Resources