12.14.2021

Critical – Vulnerability for Log4j, CVE-2021-44228, Log4Shell, Update #1

Alert

Date of Notice: 12/14/2021

Action Level - Critical

Description

As part of our Edgeguard service, MCNC would like to update you on the threat affecting the Java logging utility Log4j. This is being tracked as CVE-2021-44228. Apache documentation here.
 
Affected Devices

While no exhaustive list has been collected, the following page contains known tested software and its vulnerability status. Even if a given device isn’t on this page, assume it is vulnerable until proven otherwise.
 
Attack Vector

Any attacker with network access who can pass text to the given device can exploit this vulnerability. This could be an external bad actor interacting with public-facing devices or an internal bad actor interacting with any device they have network access to.

Attack Feasibility

This vulnerability is actively being exploited.

Mitigations

Various A/V and WAF vendors are beginning to roll out detections of these attacks.
You can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to true (-Dlog4j2.formatMsgNoLookups=true on the JVM command line), but only on Log4j versions >= 2.10.0.
Ensure all devices are patched to their most current version.
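
A check for the version caveat above, as an added example that is not part of the original alert: it reads JVM command lines, determines whether -Dlog4j2.formatMsgNoLookups=true is really passed as a JVM option, and flags log4j-core jars older than 2.10.0, where the setting has no effect. The sample command lines, function names and status labels are constructed for illustration; only the command line is inspected, so Log4j bundled inside another archive is reported as needing inventory.

```python
import re
import shlex

FLAG = "-Dlog4j2.formatMsgNoLookups"
MIN_FLAG_VERSION = (2, 10, 0)  # per the alert: the flag only works on >= 2.10.0
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/\\:;\s]*\.jar")

def flag_enabled(cmdline):
    """True if a JVM option (not a program argument) sets the property to true."""
    enabled = False
    toks = shlex.split(cmdline)[1:]  # assumption: first token is the java binary
    i = 0
    # JVM options end at -jar or at the main class (first token without "-").
    while i < len(toks) and toks[i].startswith("-") and toks[i] != "-jar":
        tok = toks[i]
        if tok in ("-cp", "-classpath", "--class-path"):
            i += 1                   # skip the classpath value
        elif tok == FLAG:
            enabled = False          # -Dname without a value is not "true"
        elif tok.startswith(FLAG + "="):
            # Assumptions: a later -D overrides an earlier one, and the
            # value is compared case-insensitively.
            enabled = tok.split("=", 1)[1].lower() == "true"
        i += 1
    return enabled

def assess(cmdline):
    """Classify each log4j-core jar named on a JVM command line."""
    enabled = flag_enabled(cmdline)
    results = []
    for m in JAR_RE.finditer(cmdline):
        version = tuple(int(g or 0) for g in m.groups())
        if not enabled:
            status = "no-flag"
        elif version >= MIN_FLAG_VERSION:
            status = "flag-applies"
        else:
            status = "flag-ignored"  # too old: setting it changes nothing
        results.append((".".join(map(str, version)), status))
    return results or [("unknown", "needs-inventory")]  # no jar name visible

# Constructed sample command lines, not taken from any real host.
SAMPLES = {
    "app-a": "java -Dlog4j2.formatMsgNoLookups=true -cp /opt/a/lib/log4j-core-2.14.1.jar:/opt/a/a.jar Main",
    "app-b": "java -Dlog4j2.formatMsgNoLookups=True -cp /opt/b/lib/log4j-core-2.8.2.jar:/opt/b/b.jar Main",
    "app-c": "java -cp /opt/c/lib/log4j-core-2.13.3.jar Main -Dlog4j2.formatMsgNoLookups=true",
    "app-d": "java -Dlog4j2.formatMsgNoLookups=true -jar /opt/d/service.jar",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, assess(cmd))
```

The statuses describe only whether the flag is set and honoured; they do not indicate whether the installed version is patched.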

Remediation

The following GitHub page has direct links to various vendor updates.

Collected Resources

GitHub page with links to various vendor updates.

Python script for testing if a device is vulnerable to CVE-2021-44228.

GitHub page with tested, known vulnerable vendors.

A very thorough writeup with expanded information can be found on techsolvency.com.

This site also includes additional information on impacted and non-impacted vendors.
