Critical – Vulnerability for Log4j, CVE-2021-44228, Log4Shell, Update #2
Date of Notice: 12/17/2021
Action Level - Critical
MCNC would like to update you on the threat affecting the Java logging utility Log4j. This is being tracked as CVE-2021-44228. Apache documentation here. As new information becomes available, Apache has continued to update their recommendations, and some mitigations that were previously reported are now known to be ineffective. Additionally, the 2.15.0 release included some vulnerabilities, and 2.16.0 release is now the recommended version.
- Previous updates included a mitigation by setting log4j2.formatMsgNoLookups to True.This is now known to be ineffective and is no longer advised.
- Log4j 2.15.0 was found to still be vulnerable to several exploits and should be updated to 2.16.0
- Due to the updated fix released in 2.16.0, vendors may be releasing updated patches for devices or software that have already been declared as fixed or not vulnerable. It is recommended to watch for relevant vendor updates even if you have previously determined your devices are not vulnerable.
While no exhaustive list has been collected, the following page contains known tested software and its vulnerability status. Even if a given device isn’t on this page, assume it is vulnerable until proven otherwise.
Any attacker with network access that can pass text to the given device can exploit this vulnerability. This could be an external bad actor interacting with public facing devices or an internal bad actor interacting with any device they have network access to.
This vulnerability is actively being exploited.
- Various A/V and WAF vendors are beginning to roll out detections of these attacks.
- In any Log4j release other than 2.16.0, you may remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Ensure all devices are patched to their most current version.
For Apache Log4j installations, update to release 2.16.0 (for Java 8) or 2.12.2 (for Java 7). If updating is not an option, follow the mitigation steps to remove the JndiLookup class.
The following GitHub page has direct links to various vendor updates.
Apache Log4j Security page, with current information about mitigation & remediation
Github page with links to various vendor updates.
Python script for testing if a device is vulnerable to CVE-2021-44228.
Github page with tested, known vulnerable vendors.
A very thorough writeup with expanded information can be found on techsolvency.com.
This site also includes additional information on impacted and non-impacted vendors as well.