Number: AL21-019 - Update 7
Date: December 10, 2021
Updated: December 29, 2021
Audience
This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Overview
On 10 December 2021, Apache released a Security Advisory Footnote 1Footnote 2 highlighting a critical remote code execution vulnerability in Log4j, a widely deployed Java-based logging utility. Open-source reporting indicates that active scanning and exploitation of this vulnerability have been observed.
Details
On 10 December 2021, Apache released a Security Advisory Footnote 1Footnote 2 highlighting a critical remote code execution vulnerability in Log4j, affecting versions between 2.0-beta9 to 2.14.1. The vulnerability allows a remote unauthenticated actor to execute arbitrary code on an affected device.
Open-source reporting indicates that the critical vulnerability, tracked as CVE-2021-44228 Footnote 3, is actively being scanned for and exploited. Due to the Log4j library’s widespread use in popular frameworks, many third-party apps may also be vulnerable to exploitation. In addition, Log4j is often used in enterprise Java software and is also included in several Apache frameworks including but not limited to: Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift. Other Java frameworks also include it in their libraries, including but not limited to: Netty, MyBatis and the Spring Framework. Footnote 4
Update 1
The Apache Log4j library allows for developers to log output from various data sources within their applications. In certain circumstances, the data being logged originates from user input. Notably, it supports Java Naming and Directory Interface (JNDI) features, which it leverages in configuration, logging messages and parameters. In vulnerable versions of Log4j, logged user data containing JNDI lookups to actor-controlled endpoints could be performed, which would result in the server loading and executing arbitrary code from the endpoint.
The Cyber Centre strongly encourages organizations internally review potentially impacted applications. While non-exhaustive, community sources are assisting in these efforts with the identification of impacted products. Footnote 8
Apache has released Log4j version 2.15, which addresses this vulnerability. In addition, Apache has provided workarounds for previous releases when upgrading is not possible.
Update 2
It has been determined that Log4j 2.15.0 may still be vulnerable under certain non-default configurations. Apache has released Log4j version 2.16.0 to address this latest vulnerability, which is tracked as CVE-2021-45046. Footnote 1
Update 3
The Cyber Centre assesses that organizations who have already patched to 2.15.0 and use a standard configuration can follow standard patching processes for updating to 2.16.0. Organizations who have not updated yet should update to 2.16.0 or apply the suggested mitigation if updating is not immediately possible.
NCSC-NL, with the help of the security community, has compiled a robust source of information regarding the Log4j vulnerability including but not limited to indicators of compromise, mitigation advice and affected software.Footnote 9 Additionally, CISA’s guidance is a valuable source of information.Footnote 10
Update 4
On 17 December 2021 Apache updated its assessment of the severity and impact of CVE-2021-45046 to critical, remote code execution. Footnote 1
Update 5
On 17 December 2021 Apache released Log4j 2.17 to address a denial of service (DOS) vulnerability in versions 2.0-alpha1 through 2.16.0 (Java 8). This vulnerability has been assigned CVE-2021-45105 and has been rated CVSS 7.5. Footnote 1
Update 6
On 22 December 2021 Apache released Log4j 2.12.3 for Java 7 users and 2.3.1 for Java 6 users to address currently known vulnerabilities and harden JNDI functionality. Footnote 1 The Cyber Centre encourages users of Java 6 and 7 to upgrade to a later version of Java as public support for these versions has ended.
In addition, the Cyber Centre has collaborated with its international counterparts to release “Joint cybersecurity advisory on mitigating Log4Shell and other Log4j-related vulnerabilities.” Footnote 12
Update 7
On 28 December 2021 Apache released Log4j version 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6) to address a vulnerability in versions prior to 2.17.1 (Java 8), 2.1.4 (Java 7) and 2.1.3 (Java 6). This vulnerability has been assigned CVE-2021-44832 and a CVSS 6.6. Exploitation of this vulnerability would require that an actor have permission to modify a specific configuration file on an affected system in order to achieve remote code execution. Footnote 1
Suggested action
The Cyber Centre encourages those organizations with applications leveraging Apache Log4j to:
- Update 7 (Java 8): Cyber Centre recommends upgrading to Log4j version 2.16 or later as soon as possible.
- Update 7 (Java 7): Cyber Centre recommends that Java 7 users refer to Apache for specific actions and consider upgrading to a later version of Java. Footnote 1 Log4j version 2.1.4 has been released.
- Update 7 (Java 6): Cyber Centre recommends that Java 6 users refer to Apache for specific actions and consider upgrading to a later version of Java. Footnote 1 Log4j version 2.3.2 has been released.
-
Update 6: If upgrading is not immediately possible, consider applying the suggested mitigation from Apache. Footnote 1
- Check logs for signs of compromise.
Additional vendors affected by the reported vulnerabilities may also release security advisories related to their impacted products.
Detection
Identify Java Naming and Directory Interface (JNDI) lookups in upstream logs to verify for potential impact or exploit attempts. Footnote 5Footnote 6
Verify traffic from known scanning IP addresses Footnote 7 by checking firewall logs.
Update 1.1
Mitigation
Apache recommends the following mitigations if patching cannot be immediately performed: Footnote 1
In Log4j versions >= 2.10, the vulnerable behavior can be mitigated by setting the system property “log4j2.formatMsgNoLookups” to “true”. Alternatively, the environment variable “LOG4J_FORMAT_MSG_NO_LOOKUPS” can be set to “true” in order to mitigate this behavior.- Update 2: This mitigation measure has been discredited according to Apache. Footnote 1
- For Log4j versions < 2.16.0, the mitigation is to remove the JndiLookup class from the classpath by running the following command.
- “zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class”
- Update 2: This mitigation measure has been expanded to include all versions of Log4j < 2.16.0. Footnote 1
- Update 5: For Log4j versions < 2.17.0, the mitigation for CVE-2021-45105 is to remove or replace references to Context Lookups in the configuration.
- In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). Footnote 1
- Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input. Footnote 1
Should activity matching the content of this Alert be discovered, recipients are encouraged to contact the Cyber Centre through My Cyber Portal, by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).