Security Advisories December 2021 #1

Last Update 20.12.2021

Cisco and other vendors have published critical security advisories about a vulnerability in log4j:

  • Cisco
  • VMware
  • Palo Alto Networks
  • Splunk
  • Commvault
  • NetApp
  • Dell Technologies

MITIGATIONS
Update 20.12.2021

A third Log4j2 vulnerability (CVE-2021-45105) was disclosed by the Apache security team.

According to the security advisory, version 2.16.0 is susceptible to a DoS attack.

CVE-2021-45105 (High, CVSS score: 7.5) | Apache Log4j Lookup Denial of Service
Apache Log4j versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. Versions prior to 2.17.0 are susceptible to a vulnerability when the logging configuration uses a non-default Pattern Layout with a Context Lookup. When successfully exploited this could allow attackers with control over Thread Context Map (MDC) input data to craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This issue was fixed in Log4j 2.17.0 and 2.12.3.

Remediating CVE-2021-45105
It is highly recommended that Log4j users upgrade to the latest version, 2.17.0.
If that is not possible at the moment, make sure your Log4j version is at least 2.16.0 and that you are not using any Context Lookups of the form ${ctx:username}.
Such lookups can be replaced with Thread Context Map patterns such as %X, %mdc or %MDC.
If Context Lookups are mandatory, ensure that none of them reference data that is user-controlled in any way.
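As an added example (not part of the advisory or of Apache's own tooling), the following script checks a log4j2.xml configuration for the ${ctx:...} lookups described above, rewrites them to the equivalent %X{...} Thread Context Map pattern, and tells whether a given log4j-core version carries the CVE-2021-45105 fix (2.17.0 or later, or 2.12.3). The configuration it scans is a constructed sample, not a real deployment.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: the "risky" appender still uses Context Lookups
# in its PatternLayout, which is the configuration CVE-2021-45105 requires.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <Console name="safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%t] %X{username} %m{nolookups}%n"/>
    </Console>
    <File name="risky" fileName="app.log">
      <PatternLayout pattern="%d ${ctx:username} ${ctx:request_id} %m%n"/>
    </File>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="risky"/></Root></Loggers>
</Configuration>"""

CTX_LOOKUP = re.compile(r"\$\{ctx:([^}]+)\}")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")  # "2.0-alpha1" -> 2.0.0

def find_context_lookups(config_xml):
    """Return [(appender name, pattern, [lookup keys])] for every PatternLayout
    whose pattern still contains a ${ctx:...} Context Lookup."""
    findings = []
    root = ET.fromstring(config_xml)
    for appender in root.find("Appenders"):
        for layout in appender.iter("PatternLayout"):
            pattern = layout.get("pattern", "")
            keys = CTX_LOOKUP.findall(pattern)
            if keys:
                findings.append((appender.get("name"), pattern, keys))
    return findings

def rewrite_to_mdc_pattern(pattern):
    """Rewrite ${ctx:key} into %X{key}: the MDC value is read directly by the
    layout instead of passing through the recursive lookup engine."""
    return CTX_LOOKUP.sub(r"%X{\1}", pattern)

def is_fixed_for_45105(version):
    """True if log4j-core `version` contains the CVE-2021-45105 fix."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparsable version: {version}")
    major, minor, patch = (int(x) if x else 0 for x in m.groups())
    if (major, minor) == (2, 12):          # maintenance branch: fixed in 2.12.3
        return patch >= 3
    return (major, minor, patch) >= (2, 17, 0)
```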


Update 16.12.2021

Apache released version 2.16.0, which completely disables JNDI functionality by default. This additional update was released because, according to Apache, the mitigations for CVE-2021-44228 in version 2.15.0 were “incomplete in certain non-default configurations”, which could result in DoS attacks.

General

Talos encourages all customers to investigate their internal and third-party usage of Log4j for vulnerable configurations and take remediation actions. If you are uncertain or unable to determine if your implementation is vulnerable, patch aggressively.
If updating is not possible, the Apache Foundation recommends the following mitigations:

  • Users of Log4j 2.10 or greater may add -Dlog4j.formatMsgNoLookups=true as a command-line option or add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath to prevent lookups in log event messages.
  • Users of Log4j 2.7 or later may specify %m{nolookups} in the PatternLayout configuration to prevent lookups in log event messages.
  • Remove the JndiLookup and JndiManager classes from the log4j-core jar. Removal of the JndiManager will cause the JndiContextSelector and JMSAppender to no longer function.

For details and updates please visit the corresponding CISCO SECURITY ADVISORY or contact us via support@nts.eu.