Saturday, December 11, 2021

Log4j vulnerability (aka, Log4Shell, CVE-2021-44228) Updates

  • Advisory

The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review the Apache Log4j 2.15.0 Announcement and upgrade to Log4j 2.15.0 or apply the recommended mitigations immediately.

At this point, 4 CVEs have been released regarding Log4j Vulnerability (aka, Log4Shell – CVE-2021-44228).
CVE-202-44228 (CVSS 10.0, Critical): the original zero-day, a vulnerability which can attacker allow for remote execute code (RCE) through log messages in Log4j 2.x version.
CVE-2021-45046 (CVSS 3.7, Low): A vulnerability that allows an attacker to generate a Denied of Service (DoS) error through log messages, aka, “incomplete fix.”
▶ CVE-2021-45105 (CVSS 7.5, High): Apache Log4j is prone to a Denial-of-Service(DoS) vulnerability while parsing certain crafted HTTP requests.
CVE-2021-4104 (CVSS 8.1, High): A vulnerability found in JMSAppender, another component of Log4j, that allows remote code execution (RCE) through log messages.

▶ CISA's Apache Log4j Vulnerability Guidance

* Reference articles:

  • Vulnerability Details

<Image from govcert>

  • Scanner

  • Security Vendors

▶ Palo Alto Networks
Next-Generation Firewalls with a Threat Prevention security subscription can automatically block sessions related to this vulnerability using Threat IDs -
- 91991 (initially released using Applications and Threat content update version 8498 and further enhanced with version 8499). Additionally, attacker infrastructure is continuously being monitored and blocked.
- 91994 and 91995 (released using Applications Threat content version 8500).

▶ Fortinet


▶ Splunk

  • Indicator of Compromise (IoC)

Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j

▶ GreyNoise is providing IOCs for CVE-2021-44228 Apache Log4j RCE attempts on Github.
C2/Callback domains here.
Latest IPs here.

Microsoft Threat Intelligence Center (MSTIC) has provided a list of IOCs related to this attack and will update them with new indicators as they are discovered.

No comments: