CyRC Vulnerability Analysis: Remote code execution zero-day exploit in Java logging library (log4j2)

The Synopsys Cybersecurity Research Center (CyRC) has issued a corresponding Black Duck® Security Advisory (BDSA), and assigned a CVSS score of 9.4, with links to proof-of-concept exploits.

A dangerous zero-day exploit has been identified in Log4j, a popular Java logging library.

Apache Log4j/Log4j2 is broadly used within the Java community to implement application logging. Because Log4j is a de facto standard in the Java ecosystem, many Java applications use it as their logging implementation, either directly or through a transitive dependency, so an inventory of direct dependencies alone will not show the full exposure.

The vulnerability is tracked as CVE-2021-44228 and affects Apache Log4j2 versions 2.0-beta9 through 2.14.1. In these versions, the Java Naming and Directory Interface (JNDI) features used in configuration, log messages and parameters are not protected against attacker-controlled LDAP and other JNDI-related endpoints. If message lookup substitution is enabled (the default in the affected versions), an attacker who can get a JNDI lookup pattern into any string that ends up being logged can trigger remote code execution (RCE): the lookup resolves against an attacker-controlled LDAP server, and the application loads and runs the arbitrary Java code that server points to.

As noted above, CyRC has issued a corresponding Black Duck® Security Advisory (BDSA), assigned a CVSS score of 9.4, and linked proof-of-concept exploits. The advisory lets Black Duck users identify where they are exposed to this vulnerability without rescanning their applications, which simplifies triage, validation, and remediation.

Excerpts from the BDSA record


Apache Log4j2, as used in many popular services, is vulnerable to improperly allowing lightweight directory access protocol (LDAP) access via Java naming and directory interface (JNDI) features. A remote attacker that supplies the end application with specially crafted input that is then processed by the Log4j2 subcomponent could cause the execution of arbitrary Java code.

How to fix it

As suggested in the Apache Log4j security vulnerabilities page:

Log4j 2.x mitigation: Implement one of the mitigation techniques below.

  • Java 8 (or later) users should upgrade to release 2.16.0.
  • Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
  • Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Update as of December 15, 2021

BDSA-2021-3779 / CVE-2021-45046

BDSA-2021-3779 Description

Log4j is vulnerable to a denial-of-service (DoS) condition. This vulnerability was discovered because the fix for CVE-2021-44228 was incomplete. Under certain non-default Log4j configurations, an attacker can supply malicious JNDI lookup patterns that result in a DoS.

Successful attacks require the attacker to have access to Thread Context Map (MDC) input and Log4j to use a non-default pattern layout.

Only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

Note: Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Earlier configuration-based mitigations, such as setting the system property log4j2.formatMsgNoLookups to true, do NOT mitigate this vulnerability, because the lookup here is performed by the pattern layout rather than by message formatting. Relying on those settings alone therefore leaves the CVE-2021-44228 mitigation open to bypass.

Description from Apache
CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.
Severity: Moderate
Base CVSS Score: 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Versions Affected: all versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.
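Putting the "How to fix it" list and the CVE-2021-45046 update into a check you can run offline: the script below is an added example (not Synopsys or Apache code) that finds log4j-core inside jars and nested archives such as WEB-INF/lib, reads the version from the Maven pom.properties entry, reports whether JndiLookup.class is still on the classpath, classifies the finding against the version ranges quoted above for CVE-2021-44228 and CVE-2021-45046, and can rewrite a jar without JndiLookup.class, which is what the zip -q -d command in the mitigation list does. It assumes the jar still carries the standard META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties entry (a shaded or repackaged jar may not, and is then treated as exposed until its version is confirmed), it treats 2.12.2 as the fixed Java 7 release the mitigation list names, and the jars it scans are constructed in memory with placeholder class bytes rather than real releases.

```python
"""Offline triage for CVE-2021-44228 / CVE-2021-45046 (added example, not Synopsys/Apache code)."""
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata path in a log4j-core release jar (assumption: the jar was not shaded/repackaged without it).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, True, ''); '2.0-beta9' -> (2, 0, 0, False, 'beta9').
    Pre-releases sort below the final release; plain string order suffices for the 2.0 beta/rc names."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), pre is None, pre or "")


def affected_cves(version):
    """Ranges from the advisories: CVE-2021-44228 is 2.0-beta9..2.14.1 (2.12.2 is the Java 7 fix);
    CVE-2021-45046 is 2.0-beta9..2.12.1 and 2.13.0..2.15.0."""
    v = parse_version(version)
    between = lambda lo, hi: parse_version(lo) <= v <= parse_version(hi)
    cves = []
    if between("2.0-beta9", "2.14.1") and v != parse_version("2.12.2"):
        cves.append("CVE-2021-44228")
    if between("2.0-beta9", "2.12.1") or between("2.13.0", "2.15.0"):
        cves.append("CVE-2021-45046")
    return cves


def scan_archive(data, label):
    """Yield (label, version, jndi_lookup_present) for every log4j-core in the archive bytes,
    descending into nested archives (WEB-INF/lib, fat jars). version is None without pom.properties."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            yield label, version, JNDI_LOOKUP in names
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from scan_archive(zf.read(name), f"{label}!{name}")


def triage(version, jndi_present):
    """Map a finding onto the mitigation list: upgrade, or at least confirm JndiLookup is gone."""
    # No pom.properties (shaded/repackaged jar): treat as exposed until the version is confirmed.
    cves = affected_cves(version) if version else ["CVE-2021-44228", "CVE-2021-45046"]
    if not cves:
        return "ok: fixed release"
    if not jndi_present:
        return "mitigated: JndiLookup removed, still upgrade (" + ", ".join(cves) + ")"
    return "VULNERABLE: " + ", ".join(cves) + ", JndiLookup on the classpath"


def strip_jndi_lookup(data):
    """The `zip -q -d log4j-core-*.jar .../JndiLookup.class` mitigation done in-process:
    rewrite the jar with every entry except JndiLookup.class."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))  # keeps name, timestamp, compression
    return out.getvalue()


def scan_tree(root):
    """What you would run against a deployment directory: (label, version, jndi_present, verdict)."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            for label, version, jndi in scan_archive(path.read_bytes(), str(path)):
                yield label, version, jndi, triage(version, jndi)


# Constructed sample data: tiny stand-ins for real jars (class bodies are just the class-file magic).
def make_archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_log4j_core(version, with_jndi=True):
    entries = {POM_PROPS: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
               "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe"}
    if with_jndi:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
    return make_archive(entries)


if __name__ == "__main__":
    samples = {
        "lib/log4j-core-2.14.1.jar": make_log4j_core("2.14.1"),
        "lib/log4j-core-2.14.1-stripped.jar": strip_jndi_lookup(make_log4j_core("2.14.1")),
        "app.war": make_archive({"WEB-INF/lib/log4j-core-2.15.0.jar": make_log4j_core("2.15.0")}),
    }
    for label, data in samples.items():
        for found, version, jndi in scan_archive(data, label):
            print(f"{found}: version={version} jndi_lookup={jndi} -> {triage(version, jndi)}")
```

Run it as-is to see the verdict for each constructed sample, or call scan_tree() on a deployment directory. A stripped jar is reported as mitigated but still lists the affected CVEs, because removing the class is a workaround rather than a fix; upgrading to 2.16.0 (or 2.12.2 on Java 7) remains the action, and a 2.15.0 jar with JndiLookup present is still flagged for CVE-2021-45046.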

How Synopsys helps

With Black Duck software composition analysis (SCA), all the open source used in your applications is identified, cataloged, and continuously monitored for newly disclosed vulnerabilities. Should a vulnerability be discovered, our team of security researchers works to compile, confirm, and augment any related information before issuing a security advisory to all affected customers. These advisories contain the details necessary to understand, prioritize, and remediate vulnerabilities within the context of your applications, and they’re issued within hours of a vulnerability being disclosed.


Originally posted on December 10, 2021, updated on December 15, 2021.

Posted by Jagat Parekh

Jagat Parekh is an engineering director with the Synopsys Software Integrity Group. He leads the engineering teams that build the Black Duck KnowledgeBase™, the most comprehensive database of open source component, vulnerability, and license information. He engages with technical and business communities to understand how application security is evolving with ever-expanding attack surfaces and increasingly sophisticated threats. He specializes in building mission-critical, scalable SaaS products used by enterprise customers, with a proven track record of record uptime and the capacity to process petabytes of data consistently. With master's degrees in computer science from Syracuse University and in liberal arts from Harvard University, and 15+ years of building information security products, he possesses a unique combination of engineering, management, and business vision. He manages a global team of 50 software engineers, architects, and managers. The cybersecurity products he has built include Data Loss Prevention (DLP), Vulnerability Risk Management, Security Incident & Event Management (SIEM), and Governance, Risk & Compliance (GRC), all consistently recognized as industry leaders in the Gartner Magic Quadrant and the Forrester Wave. The recent proliferation of software supply chain attacks and the overall state of cybersecurity are of keen interest to him.
