Log4j: Getting ready for the long haul (CVE-2021-44228)

Published: 2021-12-14. Last Updated: 2021-12-14 13:07:59 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Friday (Dec. 10th), we moved our Infocon to "Yellow" for the first time in about two years. We saw an immediate need to get the word out as the log4shell vulnerability (CVE-2021-44228) was actively exploited and affected various widely used products. Patches and workarounds were not readily available at the time. Our Infocon indicates "change," not "steady-state." By now, everybody in infosec knows about log4shell. This morning I noticed that even cnn.com had log4j/log4shell mentioned at the top of the page. Once CNN covers an infosec topic like this, it should be old news for anybody "in the field."

We are now moving our "Infocon" back to "green."

Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon. Treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: How to live with log4shell long term.

Please keep notes as you are dealing with this vulnerability and as you are finding new instances in your environment using log4j. I don't think this was the last we heard of log4j or JNDI. History taught us that vulnerabilities like this could focus attention on respective features and libraries. I suspect there will be more to come.

As of this writing, log4j 2.16 is the officially fixed version. log4j 2.15 was the initial fix, with 2.16 fixing some issues with pattern formatters that could still expose you to JNDI lookups.
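Finding every copy of log4j in your environment (including copies bundled inside other applications) and recording which version each one is, as the diary asks, is the part of the marathon that is easiest to automate. The script below is an added example, not code from the diary or from the log4j project: it walks a directory tree, opens every jar/war/ear (recursing into archives nested inside archives), reads the version from log4j-core's own Maven pom.properties, and flags anything below 2.16.0, the version the diary names as the official fix at the time of writing. It also records whether the JndiLookup class is present in the archive. The sample archives it builds for the demo are constructed inline; the version threshold and the scanned paths are assumptions you adjust for your own inventory.

```python
"""Added example (not part of the ISC diary): inventory log4j-core archives on disk.

Walks a directory tree, opens every .jar/.war/.ear/.zip (including archives
nested inside other archives) and reports the log4j-core version found in
META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties.
Versions below FIXED_VERSION are flagged; the presence of JndiLookup.class
is recorded as well, since its removal is a common interim workaround.
"""
import io
import os
import zipfile
from dataclasses import dataclass

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)  # the diary names 2.16 as the officially fixed version
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str             # archive path; nested entries are shown as outer!inner
    version: str          # version from pom.properties, or "unknown"
    has_jndi_lookup: bool
    needs_attention: bool


def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); '2.16' -> (2, 16, 0); '2.15.0-rc1' -> (2, 15, 0)."""
    parts = []
    for piece in text.strip().split("."):
        num = ""
        for ch in piece:          # keep only the leading digits of each component
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    while len(parts) < 3:         # pad so (2, 16) compares equal to (2, 16, 0)
        parts.append(0)
    return tuple(parts[:3])


def inspect_archive(data: bytes, label: str, findings: list) -> None:
    """Inspect one archive given as bytes and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                    # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PATH in names:
            version = "unknown"
            for line in zf.read(POM_PATH).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            needs = version == "unknown" or parse_version(version) < FIXED_VERSION
            findings.append(Finding(label, version, JNDI_CLASS in names, needs))
        elif JNDI_CLASS in names:
            # log4j-core classes bundled without Maven metadata (shaded/uber jars)
            findings.append(Finding(label, "unknown", True, True))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> list:
    """Scan every archive under root and return the list of Findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, findings)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample input: an old log4j-core jar nested inside a war,
    a 2.16.0 jar on its own, and an unrelated jar that must not be reported."""
    def make_zip(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    old = make_zip({POM_PATH: "groupId=org.apache.logging.log4j\nversion=2.14.1\n",
                    JNDI_CLASS: b"\xca\xfe\xba\xbe"})   # placeholder class bytes
    fixed = make_zip({POM_PATH: "version=2.16.0\n"})
    other = make_zip({"com/example/App.class": b"\xca\xfe\xba\xbe"})
    os.makedirs(os.path.join(root, "app"), exist_ok=True)
    with open(os.path.join(root, "app", "webapp.war"), "wb") as fh:
        fh.write(make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": old}))
    with open(os.path.join(root, "app", "log4j-core-2.16.0.jar"), "wb") as fh:
        fh.write(fixed)
    with open(os.path.join(root, "app", "other.jar"), "wb") as fh:
        fh.write(other)


def demo() -> list:
    """Build the constructed sample tree in a temp directory and scan it."""
    import tempfile
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        flag = "ATTENTION" if f.needs_attention else "ok"
        print(f"{flag:9} {f.version:8} jndi={f.has_jndi_lookup} {f.path}")
```

Run it with a directory as the only argument to scan real filesystems; with no argument it scans the constructed sample tree and reports the nested 2.14.1 jar as needing attention and the 2.16.0 jar as fine. Keep the output: the point of the diary is that you will be revisiting this list for a long time, and a dated inventory of what you found and where is what lets you prove later that a given copy was patched or removed.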

Here are a few resources about log4j/log4shell:

RCE in Log4j / Log4Shell or how things can get bad quickly
https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/

Log4Shell Exploited to Implant Coin Miners
https://isc.sans.edu/forums/diary/Log4Shell+exploited+to+implant+coin+miners/28124/

Log4Shell Live Stream
https://www.youtube.com/watch?v=oC2PZB5D3Ys

Log4Shell Followup: What we see and how to defend, and how to access our data
https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/

Log4j Zero-Day
https://www.lunasec.io/docs/blog/log4j-zero-day/

List of Vendor Bulletins
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592

List of Vulnerable Software
https://github.com/NCSC-NL/log4shell/tree/main/software

Official log4j Website
https://logging.apache.org/log4j/2.x/

log4j 2.16 Update which fixes some remaining JNDI related issues
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3221?filter=allissues


---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu


Comments

Thanks for everyone's collective work on this at ISC. Changing the infocon status is how I was alerted. I would have come across it eventually but much later in the day probably. This worked as intended and I don't miss the days where this changed pretty frequently.