Hackerss.com

MaxX
Critical Vulnerability Apache Log4j 2 Solution CVE-2021-44228

On December 9, 2021 a Log4j 2 vulnerability was disclosed that allows an attacker to execute code on the affected server / device. It is a very severe vulnerability because Java with Log4j is used in a lot of places, and it needs to be patched ASAP.


Solution / Fix

For your own application the fix can be quite simple: upgrade Log4j to version 2.17.0.

Log4j 2.17.0 has now been released; the changes included are:

  1. Fix string substitution recursion. Fixes LOG4J2-3230.
  2. Limit JNDI to the java protocol only. JNDI will remain disabled by default. Rename JNDI enablement property from 'log4j2.enableJndi' to 'log4j2.enableJndiLookup', 'log4j2.enableJndiJms', and 'log4j2.enableJndiContextSelector'. Fixes
  3. Limit JNDI to the java protocol only. JNDI will remain disabled by default. The enablement property has been renamed to 'log4j2.enableJndiJava'. Fixes LOG4J2-3242.
  4. Do not declare log4j-api-java9 and log4j-core-java9 as dependencies as it causes problems with the Maven enforcer plugin. Fixes LOG4J2-3241.
  5. PropertiesConfiguration.parseAppenderFilters NPE when parsing properties file filters. Fixes LOG4J2-3247.
  6. Log4j 1.2 bridge for Syslog Appender defaults to port 512 instead of 514. Fixes LOG4J2-3249.
  7. Log4j 1.2 bridge API hard codes the Syslog protocol to TCP. Fixes LOG4J2-3237.

Log4j 2.16.0 has been released; the changes included are:

  1. Disable JNDI by default. Require log4j2.enableJndi to be set to true to allow JNDI. Fixes LOG4J2-3208.
  2. Completely remove support for Message Lookups. Fixes LOG4J2-3211.

Mitigations

https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0

If you cannot upgrade to 2.15.0, you can use the following mitigations:

Mitigation 1:

For Log4j 2.10 or greater, start the JVM with the system property
-Dlog4j2.formatMsgNoLookups=true

Mitigation 2:

For Log4j 2.7 or greater, use %m{nolookups} in the PatternLayout.

Mitigation 3:

For any version of Log4j 2, remove the JndiLookup and JndiManager classes from the log4j jar.
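Before applying any of the mitigations you need to know which jars on a host still carry the vulnerable lookup class. The script below is an added example written for this post, not code from the original article or from the Log4j project: it walks a directory, reads the log4j-core version from the jar's Maven pom.properties, checks whether JndiLookup.class is present, classifies each jar as patched (2.17.0 or later), mitigated (class already stripped) or vulnerable, and applies mitigation 3 by rewriting a vulnerable jar without the class. The sample jars it scans are constructed in a temporary directory with placeholder class bodies; the paths JNDI_LOOKUP_CLASS and POM_PROPERTIES are the ones real log4j-core jars use, and the version threshold follows the 2.17.0 recommendation above.

```python
"""Scan jars for the Log4j JndiLookup class and apply mitigation 3.
Added example for this post, not the original author's or the Log4j
project's code.  Runs offline on constructed sample jars."""
import os
import re
import tempfile
import zipfile

# Path of the lookup class inside log4j-core; mitigation 3 removes it.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped in log4j-core jars; used to read the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 17, 0)  # release the post recommends upgrading to


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); suffixes such as '-beta9' are dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def inspect_jar(path):
    """Describe one jar: log4j-core version, JndiLookup presence, verdict."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_lookup = JNDI_LOOKUP_CLASS in names
    if version is None and not has_lookup:
        verdict = "not-log4j-core"
    elif version is not None and parse_version(version) >= FIXED_VERSION:
        verdict = "patched"       # 2.17.0+ still ships the class, restricted
    elif has_lookup:
        verdict = "vulnerable"
    else:
        verdict = "mitigated"     # old version, but the class was stripped
    return {"path": path, "version": version, "jndi_lookup": has_lookup, "verdict": verdict}


def scan_directory(root):
    """Walk root and inspect every *.jar (nested jars/wars are not opened)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                results.append(inspect_jar(os.path.join(dirpath, name)))
    return results


def strip_jndi_lookup(src, dst):
    """Copy jar src to dst without JndiLookup.class (mitigation 3).
    Returns True if the class was present and removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def make_sample_jar(path, version, with_lookup=True):
    """Constructed fixture mimicking log4j-core's layout; class bodies are
    placeholders, not real bytecode."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\n")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe placeholder")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")


def demo():
    """Build three constructed jars, scan, strip the vulnerable one, rescan.
    Returns (verdicts before, verdicts of the jars that were rewritten)."""
    workdir = tempfile.mkdtemp(prefix="log4j-scan-")
    make_sample_jar(os.path.join(workdir, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(workdir, "log4j-core-2.17.0.jar"), "2.17.0")
    make_sample_jar(os.path.join(workdir, "lib", "log4j-core-2.11.0.jar"), "2.11.0", with_lookup=False)
    before = {os.path.basename(r["path"]): r["verdict"] for r in scan_directory(workdir)}
    after = {}
    for r in scan_directory(workdir):
        if r["verdict"] == "vulnerable":
            stripped = r["path"] + ".stripped"
            strip_jndi_lookup(r["path"], stripped)
            os.replace(stripped, r["path"])   # atomically swap in the mitigated jar
            after[os.path.basename(r["path"])] = inspect_jar(r["path"])["verdict"]
    return before, after


if __name__ == "__main__":
    for stage, verdicts in zip(("before", "after"), demo()):
        for name, verdict in sorted(verdicts.items()):
            print(f"{stage:6} {name}: {verdict}")
```

Point scan_directory at a real library directory to get the same report; the check is deliberately conservative in that a jar without pom.properties but with the class is still reported as vulnerable. Stripping a class from a jar with this script is a stop-gap for hosts that cannot be upgraded, and the application must be restarted afterwards for the change to take effect; fat jars, wars and ears that embed log4j-core are not opened by this scanner.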


3rd Party applications

It is highly possible that you have 3rd party applications on your servers / devices that also use Java; you need to update them as well, as soon as their vendors release a patch. However, some old devices are no longer updated by their vendors, and those devices will remain exploitable.


List of some companies / products affected

  • Minecraft
  • Twitter
  • Amazon
  • Tesla
  • Apple iCloud
  • and more

Cloudflare

Cloudflare is implementing a fix for this issue because they identified a lot of scanning in their network. At first it was only for paying customers of Cloudflare, but they are also considering it for all users.

