Log4j 2.15.0 and previously suggested mitigations may not be enough
According to a new Apache Log4j security bulletin, version 2.15.0 and the initially suggested mitigation measures do not completely address the Log4Shell vulnerability in certain custom configurations.
It was discovered that version 2.15.0 would still be vulnerable when the configuration has a pattern layout containing a Context Lookup (for example, $${ctx:loginId}), or a Thread Context Map pattern %X, %mdc, or %MDC. In these cases, when the attacker manages to control the Thread Context values, JNDI lookup injections may be possible, resulting in JNDI connections. Version 2.15.0 limited JNDI connections to 'localhost', but this possibility could still result in a denial of service (DoS) or worse.
Therefore, a new version (2.16.0) has been made available to completely fix the issue (so far at least) associated with CVE-2021-45046, along with more effective mitigation measures for 2.x versions:
- Java 8 (or later) users should upgrade to release 2.16.0.
- Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
The mitigation measures previously reported, such as setting the log4j2.formatMsgNoLookups variable to 'true', are not considered fully effective. The advisory says:
"The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors."
So, if you could not upgrade to versions 2.15.0 or 2.16.0 and followed the previous mitigations, you are advised to remove the JndiLookup class from the log4j-core jar to mitigate the vulnerability.
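As an added example (not code from the diary or from the Log4j project), a small Python triage helper that encodes the advisory's rules above: 2.16.0 or later (or 2.12.2 for Java 7) is fixed, an older jar counts as mitigated only if JndiLookup.class has been removed, and a 2.15.0 jar combined with a pattern layout using %X, %mdc, %MDC or ${ctx:...} is still exposed. The jars it inspects are constructed in memory; the pom.properties path is the one the official log4j-core artifact ships, and the verdict strings are assumptions of this example.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Pattern-layout conversion words and lookups named in the advisory.
CTX_PATTERNS = re.compile(r"\$\{ctx:|%X\b|%mdc\b|%MDC\b")


def parse_version(text):
    """Extract 'version=2.15.0' from pom.properties as an int tuple."""
    m = re.search(r"^version=([\d.]+)", text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def inspect_jar(data):
    """Return (version tuple or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        version = parse_version(jar.read(POM_PROPS).decode()) if POM_PROPS in names else None
    return version, JNDI_CLASS in names


def config_uses_context_lookup(config_text):
    """True if the layout pulls Thread Context values into log lines."""
    return bool(CTX_PATTERNS.search(config_text))


def assess(data, config_text=""):
    """Apply the advisory's rules to a jar (bytes) and its logging config."""
    version, has_jndi = inspect_jar(data)
    if version and (version >= (2, 16, 0) or (2, 12, 2) <= version < (2, 13, 0)):
        return "fixed"
    if not has_jndi:
        return "mitigated: JndiLookup removed"
    if version == (2, 15, 0):
        if config_uses_context_lookup(config_text):
            return "2.15.0: exposed via Thread Context"
        return "2.15.0: upgrade to 2.16.0"
    return "vulnerable: upgrade or remove JndiLookup"


def make_jar(version, include_jndi=True):
    """Construct a minimal fake log4j-core jar for offline testing (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

On a real host, pass the bytes of each log4j-core-*.jar found on the classpath plus the contents of its log4j2.xml to assess().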
The advisory is available at: https://logging.apache.org/log4j/2.x/security.html
--
Renato Marinho, Morphus Labs
Microsoft December 2021 Patch Tuesday
Amidst the unfolding of the Log4Shell vulnerability, more updates have just arrived with December's Microsoft Patch Tuesday. This month we got patches for 83 vulnerabilities. Of these, 7 are critical, 6 were previously disclosed and 1 is being exploited, according to Microsoft.
The 0-day is a spoofing vulnerability on the Windows AppX installer (CVE-2021-43890). According to the advisory, Microsoft is aware of attempts to exploit this vulnerability by using specially crafted packages to implant malware families like Emotet, Trickbot, and Bazaloader. An attacker could use malicious attachments in phishing campaigns to exploit the vulnerability and convince the user to open it. Users of the tool are advised to upgrade to the fixed version using the links on the security advisory. The CVSS for the vulnerability is 7.1.
Amongst critical vulnerabilities, the iSNS Server memory corruption vulnerability can lead to remote code execution (CVE-2021-43215). According to the advisory, an attacker could send a specially crafted request to the Internet Storage Name Service (iSNS) server, which could result in remote code execution. The Internet Storage Name Service (iSNS) protocol is not installed by default and is used for interaction between iSNS servers and iSNS clients. The CVSS for this vulnerability is 9.8.
There is also a critical vulnerability affecting the Microsoft Office app that can lead to RCE (CVE-2021-43905). According to the advisory, the attack vector is network, the attack complexity is low, and user interaction is required. The CVSS v3 for this vulnerability is 9.6.
In addition to the iSNS, another vulnerability has been associated with this month's highest CVSS - 9.8. It is an RCE on Visual Studio Code WSL Extension (CVE-2021-43907). According to the advisory, the attack vector is network, the attack complexity is low and no user interaction is required to exploit the vulnerability.
See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.
December 2021 Security Updates
Description / CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
---|---|---|---|---|---|---|---|
ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | |||||||
CVE-2021-43877 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Bot Framework SDK Remote Code Execution Vulnerability | |||||||
CVE-2021-43225 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
Chromium: CVE-2021-4052 Use after free in web apps | |||||||
CVE-2021-4052 | No | No | - | - | - | ||
Chromium: CVE-2021-4053 Use after free in UI | |||||||
CVE-2021-4053 | No | No | - | - | - | ||
Chromium: CVE-2021-4054 Incorrect security UI in autofill | |||||||
CVE-2021-4054 | No | No | - | - | - | ||
Chromium: CVE-2021-4055 Heap buffer overflow in extensions | |||||||
CVE-2021-4055 | No | No | - | - | - | ||
Chromium: CVE-2021-4056: Type Confusion in loader | |||||||
CVE-2021-4056 | No | No | - | - | - | ||
Chromium: CVE-2021-4057 Use after free in file API | |||||||
CVE-2021-4057 | No | No | - | - | - | ||
Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE | |||||||
CVE-2021-4058 | No | No | - | - | - | ||
Chromium: CVE-2021-4059 Insufficient data validation in loader | |||||||
CVE-2021-4059 | No | No | - | - | - | ||
Chromium: CVE-2021-4061 Type Confusion in V8 | |||||||
CVE-2021-4061 | No | No | - | - | - | ||
Chromium: CVE-2021-4062 Heap buffer overflow in BFCache | |||||||
CVE-2021-4062 | No | No | - | - | - | ||
Chromium: CVE-2021-4063 Use after free in developer tools | |||||||
CVE-2021-4063 | No | No | - | - | - | ||
Chromium: CVE-2021-4064 Use after free in screen capture | |||||||
CVE-2021-4064 | No | No | - | - | - | ||
Chromium: CVE-2021-4065 Use after free in autofill | |||||||
CVE-2021-4065 | No | No | - | - | - | ||
Chromium: CVE-2021-4066 Integer underflow in ANGLE | |||||||
CVE-2021-4066 | No | No | - | - | - | ||
Chromium: CVE-2021-4067 Use after free in window manager | |||||||
CVE-2021-4067 | No | No | - | - | - | ||
Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page | |||||||
CVE-2021-4068 | No | No | - | - | - | ||
DirectX Graphics Kernel File Denial of Service Vulnerability | |||||||
CVE-2021-43219 | No | No | Less Likely | Less Likely | Important | 7.4 | 6.4 |
HEVC Video Extensions Remote Code Execution Vulnerability | |||||||
CVE-2021-40452 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
CVE-2021-40453 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
CVE-2021-41360 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability | |||||||
CVE-2021-43899 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.5 |
Microsoft BizTalk ESB Toolkit Spoofing Vulnerability | |||||||
CVE-2021-43892 | No | No | - | - | Important | 7.4 | 6.7 |
Microsoft Defender for IOT Elevation of Privilege Vulnerability | |||||||
CVE-2021-42312 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Microsoft Defender for IoT Information Disclosure Vulnerability | |||||||
CVE-2021-43888 | No | No | Less Likely | Less Likely | Important | 7.5 | 7.0 |
Microsoft Defender for IoT Remote Code Execution Vulnerability | |||||||
CVE-2021-42310 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1 |
CVE-2021-42311 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
CVE-2021-42313 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
CVE-2021-42314 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
CVE-2021-42315 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
CVE-2021-43882 | No | No | Less Likely | Less Likely | Important | 9.0 | 7.8 |
CVE-2021-43889 | No | No | Less Likely | Less Likely | Important | 7.2 | 6.7 |
CVE-2021-41365 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
Microsoft Excel Remote Code Execution Vulnerability | |||||||
CVE-2021-43256 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | |||||||
CVE-2021-42293 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability | |||||||
CVE-2021-43216 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
Microsoft Message Queuing Information Disclosure Vulnerability | |||||||
CVE-2021-43222 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
CVE-2021-43236 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
Microsoft Office Graphics Remote Code Execution Vulnerability | |||||||
CVE-2021-43875 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Microsoft Office Trust Center Spoofing Vulnerability | |||||||
CVE-2021-43255 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
Microsoft Office app Remote Code Execution Vulnerability | |||||||
CVE-2021-43905 | No | No | More Likely | More Likely | Critical | 9.6 | 8.6 |
Microsoft PowerShell Spoofing Vulnerability | |||||||
CVE-2021-43896 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
Microsoft SharePoint Server Remote Code Execution Vulnerability | |||||||
CVE-2021-42294 | No | No | Less Likely | Less Likely | Important | 7.2 | 6.3 |
CVE-2021-42309 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7 |
Microsoft SharePoint Server Spoofing Vulnerability | |||||||
CVE-2021-42320 | No | No | Less Likely | Less Likely | Important | 8.0 | 7.0 |
CVE-2021-43242 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6 |
NTFS Set Short Name Elevation of Privilege Vulnerability | |||||||
CVE-2021-43240 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Remote Desktop Client Remote Code Execution Vulnerability | |||||||
CVE-2021-43233 | No | No | More Likely | More Likely | Critical | 7.5 | 6.5 |
Storage Spaces Controller Information Disclosure Vulnerability | |||||||
CVE-2021-43227 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
CVE-2021-43235 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
SymCrypt Denial of Service Vulnerability | |||||||
CVE-2021-43228 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
VP9 Video Extensions Information Disclosure Vulnerability | |||||||
CVE-2021-43243 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
Visual Basic for Applications Information Disclosure Vulnerability | |||||||
CVE-2021-42295 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
Visual Studio Code Remote Code Execution Vulnerability | |||||||
CVE-2021-43891 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Visual Studio Code Spoofing Vulnerability | |||||||
CVE-2021-43908 | No | No | Less Likely | Less Likely | Important | ||
Visual Studio Code WSL Extension Remote Code Execution Vulnerability | |||||||
CVE-2021-43907 | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.5 |
Web Media Extensions Remote Code Execution Vulnerability | |||||||
CVE-2021-43214 | No | No | Less Likely | Unlikely | Important | 7.8 | 6.8 |
Windows AppX Installer Spoofing Vulnerability | |||||||
CVE-2021-43890 | Yes | Yes | Detected | Detected | Important | 7.1 | 6.2 |
Windows Common Log File System Driver Elevation of Privilege Vulnerability | |||||||
CVE-2021-43226 | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
CVE-2021-43207 | No | No | More Likely | More Likely | Important | 7.8 | 6.8 |
Windows Common Log File System Driver Information Disclosure Vulnerability | |||||||
CVE-2021-43224 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8 |
Windows Digital Media Receiver Elevation of Privilege Vulnerability | |||||||
CVE-2021-43248 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows Digital TV Tuner Elevation of Privilege Vulnerability | |||||||
CVE-2021-43245 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability | |||||||
CVE-2021-43893 | Yes | No | Less Likely | Less Likely | Important | 7.5 | 6.5 |
Windows Encrypting File System (EFS) Remote Code Execution Vulnerability | |||||||
CVE-2021-43217 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.1 |
Windows Event Tracing Remote Code Execution Vulnerability | |||||||
CVE-2021-43232 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows Fax Service Remote Code Execution Vulnerability | |||||||
CVE-2021-43234 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows Hyper-V Denial of Service Vulnerability | |||||||
CVE-2021-43246 | No | No | Less Likely | Less Likely | Important | 5.6 | 4.9 |
Windows Installer Elevation of Privilege Vulnerability | |||||||
CVE-2021-43883 | Yes | No | More Likely | More Likely | Important | 7.8 | 7.0 |
Windows Kernel Information Disclosure Vulnerability | |||||||
CVE-2021-43244 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7 |
Windows Media Center Elevation of Privilege Vulnerability | |||||||
CVE-2021-40441 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows Mobile Device Management Elevation of Privilege Vulnerability | |||||||
CVE-2021-43880 | Yes | No | More Likely | More Likely | Important | 5.5 | 4.8 |
Windows NTFS Elevation of Privilege Vulnerability | |||||||
CVE-2021-43229 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
CVE-2021-43230 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
CVE-2021-43231 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows Print Spooler Elevation of Privilege Vulnerability | |||||||
CVE-2021-41333 | Yes | No | More Likely | More Likely | Important | 7.8 | 7.2 |
Windows Recovery Environment Agent Elevation of Privilege Vulnerability | |||||||
CVE-2021-43239 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.2 |
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | |||||||
CVE-2021-43223 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows Remote Access Elevation of Privilege Vulnerability | |||||||
CVE-2021-43238 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows Setup Elevation of Privilege Vulnerability | |||||||
CVE-2021-43237 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
Windows TCP/IP Driver Elevation of Privilege Vulnerability | |||||||
CVE-2021-43247 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8 |
iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution | |||||||
CVE-2021-43215 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5 |
--
Renato Marinho, Morphus Labs
Log4j: Getting ready for the long haul (CVE-2021-44228)
Friday (Dec. 10th), we moved our Infocon to "Yellow" for the first time in about two years. We saw an immediate need to get the word out as the log4shell vulnerability (CVE-2021-44228) was actively exploited and affected various widely used products. Patches and workarounds were not readily available at the time. Our Infocon indicates "change," not "steady-state." By now, everybody in infosec knows about log4shell. This morning I noticed that even cnn.com had log4j/log4shell mentioned at the top of the page. Once CNN covers an infosec topic like this, it should be old news for anybody "in the field."
We are now moving our "Infocon" back to "green."
Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon. Treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: How to live with log4shell long term.
Please keep notes as you are dealing with this vulnerability and as you are finding new instances of log4j in your environment. I don't think this was the last we heard of log4j or JNDI. History has taught us that vulnerabilities like this tend to focus attention on the respective features and libraries. I suspect there will be more to come.
As of this writing, log4j 2.16 is the officially fixed version. log4j 2.15 was the initial fix, with 2.16 fixing some issues with pattern formatters that could still expose you to JNDI lookups.
Here are a few resources about log4j/log4shell:
RCE in Log4j / Log4Shell or how things can get bad quickly
https://isc.sans.edu/forums/diary/RCE+in+log4j+Log4Shell+or+how+things+can+get+bad+quickly/28120/
Log4Shell Exploited to Implant Coin Miners
https://isc.sans.edu/forums/diary/Log4Shell+exploited+to+implant+coin+miners/28124/
Log4Shell Live Stream
https://www.youtube.com/watch?v=oC2PZB5D3Ys
Log4Shell Followup: What we see and how to defend, and how to access our data
https://isc.sans.edu/forums/diary/Log4j+Log4Shell+Followup+What+we+see+and+how+to+defend+and+how+to+access+our+data/28122/
Log4j Zero-Day
https://www.lunasec.io/docs/blog/log4j-zero-day/
List of Vendor Bulletins
https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
List of Vulnerable Software
https://github.com/NCSC-NL/log4shell/tree/main/software
Official log4j Website
https://logging.apache.org/log4j/2.x/
log4j 2.16 Update which fixes some remaining JNDI related issues
https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3221?filter=allissues
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu