On 18th December, a security researcher from Akamai disclosed a new high severity vulnerability (CVE-2021-45105) in Log4j that could lead to Denial of Service attacks. This is the third new Log4j vulnerability in two weeks, after CVE-2021-44228 and CVE-2021-45046. Given how quickly the situation is developing, it is highly recommended to follow the threat closely and take immediate action to address it. Let’s see how to fix CVE-2021-45105, a new high severity vulnerability in Log4j.
Summary Of CVE-2021-45105- A New High Severity Vulnerability:
This high severity vulnerability is due to infinite recursion from self-referential lookups in Thread Context Map (MDC). Apache Foundation said the vulnerability allows attackers to craft malicious input data containing a recursive lookup that leads to StackOverflowError and process termination, which could be a denial of service.
Apache said, “Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.”
| Field | Value |
|---|---|
| Associated CVE ID | CVE-2021-45105 |
| Description | Denial of Service vulnerability in Log4j Logging Library due to infinite recursion in lookup evaluation |
| Severity | High |
| Associated ZDI ID | ZDI-21-1541 |
| CVSS Score | 7.5 |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Impact Score | NA |
| Exploitability Score | NA |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | None |
| Integrity (I) | None |
| Availability (A) | High |
Log4j Versions Vulnerable To The CVE-2021-45105 Vulnerability:
All the versions starting from 2.0-alpha1 to version 2.16.0 are vulnerable to the CVE-2021-45105 stack overflow vulnerability.
Log4j version 1.x is not affected by this flaw. However, it was affected by a different vulnerability, the CVE-2019-1757 remote code execution vulnerability.
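To turn the version range above into a check you can run against your own artifacts, here is an added example (not code from the original post or from Apache) that opens a jar, reads the Maven `pom.properties` that log4j-core ships under `META-INF/maven/org.apache.logging.log4j/log4j-core/`, and flags any version below 2.17.0. It also descends into jars nested inside fat jars (for example under `BOOT-INF/lib`), and it deliberately ignores log4j-api, since the page notes that applications shipping only the log4j-api jar are not affected. The sample jars are constructed in memory for the demonstration; the version rule implements the page's stated range only and does not special-case backport releases for older Java runtimes.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Maven metadata path inside published log4j-core jars. log4j-api jars carry
# their own pom.properties under .../log4j-api/ and are intentionally not
# matched, mirroring the page's note that only log4j-core is affected.
CORE_POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# First fixed release named on the page; everything below it is reported as
# vulnerable. Assumption: backports for older Java runtimes are not handled.
FIXED_VERSION = (2, 17, 0, 1)


def parse_version(version):
    """Turn '2.16.0' or '2.0-alpha1' into a comparable tuple.

    The fourth element is 0 for pre-releases (alpha/beta/rc) and 1 for final
    builds, so '2.17.0-rc1' sorts below '2.17.0'.
    """
    numeric, _, suffix = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", numeric)][:3]
    while len(parts) < 3:
        parts.append(0)
    parts.append(0 if suffix else 1)
    return tuple(parts)


def is_vulnerable(version):
    """True when the version falls in the page's stated range (below 2.17.0)."""
    return parse_version(version) < FIXED_VERSION


def read_core_version(zf):
    """Return the log4j-core version declared in pom.properties, or None."""
    if CORE_POM_PROPERTIES not in zf.namelist():
        return None
    text = zf.read(CORE_POM_PROPERTIES).decode("utf-8", "replace")
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan_jar(jar_bytes, location="<root>"):
    """Walk a jar and every jar nested inside it; return a list of
    (location, version, vulnerable) for each log4j-core found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = read_core_version(zf)
        if version is not None:
            findings.append((location, version, is_vulnerable(version)))
        for name in zf.namelist():
            if name.lower().endswith(".jar"):
                findings.extend(scan_jar(zf.read(name), f"{location}/{name}"))
    return findings


def make_jar(entries):
    """Build an in-memory jar from {path: content}; only used to construct
    the sample input below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample artifacts (not real jars from the page or from Apache).
SAMPLE_CORE_2_16 = make_jar({CORE_POM_PROPERTIES: "version=2.16.0\n"})
SAMPLE_API_ONLY = make_jar(
    {"META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": "version=2.16.0\n"}
)
SAMPLE_FAT_JAR = make_jar(
    {"BOOT-INF/lib/log4j-core-2.17.0.jar": make_jar({CORE_POM_PROPERTIES: "version=2.17.0\n"})}
)


if __name__ == "__main__":
    # Pass real jar paths on the command line; with none, scan the samples.
    targets = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [
        ("sample-core-2.16", SAMPLE_CORE_2_16),
        ("sample-api-only", SAMPLE_API_ONLY),
        ("sample-fat-jar", SAMPLE_FAT_JAR),
    ]
    for name, data in targets:
        for loc, ver, vuln in scan_jar(data, name):
            print(f"{loc}: log4j-core {ver} -> {'VULNERABLE' if vuln else 'ok'}")
```

Run it as `python scan_log4j.py path/to/app.jar` to inventory a deployment. A jar whose `pom.properties` was stripped during repackaging will be missed by this check, so treat a clean result as a starting point for the vendor confirmation the page recommends, not as proof of absence.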
Who Are Impacted By The CVE-2021-45105 Vulnerability?
It impacts almost all products that use the Log4j logging library. Most likely, it affects the same applications as the CVE-2021-44228 and CVE-2021-45046 vulnerabilities, such as Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Apache Solr, Apache Druid, Apache Flink, Apache Struts2, flume, Dubbo, IBM Qradar SIEM, PaloAlto Panorama, Redis, logstash, ElasticSearch, Kafka, ghidra, ghidra server, Minecraft, PulseSecure, UniFi, VMware, Blender, Google, Webex, LinkedIn, VMware vCenter, Speed camera LOL, and more. The list does not end there; please visit the link, which has a comprehensive list of the vulnerable applications.
Rather than going through the list, it is good to get your application tested with the vendor.
Other Log4j Vulnerabilities In 2021:
- A Critical 0-day Unauthenticated Remote Code Execution vulnerability in Log4j Logging Library (CVE-2021-44228) allows attackers to carry out unauthenticated, remote code execution attacks.
- A new vulnerability (CVE-2021-45046) in the Log4j library allows attackers to perform denial of service (DoS) attacks by crafting malicious input data using a JNDI Lookup pattern.
How To Fix CVE-2021-45105- A New Vulnerability Log4j?
If you are still running a 1.x version, ASF urges you to upgrade it to the latest version. The best permanent fix is to upgrade to version 2.17.0 or higher. Ask your development team to rebuild the project package with the new version of Log4j. If the vulnerable library is found in third-party applications, contact the vendor and ask them to validate the issue and release a permanent fix for the CVE-2021-45105 vulnerability.
Vendor’s Guidelines to Fix CVE-2021-45105 Vulnerability:
- Broadcom’s Symantec Enterprise blog
- Cisco Talos Intelligence Group
- Cloudflare Blog
- CrowdStrike blog
- IBM Security Intelligence blog
- VMWare Threat Research
- Mandiant blog
- Microsoft blog
- Palo Alto Networks blog
- Splunk’s blog
- Tenable blog
- VMware Blog
It is not enough to wait until the vendors release updates. Organizations should take some precautions to protect their network from the CVE-2021-45105 vulnerability.
- Block the Log4Shell IOCs on your firewalls, proxies, endpoints, and any security monitoring solutions, and track whether any connection to them is established or observed in the infrastructure.
- Isolate suspected systems from the network and keep monitoring their activities.
- Configure your vulnerability scanning tools, such as NexPose, Nessus, or QualysGuard, and run automated vulnerability scans.
- Disable JNDI on all servers running Log4j. If you are unable to disable JNDI, block all JNDI requests to untrusted servers.
- Watch the Apache Log4j Security Vulnerabilities webpage for new updates on the Log4Shell vulnerabilities and implement them.
Those who can’t upgrade the Log4j library can follow these mitigation tips shared by ASF.
- Replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC) in the PatternLayout of the logging configuration.
- Otherwise, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} from the configuration wherever the looked-up values originate from sources external to the application, such as HTTP headers or user input.
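The first mitigation above is mechanical enough to script. The following added example (not code from the original post or from Apache) rewrites a `log4j2.xml` document so that every `${ctx:name}` or `$${ctx:name}` Context Lookup inside a `PatternLayout` becomes the equivalent `%X{name}` MDC converter, and reports each change so it can be reviewed. The configuration it operates on is constructed for the demonstration; the appender names, `loginId` and `requestId` are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# ${ctx:name} is resolved once when the configuration is loaded; $${ctx:name}
# is the deferred form resolved on every log event, which is the variant the
# advisory quotes. Both spellings are rewritten.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}:]+)\}")


def rewrite_pattern(pattern):
    """Replace Context Lookups with the equivalent %X{name} MDC converter.

    %X prints the MDC value verbatim and never runs lookup substitution on it,
    so a client-supplied value that itself looks like '${ctx:loginId}' is
    logged as text rather than evaluated recursively.
    """
    return CTX_LOOKUP.sub(r"%X{\1}", pattern)


def harden_log4j2_xml(xml_text):
    """Rewrite every PatternLayout in a log4j2.xml document.

    Handles both the pattern="..." attribute and the nested <Pattern> element.
    Returns (new_xml, [(old_pattern, new_pattern), ...]) so the change list
    can be reviewed before anything is written back.
    """
    root = ET.fromstring(xml_text)
    changes = []
    for layout in root.iter("PatternLayout"):
        old = layout.get("pattern")
        if old is not None:
            new = rewrite_pattern(old)
            if new != old:
                layout.set("pattern", new)
                changes.append((old, new))
        for child in layout.findall("Pattern"):
            old = child.text or ""
            new = rewrite_pattern(old)
            if new != old:
                child.text = new
                changes.append((old, new))
    return ET.tostring(root, encoding="unicode"), changes


# Constructed sample configuration showing the weak setting (not from the page).
VULNERABLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=$${ctx:loginId} %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d %p req=${ctx:requestId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>"""


if __name__ == "__main__":
    hardened, changes = harden_log4j2_xml(VULNERABLE_CONFIG)
    for old, new in changes:
        print(f"- {old}\n+ {new}")
    print(hardened)
```

ElementTree drops XML comments and the declaration when it serialises, so in practice use the returned change list to patch the real file (or apply the replacements with an editor) rather than overwriting the configuration with the serialised output. Lookups that live outside `PatternLayout`, for example in a `RoutingAppender` route key, fall under the page's second bullet and need a manual review.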
Note: The United States Cybersecurity and Infrastructure Security Agency (CISA) has also added the Log4j vulnerabilities to its Known Exploited Vulnerabilities Catalog. Note that only the log4j-core JAR file is affected by this vulnerability; applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted. Other projects such as Log4net and Log4cxx are not impacted either.
This is how you need to fix the CVE-2021-45105 Log4j Vulnerability on your affected servers.
We hope this post has shown you how to fix CVE-2021-45105, a new high severity vulnerability in Log4j. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Original article by ItWorker. If reposted, please credit the source: https://blog.ytso.com/270105.html