As we know, a patch has been released for a significant Log4j Remote Code Execution (RCE) vulnerability, tracked as CVE-2021-44228. However, that patch was not entirely effective at mitigating the risk: its fix was incomplete in some non-default configurations, which is tracked as CVE-2021-45046. The latest patch, Log4j 2.16.0, removes support for message lookup patterns and disables JNDI functionality by default altogether, whereas the CVE-2021-44228 fix only removed the ability of anyone who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Furthermore, for prior releases (<2.16.0) this issue can also be mitigated by removing the JndiLookup class from the classpath.
Why is it noteworthy?
Log4j is practically omnipresent in the world of websites and all things Java. It is used to log information from the web applications developers create, to aid with debugging and for other tracking purposes. LDAP, RMI and other JNDI endpoints can be used as avenues for a threat actor exploiting the Log4j vulnerability to execute arbitrary code. Many malicious actors and threat groups are using this vulnerability to gain unauthorized access. Because of the magnitude of the vulnerability, many believe that confirmed detections will continue to grow and that mitigation will be a slower than usual process. Furthermore, NIST has given this vulnerability a base score of 10, ten being the most critical.
What are the recommendations?
Barracuda MSP has implemented custom rules to detect this exploit in its SKOUT Managed XDR Log and Network Security Monitoring solutions and recommends applying this patch immediately to protect your organization.
If your organization uses Apache Log4j, it should upgrade to Log4j 2.16.0 immediately.
Additionally, it is up to certain vendors to apply this patch to their applications, so keep an eye out for any application updates. This resource is tracking vulnerable components/applications: https://github.com/YfryTchsGD/Log4jAttackSurface
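As an added example (not from this advisory or the Log4j project), the following Python helper inventories a log4j-core JAR the way the recommendations above imply: it reads the version from the JAR's pom.properties, checks whether JndiLookup.class is still present, and can produce a copy with that class removed for deployments that cannot yet move to 2.16.0. The sample JARs it builds are constructed stand-ins with only the two entries the checks use, not real Log4j builds.

```python
# Inventory helper for log4j-core JARs: version check, JndiLookup presence, and the <2.16.0 mitigation.
import io
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # first release that disables JNDI by default and drops message lookups

def parse_version(text):
    """Parse the 'version=2.14.1' line of pom.properties into a tuple of ints."""
    for line in text.splitlines():
        if line.startswith("version="):
            return tuple(int(p) for p in line.split("=", 1)[1].strip().split("."))
    return None

def assess_jar(data):
    """Return version tuple (or None), whether JndiLookup ships in the JAR, and a verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP in names
    if version is not None and version >= FIXED:
        verdict = "ok: log4j-core >= 2.16.0"
    elif not has_jndi:
        verdict = "mitigated: JndiLookup removed from a pre-2.16.0 release"
    else:
        verdict = "vulnerable: upgrade to 2.16.0 or remove JndiLookup from the classpath"
    return {"version": version, "has_jndi_lookup": has_jndi, "verdict": verdict}

def strip_jndi_lookup(data):
    """Return a copy of the JAR bytes without JndiLookup.class (the interim mitigation)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def make_sample_jar(version, include_jndi=True):
    """Constructed sample JAR (not a real Log4j build) carrying only the entries checked above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.16.0"):
        print(v, assess_jar(make_sample_jar(v))["verdict"])
```

On a real host, feed `assess_jar` the bytes of each `*.jar` found under the application's library directories; a JAR that reports "vulnerable" needs the upgrade, or the stripped copy as a stopgap.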
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.zdnet.com/article/second-log4j-vulnerability-found-apache-log4j-2-16-0-released/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
- https://www.kb.cert.org/vuls/id/930724
- https://nvd.nist.gov/vuln/detail/CVE-2021-44228#vulnCurrentDescriptionTitle
- https://www.f5.com/labs/articles/threat-intelligence/explaining-the-widespread-log4j-vulnerability
This post was based on a threat advisory issued by our Barracuda Managed XDR team. For more info on how to best prepare your MSP business to protect clients from cyberthreats, visit the Barracuda Managed XDR page.