December 20, 2021
Security Alert Log4j Update #2
Dated 12.20.21

Executive Summary

Apache Log4j is an open-source logging utility used in almost all major Java-based applications and servers. Currently running on 3 billion devices worldwide, Log4j has been exposed to a high-risk vulnerability, CVE-2021-44228, that is under active and vigorous exploitation.

12.20.2021 Update

A new vulnerability, CVE-2021-45105, has been identified in version 2.16 of Apache Log4j. It affects the 2.16 patch that addressed the Remote Code Execution (RCE) vulnerabilities in versions of Log4j prior to 2.16 (CVE-2021-45046 and CVE-2021-44228). While not as critical as the RCE, a threat actor can use it to launch a Denial-of-Service attack against the application or, with local access, execute commands as seen in the RCE. This vulnerability impacts only log4j-core JAR files; applications using only the log4j-api JAR without log4j-core are not affected.

Recommendations

  • If possible, update to Log4j version 2.17.0
  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC)
  • Remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input
  • Disable LDAP lookups
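The following Python script is an added example, not part of the CBI alert and not Apache's own tooling. It puts the recommendations above into a repeatable check: it parses a log4j2.xml configuration, reports every PatternLayout whose pattern still uses a Context Lookup (`${ctx:name}` or `$${ctx:name}`), rewrites those to the Thread Context Map converter `%X{name}`, and flags log4j-core JARs below 2.17.0 by file name while ignoring log4j-api JARs, which the alert says are not affected on their own. The sample configuration and JAR paths are constructed for the demonstration; `%X{key}` is standard Log4j PatternLayout syntax.

```python
"""Audit a Log4j 2 configuration and JAR names against the 12.20.21 recommendations.

Added example; the sample config and paths below are constructed, not taken from any real system.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed log4j2.xml using both PatternLayout forms (pattern attribute and <Pattern> child),
# each pulling request-controlled data into the layout via a Context Lookup.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=${ctx:loginId} %c - %m%n"/>
    </Console>
    <File name="Audit" fileName="audit.log">
      <PatternLayout>
        <Pattern>%d $${ctx:sessionId} %m%n</Pattern>
      </PatternLayout>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Audit"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Matches ${ctx:NAME} and the escaped form $${ctx:NAME}; group 1 is the key name.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:([^}]+)\}")

# log4j-core-<major>.<minor>.<patch>.jar; the log4j-api artifact deliberately does not match.
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
FIXED_VERSION = (2, 17, 0)


def _pattern_of(layout: ET.Element) -> str:
    """Return the pattern string of a PatternLayout in either attribute or child-element form."""
    attr = layout.get("pattern")
    if attr is not None:
        return attr
    child = layout.find("Pattern")
    if child is not None and child.text:
        return child.text
    return ""


def find_context_lookups(config_xml: str) -> List[Tuple[str, str]]:
    """List (appender name, pattern) for every PatternLayout that still uses a Context Lookup."""
    root = ET.fromstring(config_xml)
    appenders = root.find("Appenders")
    if appenders is None:
        return []
    hits = []
    for appender in appenders:
        for layout in appender.iter("PatternLayout"):
            pattern = _pattern_of(layout)
            if CTX_LOOKUP.search(pattern):
                hits.append((appender.get("name", "?"), pattern))
    return hits


def rewrite_pattern(pattern: str) -> str:
    """Replace ${ctx:NAME} / $${ctx:NAME} with the Thread Context Map converter %X{NAME}."""
    return CTX_LOOKUP.sub(lambda m: "%X{" + m.group(1) + "}", pattern)


def harden_config(config_xml: str) -> str:
    """Return the configuration with every Context Lookup in a PatternLayout rewritten to %X{...}."""
    root = ET.fromstring(config_xml)
    for layout in root.iter("PatternLayout"):
        if layout.get("pattern") is not None:
            layout.set("pattern", rewrite_pattern(layout.get("pattern")))
        child = layout.find("Pattern")
        if child is not None and child.text:
            child.text = rewrite_pattern(child.text)
    return ET.tostring(root, encoding="unicode")


def core_jar_needs_update(jar_path: str) -> Optional[bool]:
    """True if the path is a log4j-core JAR below 2.17.0, False if 2.17.0 or later,
    None if the file is not log4j-core at all (e.g. log4j-api alone)."""
    m = CORE_JAR.search(jar_path)
    if not m:
        return None
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


if __name__ == "__main__":
    for name, pattern in find_context_lookups(SAMPLE_CONFIG):
        print(f"appender {name!r} uses a Context Lookup: {pattern}")
        print(f"  replace with: {rewrite_pattern(pattern)}")
    # Constructed paths, not real deployments.
    for path in ("/opt/app/lib/log4j-core-2.16.0.jar", "/opt/app/lib/log4j-api-2.16.0.jar"):
        print(path, "->", core_jar_needs_update(path))
```

The version check keys off the JAR file name only, so a shaded or renamed artifact is not caught; a complete inventory should also inspect `META-INF/MANIFEST.MF` inside each JAR. The rewrite keeps the same key names, so the logged fields do not change, only the mechanism used to read them.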

Source

  1. https://logging.apache.org/log4j/2.x/security.html

For additional information, contact:

Dan Gregory
VP | System Engineering, CBI
dgregory@cbisecure.com | 313.649.4611

About the Author
CBI, A Converge Company
CBI Cybersecurity
CBI, A Converge Company, is a leading cybersecurity advisor to many of the world’s top-tier organizations. Founded in 1991, CBI provides innovative, flexible and customizable solutions that help ensure data is secure, compliant and available. We engage in an advisory-led approach to safeguard our clients against the ever-changing threat landscape—giving them comprehensive visibility into their entire security program and helping them avoid cyber challenges before they can impact their data, business and brand. We are dedicated to the relentless pursuit of mitigating risks and elevating corporate security for a multitude of industries and companies of all sizes.