Apache Log4j is an open-source logging utility used in almost all major Java-based applications and servers. Currently running on 3 billion devices worldwide, Log4j has been exposed to a high-risk vulnerability, dubbed CVE-2021-44228, that is under active and vigorous exploitation.
A new vulnerability, dubbed CVE-2021-45105, has been identified in version 2.16 of Apache Log4j. It affects the 2.16 patch that addressed the Remote Code Execution (RCE) vulnerability in versions of Log4j prior to 2.16 (CVE-2021-45046 and CVE-2021-44228). While not as critical as the RCE, a threat actor can launch a Denial-of-Service attack against the application or, with local access, execute commands as seen in the RCE. This vulnerability impacts only log4j-core JAR files. Applications using only the log4j-api JAR without log4j-core are not affected.
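A defender-side inventory check for the point above that only log4j-core JARs are in scope, added here as an illustration and not code from this advisory or from the Log4j project. It walks a directory, identifies log4j-core JARs by the Maven pom.properties a standard build embeds (an assumed path) or by file name, and flags any version at or below the 2.16 named above; demo() builds a constructed sample JAR so the script runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path
# Per the advisory, CVE-2021-45105 affects log4j-core up to and including 2.16; log4j-api alone is out of scope.
LAST_AFFECTED = (2, 16, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")

def parse_version(text):
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])  # pad so '2.16' -> (2, 16, 0) and tuples compare cleanly

def version_from_name(filename):
    m = NAME_RE.match(filename)
    return parse_version(m.group(1)) if m else None

def version_from_pom(jar_path):
    # Read the Maven pom.properties inside the JAR, so a renamed JAR is still identified
    try:
        with zipfile.ZipFile(jar_path) as z:
            for line in z.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1].strip())
    except (KeyError, zipfile.BadZipFile, OSError):
        pass
    return None

def is_affected(version):
    return version is not None and version <= LAST_AFFECTED

def scan(root):
    """Return [(path, version, affected)] for every log4j-core JAR under root."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        version = version_from_pom(path) or version_from_name(path.name)
        if version is not None:
            findings.append((str(path), version, is_affected(version)))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "renamed.jar"  # constructed 2.16.0 core JAR, version hidden from its name
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.16.0\n")
        return scan(tmp)

if __name__ == "__main__":
    for path, version, affected in demo():
        print(path, ".".join(map(str, version)), "AFFECTED" if affected else "ok")
```

Point scan() at an application's library directory to list each log4j-core JAR with its version and whether it falls in the affected range.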
Dan Gregory
VP | System Engineering, CBI
dgregory@cbisecure.com | 313.649.4611