External risk intelligence

Apache Log4j2 Remote Code Execution Vulnerability.

CVE advisoryKnown Exploit

CVE-2021-44228

Organizations utilizing Apache Log4j2 may face risks due to a vulnerability allowing remote code execution. This could impact systems, data, and operations if exploited by attackers. Mitigation is recommended to address potential business disruption.

5Halo Surface Signal

Deserialization

Siemens 6bk1602 0aa12 0tp0 Firmware

before 2.7.02.0.1 to before 2.3.12.4.0 to before 2.12.22.13.0 to before 2.15.02.0before 2019.12019.1before 10.4.23.04.04.14.25.05.1before 2021-12-133.18.58.68.7;...

External exposure likelihood

Halo Surface Signal score for CVE-2021-44228

This vulnerability impacts a ubiquitous logging library embedded in countless internet-facing applications and services. Because it is frequently integrated into products that process user-controlled input and handle external network traffic, it is a quintessential example of a component that is public-facing by design across the modern internet-connected landscape.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists within the Apache Log4j2 logging utility that could allow attackers to execute arbitrary code. This flaw stems from how the utility handles certain features related to configuration, log messages, and parameters, which do not adequately protect against malicious inputs. The impact on organizations could include unauthorized code execution, leading to significant disruptions and data compromise.

Vulnerable component: Apache Log4j2
Core weakness: Unprotected JNDI features
Main business impact: Arbitrary code execution

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to execute arbitrary code by controlling log messages or parameters. When a system uses a vulnerable version of Apache Log4j2 and processes user-controlled input, an attacker can send specially crafted data. This data, when logged, triggers a lookup for a remote resource. The system then fetches and executes code from that resource, granting the attacker control.

Exposure condition: System processes user-controlled input.
Attacker starting point: Network access.
Trigger and result: Malicious log input leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability in Apache Log4j2 presents a significant threat due to its potential for remote code execution. Attackers can exploit this by controlling log messages, enabling them to execute arbitrary code loaded from external LDAP servers. This widespread vulnerability, affecting numerous applications and services, necessitates prompt attention to mitigate business risk. The default behavior has since been disabled in later versions, and the functionality completely removed in subsequent releases, but the initial widespread impact highlights the urgency.

Likely attacker skill level: Low
Required access or conditions: Network access
Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization should take immediate steps to address a critical vulnerability in the Apache Log4j2 component, which can allow attackers to execute arbitrary code. This could lead to unauthorized access, data compromise, and disruption of services. The primary focus is on identifying all instances of the affected software, mitigating potential exposure, applying vendor-provided fixes, and verifying that the fixes are effective. Continuous monitoring for related security events is also essential to detect any residual risk or new threats.

Identify all affected assets.
Reduce exposure or isolate risk.
Fix, verify, and monitor.

Frequently asked questions

What is the Apache Log4j2 vulnerability, identified as CVE-2021-44228?

CVE-2021-44228 is a critical vulnerability in Apache Log4j2 versions 2.0-beta9 through 2.15.0. It allows attackers to execute arbitrary code by controlling log messages or parameters, which are then processed through JNDI lookups via LDAP or other related endpoints. This issue has been addressed in later versions of Log4j2, with functionality removed in version 2.16.0 and its backported releases.

How does the Log4j2 vulnerability (CVE-2021-44228) allow for code execution?

The vulnerability stems from Log4j2's use of JNDI (Java Naming and Directory Interface) features within its logging. When message lookup substitution is enabled, an attacker can craft a malicious input (e.g., in a user-controlled log message) that, when logged by Log4j2, triggers a JNDI lookup to a remote LDAP server. This server can then return a malicious Java class that the vulnerable application will load and execute, leading to arbitrary code execution.

What specific weakness classes are associated with CVE-2021-44228?

CVE-2021-44228 is associated with several Common Weakness Enumerations (CWEs). These include CWE-20 (Improper Input Validation), which is a general weakness, and more specifically, CWE-400 (Uncontrolled Resource Consumption), CWE-502 (Desecurity Deserialization), and CWE-917 (Use of Out-of-band or Older Channel for a Secure Operation), reflecting the JNDI lookup and remote code execution aspects of the vulnerability.

Why is CVE-2021-44228 considered a very likely threat with widespread impact?

This vulnerability is considered a very likely threat because the Log4j2 library is widely used across numerous internet-facing applications and services. Its common integration into systems that process user input and handle network traffic makes it a prime target. The ease of exploitation and severe impact (remote code execution) contribute to its high risk profile.

What actions should be taken to respond to the Apache Log4j2 vulnerability?

The recommended response to CVE-2021-44228 is to apply updates to Log4j2 to versions where the vulnerability is fixed, or to remove affected assets from networks if updates are unavailable. Temporary mitigations can be employed, but updating is the preferred and most secure remediation. It is crucial to identify all instances of vulnerable Log4j2 versions within your environment.

References

Cyber Threat Intelligence (CTI)

Sources: malpedia, ransomware, threatActor

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.