Action Needed: Critical Vulnerability in Widespread Java Logging Library

This is a serious issue that needs immediate action from LSPs, web administrators, and system administrators, especially in light of the current international situation.

Updated: 2/15/2022; 1/18/2022; 1/7/2022; 12/23/2021; 12/17/2021; 12/16/2021; 12/15/2021; 12/14/2021; 12/10/2021 

Threat:

Log4Shell (CVE-2021-44228) is a critical zero-day exploit affecting the popular Java logging library log4j.  Log4Shell is an open-source Java package used to enable logging and it can be exploited to enable remote code execution. This is a standard package on systems running Java, so the quantity of machines and services affected is extremely high. This includes critical services like Tomcat webserver, Apache Struts webserver, and other Java services / applications that may be on the UVA network. (It also affects Internet  and Cloud services like Steam game client, Tesla cars, Minecraft, Amazon Prime, iCloud, and many, many more.)   When this vulnerability is exploited, the bad guy can run commands on your server, steal data, and/or use your server to laterally pivot to other computers.

LSPs, web administrators, and system administrators need to do the following immediately:

The seriousness of the issue is highlighted in the FTC’s response: https://techcrunch.com/2022/01/05/ftc-legal-action-log4j

Permanent mitigation:

On December 27th, 2021, Version 2.17.1 was released to solve a new vulnerability (CVE-2021-44832). It is considered medium severity, with a CVSS score of 6.6
Get the patched replacement log4j-core.jar on Maven Central here, with release notes and log4j security announcements.

If the affected system is unable to be updated, see the temporary mitigation below and/or limit remote access to the server.

On December 18th, 2021, Version 2.170 was released to solve a denial of service vulnerability (CVE-2021-45105). It is considered high severity, with a CVSS score of 7.5. It is superseded by Version 2.17.1

On December 13th, 2021, Version 2.160 was released. It is superseded by Version 2.170  Version 2.160 which is tracked as CVE-2021-4104There is now a confirmed Remote Code Exploit (RCE) for Log4j 2.15 (the initial patch).  
This is being tracked as CVE-2021-45046 and is considered Critical.  

If you upgraded Log4j to 2.15 or 2.16, please do one of the following:
                1. Upgrade to release 2.17.1 or later
                2. Remove the JndiLookup class from the classpath.  Please see https://logging.apache.org/log4j/2.x/security.html for more details and examples.

If you are running Log4j 1.x please verify that the installation is not configured to use JMSAppender and prioritize upgrading to a supported logging package.

Systems yet to be remediated should go straight to Version 2.17.1.
 

Temporary mitigation:

As per this discussion on HackerNews:

"The 'formatMsgNoLookups' property was added in version 2.10.0, per the JIRA Issue LOG4J2-2109 that proposed it. Therefore the 'formatMsgNoLookups=true' mitigation strategy is available in version 2.10.0 and higher, but is no longer necessary with version 2.15.0 or higher because it is the default setting.

If you are using a version older than 2.10.0 and cannot upgrade, your mitigation choices are:

  • Modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files, see details at https://issues.apache.org/jira/browse/LOG4J2-2109 or,
  • Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application's or stack's classloading documentation to understand this behavior."

NOTE: Over the weekend security researchers confirmed that JMS Appender lacks a function required for exploitation, so log4j 1.x is NOT vulnerable. That version has still been end-of-life’d since 2015.

 

More information: 

Microsoft Defender for Endpoint is identifying endpoints using vulnerable software; Microsoft is working on alerting on exploitation attempts. Another reminder that MDE provides superior protection over default Defender. It’s available for free to anyone with an ITS 0365 tenant account.

This is a vulnerability at the system level of websites and applications. If you are using software that you are not sure has the log4j vulnerability, please check/reach out to the vendor to see if they've fixed it or have steps to resolve it.  
There is nothing that users of websites and applications need to do to fix this vulnerability. 
General UVA persons who have an ITS O365 account should install Microsoft Defender for Endpoint if they have not already done so.

 

Lists of affected software and applications

Search each of these links for software/apps you are concerned about.  If you don't find the vendor on any of these lists, then contact them directly to ask about the log4j vulnerability.
More and more client installed apps are being confirmed as vulnerable. 
We recommend the crowd-sourced list that the Cybersecurity & Infrastructure Security Agency (CISA) has sponsored and is coordinating: https://github.com/cisagov/log4j-affected-db 
You can also check: 

 

Lists of UVA-specific affected software and applications

Note that the lists above does not contain several applications that are present in our environment.  Below are some specific applications that are used at UVA and their status. 
This is not a complete list, so please look through the apps you use and compare it to the list above.

Vulnerable, Patch or Mitigation Available

Tableau – Upgrade https://kb.tableau.com/articles/issue/Apache-Log4j2-vulnerability-Log4shell
Oxygen XML –  The lastest version that fixes the vulnerabiity is available on the UVA Software Gateway
                           Information: https://www.oxygenxml.com/security/advisory/CVE-2021-44228.html
ArcGIS Enterprise – Mitigation https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-software-and-cve-2021-44228-aka-log4shell-aka-logjam/
SPSS Statistics – ITS tested and added the new version of SPSS (28.0.1.1) that fixes this log4j vulnerability to the UVA Software Gateway on February 11, 2022 and notified UVa SPSS users. SPSS/IBM Information: https://www.ibm.com/support/pages/node/6526182
Code42 Products (Crashplan) – Upgrade  https://support.code42.com/Terms_and_conditions/Code42_customer_support_resources/Code42_response_to_industry_security_incidents

Unknown or In Progress

Autodesk / Autocad – “The Autodesk Security Team is investigating the Log4Shell vulnerability (CVE-2021-44228) and (CVE-2021-45046). We have not identified any compromised systems in the Autodesk environment due to this vulnerability at this time. This is an ongoing investigation and we will provide updates as we learn more.”
SAS –  https://support.sas.com/content/support/en/security-bulletins/remote-code-execution-vulnerability-cve-2021-44228.html

Not Vulnerable, No Action Needed

LastPass Local Client 
LogMeIn Rescue Client
Zoom Client
Cisco AnyConnect Client
Poly Studio X30/X50
Cisco Webex Client (Softphone)
Airtame Wireless Screen Sharing
Rocket Software (former Bluezone)