Alert: Apache Log4j vulnerability (CVE-2021-44228)
Executive Overview
On December 9th, 2021, security researchers discovered a new critical Zero-Day vulnerability that impacts one of the most popular open-source Java logging libraries, Apache Log4j 2. It is a critical vulnerability in the code of much utilised logging application.
The Common Vulnerabilities and Exposures (CVE) system has identified the Log4j vulnerability as CVE-2021-44228 and the NIST National Vulnerability Database (NVD) have assigned it a CVSS Score of 10.0 – Critical.
This vulnerability is such a critical risk due to the impact that it can have if leveraged by attackers. Details of the vulnerability can be found in the National Vulnerability Database (NVD) under the heading CVE-2021-44228. The confirmed affected versions of Log4j are 2.0-beta-9 through 2.14.1.
The exploit has been identified as a remote code execution (RCE) vulnerability in Apache Log4j 2 referred to as “Log4Shell”. The software, Log4j, is built on a popular coding language, Java, that has widespread use in other software and applications used worldwide. Log4j is estimated to be present in over 100 million instances globally.
The vulnerability is so critical as it enables unauthenticated Remote Code Execution (RCE) where an attacker can execute any code on a remote machine over LAN, WAN, or internet. The code is triggered when a string is provided by the attacker through a variety of different input vectors and is then processed by the Log4j 2 vulnerable element.
The NCSC is advising organisations to take steps to mitigate the Apache Log4j vulnerability.
An unauthenticated remote code execution vulnerability (CVE-2021-44228) affects Apache Log4j versions 2.0-beta9 to 2.14.1. The NCSC is aware that scanning and attempted exploitation is being detected globally, including the UK.
Proof-of-concept code has already been published for this vulnerability.
The NCSC has published further information explaining the Log4j vulnerability.
Details of the Vulnerability
Log4j is an open-source Java logging library developed by the Apache Foundation. It is widely used in many applications and is present in many services as a dependency. This includes enterprise applications, including custom applications developed within an organisation, as well as numerous cloud services.
An application is vulnerable if it consumes untrusted user input and passes this to a vulnerable version of the Log4j logging library.
Recommended priority actions
Install the latest updates immediately wherever Log4j is known to be used
This should be the first priority for all UK organisations using software that is known to include Log4j. All organizations should immediately patch all instances of Log4j to 2.16.0.
If one of your applications that you use is listed, please follow vendor advice on updating the software or applying mitigations. You should also keep refreshing the list in case a new product has been added.
If your specific product is not listed, you should try and determine if Log4j is present within your organisation.
There could be multiple copies of Log4j present and each copy will need to be updated or mitigated.
Deploy protective network monitoring/blocking
The following recommendations should be taken to improve network monitoring and blocking:
- Organisations using Web Application Firewalls (WAFs) should ensure rules are available to protect against this vulnerability.
- Organisations that understand normal outbound connections from their servers may wish to ensure they’re blocking unexpected outbound connections.