THE THREAT
The Apache Log4j vulnerability CVE-2021-45046 has been elevated from low severity to critical.
On December 17th, Apache updated their advisory stating that “the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.”
CVE-2021-45046 was initially considered to be a Denial of Service (DoS) vulnerability. New research suggests that exploitation may allow a remote threat actor to achieve Remote Code Execution and steal sensitive data from vulnerable systems under certain conditions.
It is recommended that organizations ensure applications running Log4j are updated to the most recent release (2.17.1).
What we’re doing about it
- eSentire Managed Vulnerability Service (MVS) has plugins in place to identify CVE-2021-45046
- eSentire is conducting global threat hunts for exploit patterns
- MDR for Network, Endpoint and Log identify successful Log4j exploitation and post-exploitation actions. eSentire will continue to evaluate detections as the situation evolves
What you should do about it
- Audit software vendors/applications for Log4j use and make applying security updates a top priority (version 2.17.1 is recommended)
- Apache has provided alternative mitigations if patching is not currently possible
- MVS customers can contact your Customer Success Manager to request an ad-hoc scan for CVE-2021-44228
- Both CISA and NCSC-NL have released a vendor vulnerability status which can be correlated against software inventories
- NCSC-NL has additionally compiled various methods and scripts for scanning applications and systems for Log4j use
- Organizations are strongly recommended to make use of available scanning tools in order to identify vulnerable assets and prioritize patching of internet-facing products
Additional information
CVE-2021-45046 impacts all versions of Log4j from 2.0-beta9 to 2.15.0, excluding 2.12.2. eSentire is aware of reports stating that CVE-2021-45046 has been exploited in the wild in Denial-of-Service (DoS) attacks; this activity has not been independently verified at this time.
Regarding remote-code execution, Apache states “remote code execution has been demonstrated on macOS but no other tested environments.”
Recent Log4j Vulnerabilities:
- CVE-2021-44228 (CVSS: 10): Critical Remote Code Execution (RCE) vulnerability announced on December 10th
- eSentire MDR for Endpoint and Network are actively detecting exploitation attempts
- CVE-2021-45046 (CVSS: 3.7): Denial of Service (DoS) vulnerability announced on December 14th
- Impacts all versions from 2.0-beta9 to 2.15.0, excluding 2.12.2
- Criticality raised December 17th to CVSS: 9.0
- Confirmation that data exfiltration and remote code execution is possible in certain conditions
- CVE-2021-4104 (CVSS: 8.1): Remote Code Execution (RCE) vulnerability announced on December 14th
- Only impacts Log4j 1.2 when specific non-default configurations are in place
- CVE-2021-42550 (CVSS: N/A): Arbitrary code execution vulnerability announced on December 16th
- Prior access required for exploitation
References:
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-45046
[2] https://www.lunasec.io/docs/blog/log4j-zero-day-severity-of-cve-2021-45046-increased/
[3] https://logging.apache.org/log4j/2.x/security.html
[4] https://www.praetorian.com/blog/log4j-2-15-0-stills-allows-for-exfiltration-of-sensitive-data/
[5] https://blog.cloudflare.com/protection-against-cve-2021-45046-the-additional-log4j-rce-vulnerability/
