Skip to main content Skip to local navigation
University Information Technology (UIT)

Service Advisory - Zero-day Vulnerability Advisory Notice - Apache log4j - Active Exploits

Posted on December 10, 2021

Service Advisory - Zero-day Vulnerability Advisory Notice - Apache log4j - Active Exploits

Posted on December 10, 2021

 

A picture containing text Description automatically generated

 

Service Advisory

 

Please share the following information with your technical teams.

 

A proof of concept (POC) that exploits a remote code execution (RCE) vulnerability in Java logging package Apache log4j was released yesterday (Dec 9). Log4j is widely used in Java applications and frameworks some common examples include: Confluence, Elastic, Rundeck, SAP (and many others). While log4j is not directly exposed by applications, this is expected to be a trivial Remote Code Execution (RCE) vulnerability which will result in widespread compromise, and potentially ransomware.

 

There are reports of this being actively exploited in the wild. It is urgent to address any vulnerable systems immediately.

 

Please review your applications for use of log4j, and if so, the version of that in use.

Vulnerable versions: 2.0 <= Apache log4j <= 2.14.1

 

Contact infosec to report any vulnerable installation found for mitigation and investigation steps.

 

Additional details and notices of vulnerable software can be expected to be announced over coming days.

 

 

Details on Log3Shell Zero-Day Vulnerability - Apache log4j

 

Severity level

Critical

 

CVE-2021-44228

 

Description:

If an attacker sends a link for a malicious Java Class file to a server running a vulnerable version of log4j, the server will make a request through the Java Naming and Directory Interface (JNDI), resulting in the malicious code being executed. Any attacker-controlled data that is being logged through log4j (such as UserAgent strings) can potentially result in Remote Code Execution (RCE).

 

Affected Versions:

Apache Log4j 2 versions 2.0 to 2.14.1

Log4j is embedded in many Java applications and frameworks which may need updates.

 

Impact:

An attacker could exploit this vulnerability to take control of an affected device.

 

Resolution:

- Expect additional updates to be added to these posts over the coming days.

- Update to log4j-2.15.0-rc1 or later.

- Expect vendors to release updates over the next several days for this vulnerability and apply as they become available.

 

In addition to the update, apply the following mitigation to disable lookups globally by setting the system property

log4j2.formatMsgNoLookups=true or

export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true

 

Reference:

[Details] - https://www.lunasec.io/docs/blog/log4j-zero-day/

[Details] - https://www.randori.com/blog/cve-2021-44228/

[Details] - https://logging.apache.org/log4j/log4j-2.14.1/manual/configuration.html#DisablingMessagePatternLookups

[Alternate Workaround] - https://github.com/Glavo/log4j-patch.

 

We thank you for your cooperation and understanding.

 

Contact

UIT Client Services at askit@yorku.ca or 416 736 5800

 

PRIVACY POLICY | VISIT WWW.YORKU.CA
This email was sent by: York University, 4700 Keele Street, Toronto, Ontario M3J 1P3

This email is viewed best in Microsoft Outlook for web