
Apache Log4J Updates


December 22, 2021

By John Rote

Apache Log4J2 Vulnerability Updates:
This report on the Apache Log4j vulnerabilities will be updated as new critical information is released. Please monitor it for updates, as the situation continues to grow and change.

12/21/2021 Update:
Below are the updates for December 21st, 2021:

Upgrade to version 2.17.0 of Apache Log4j:
A denial of service (DoS) vulnerability (CVE-2021-45105) exists in some environments with non-default configurations due to uncontrolled recursion from self-referential lookups. It affects Log4j 2.0-alpha1 through 2.16.0, so upgrading to 2.16.0 for the earlier CVEs is not sufficient. The issue is reachable when the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}) and an attacker controls Thread Context Map (MDC) data; a crafted value containing a recursive lookup causes a StackOverflowError that terminates the process.

Potential signals of compromise:
The following patterns in logged request data (headers, URLs, form fields, and any other user-controlled input that reaches a logger) are potential signals of compromise. Log4j matches the lookup name case-insensitively, which is why the lower/upper variants work. The list is not exhaustive: the same technique applies to ldaps, dns, and other JNDI providers, and to other nested lookups such as ${env:X:-j}:
* ${jndi:ldap://.*/.*}
* ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://.*}
* ${${::-j}ndi:rmi://.*}
* ${jndi:rmi://.*}
* ${${lower:jndi}:${lower:rmi}://.*}
* ${${lower:${lower:jndi}}:${lower:rmi}://.*}
* ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://.*}
* ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}://.*}
* GET requests from your servers to arbitrary external hosts attempting to download ".class" files (the second stage of a successful JNDI lookup, in which the victim JVM fetches the attacker's class).

Advanced Groups Exploiting Vulnerabilities:
Security researchers are already seeing more sophisticated groups exploiting the vulnerability. Adam Meyers, SVP of intelligence at CrowdStrike, said his team observed the Iran-based, state-sponsored actor Nemesis Kitten deploy a class file onto a server that could be triggered through Log4j. Microsoft reported that the nation-state groups Phosphorus (Iran) and Hafnium (China), as well as unnamed APTs from North Korea and Turkey, are actively exploiting Log4Shell in targeted attacks.


12/17/2021 Update:
Below are the updates for December 17th, 2021:

New Vulnerability Identified:
CVE-2021-45046 was disclosed on December 14, the day after the release of Log4j 2.16.0, and initially received a CVSS score of 3.7. Following reassessment of the risk it poses, it was raised to a Critical security impact rating with a score of 9.0. According to the Apache Software Foundation notice, the vulnerability affects all Log4j versions from 2.0-beta9 to 2.15.0 (excluding 2.12.2).

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations and could result in an information leak and remote code execution in some environments and local code execution in all environments. The Apache Software Foundation notice has additional information. Cloudflare has stated that this vulnerability is being actively exploited.

Conti Ransomware Using Log4j Vulnerabilities:
The Conti ransomware group has been detected using the Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines.

Conti, one of the largest and most prolific ransomware gangs, appears to have taken an interest in Log4Shell early on. According to adversarial-disruption company Advanced Intelligence (AdvIntel), the gang quickly began looking for victims, with the goal of moving laterally to vCenter servers on the victim network.

List of Vulnerable Applications:
The first GitHub repository below contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-44228), and the second URL lists applications and the status of each vendor's response to the Log4j vulnerabilities.

hxxps://github[.]com/NCSC-NL/log4shell
hxxps://github[.]com/NCSC-NL/log4shell/blob/main/software/README.md