Apache Log4J Zero Day Vulnerability Update – 20/12/2021

What we are doing  

Six Degrees CSOC (Cyber Security Operations Centre) are continually monitoring threat intelligence sources for Apache Log4j vulnerability developments and our Threat Response Team are closely reviewing vendor statements as they are released.  

We are reacting to vendor statements where workarounds, patching and updates have been advised. Where downtime is required, customers have been and will be contacted directly to organise a mitigation action plan. 

What we have done 

  • We have completed our review of over 250 technologies to assess their vulnerability to the Log4J threat.
  • Key areas impacted include our Enterprise Cloud Platform (VMware) and Avaya Unified Communication.
  • Enterprise Cloud  
    • We have completed the first workaround released by VMware in relation to CVE-2021-44228. *
    • We are actively rolling out the second VMware workaround in relation to CVE-2021-45046. *
    • We are currently awaiting VMware’s response to CVE-2021-45105, raised on 17th December. As soon as a workaround or full patch is released, we will be ready to deploy, including over the Christmas period.
      * The Enterprise Cloud workarounds have been completed without notification as they have not required downtime.
  • Avaya Unified Communication  
    • All relevant Avaya clients have had mitigation applied against the Log4j vulnerability 
    • We have reached out to our clients to arrange downtime to implement the mitigation that Avaya released on the 17th December 
    • We have contacted all customers that require a maintenance window to ensure we manage the service impact when implementing mitigation.

What you can do  

  • We would be grateful if you would support us in responding rapidly to our communications to ensure we can offer you protection in line with vendor advice prior to the Christmas break where possible, including providing emergency contacts for the holiday period. 
  • Review your entire estate (not just Six Degrees managed) using this list to ascertain if you have vulnerabilities  
    https://github.com/NCSC-NL/log4shell/blob/main/software/README.md#m 
  • Where you have relationships with vendors, monitor their statements and act according to their recommendations 
  • Act on our technical Apache vulnerability advice below 
  • Keep up to date with Six Degrees progress via our information hub

What’s next 

We will continue to monitor the situation and provide updates via our Information hub. 
Our technical teams across all our products are working tirelessly to continue applying vendor solutions to this potential threat. 
We are pushing forwards with our response to this vulnerability and will continue to provide updates via our information hub.  

Apache Log4J Vulnerability Update

CVE-2021-45105/45046           

Severity 9/10 – Critical 

Executive Summary 

There have been recent developments in the Log4j vulnerability: version 2.17.0, rolled out by the Apache Software Foundation (ASF) on December 17th, addresses a vulnerability that could be used to stage a denial-of-service attack (CVE-2021-45105). The issue remained after version 2.16.0, which the group had previously put forward as guidance, failed to address it. The CSOC recommends that you apply the relevant update to all deployed Java installations as soon as possible to remediate exposure to this vulnerability.

  1. Recommendation and Remediations

Ensure that all Java software deployments use the Log4j versions below: 

  • Java 8 (or later) users should upgrade to Log4j release 2.17.0 
  • Java 7 users should upgrade to Log4j version 2.12.3 
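
To check an estate against the versions above, the following Python is an added example (not Six Degrees or Apache code). It reads the log4j-core version from the Maven metadata inside each archive rather than trusting the file name, and recurses into nested JAR/WAR/EAR files. The function names, the in-memory sample WAR and the treatment of later 2.12.x releases as fixed are assumptions made for illustration.

```python
import io
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE = re.compile(r"\.(jar|war|ear)$", re.I)

def meets_page_baseline(version):
    """True for 2.17.0 or later, or for the Java 7 line at 2.12.3 or later."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", version)
    if not m or m.group(4):
        return False  # unparseable or alpha/beta/rc build: needs upgrade or review
    nums = tuple(int(n or 0) for n in m.groups()[:3])
    # Assumption: 2.12.x releases after 2.12.3 keep the fix.
    return nums >= (2, 17, 0) or (nums[:2] == (2, 12) and nums >= (2, 12, 3))

def scan_archive(data, path):
    """Yield (path, version, ok) for each log4j-core found, including nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == POM:
                # Read the version from Maven metadata; the jar itself may be renamed.
                props = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                version = m.group(1) if m else "unknown"
                yield path, version, meets_page_baseline(version)
            elif ARCHIVE.search(name):
                try:
                    yield from scan_archive(zf.read(name), f"{path}!/{name}")
                except zipfile.BadZipFile:
                    continue  # named like an archive but not one

def make_archive(entries):
    """Build an in-memory zip; used only to construct the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a WAR bundling an old log4j-core under a renamed jar.
SAMPLE_WAR = make_archive({
    "WEB-INF/lib/logging.jar": make_archive({POM: "version=2.14.1\n"}),
    "WEB-INF/lib/log4j-core-2.17.0.jar": make_archive({POM: "version=2.17.0\n"}),
})

if __name__ == "__main__":
    for found in scan_archive(SAMPLE_WAR, "app.war"):
        print(found)
```

Anything reported with `ok` set to False, including pre-release builds and versions the page does not list, should be checked against current vendor guidance.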

Alternatively, this can be mitigated in configuration:  

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). 
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input. 

Note. Further guidance on these mitigation steps can be found at: https://logging.apache.org/log4j/2.x/security.html
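
The two configuration mitigations above can be checked mechanically. The following Python is an added example, not Six Degrees or Apache code: it walks a Log4j 2 XML configuration, rewrites Context Lookups inside PatternLayout patterns to %X{key}, and flags lookups found anywhere else for manual review. The function name audit_config and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches ${ctx:key}, the escaped form $${ctx:key}, and ${ctx:key:-default}.
CTX_LOOKUP = re.compile(r"\${1,2}\{ctx:([^}:]+)[^}]*\}")

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="out">
      <PatternLayout pattern="%d ${ctx:loginId} %m%n"/>
    </Console>
    <Routing name="byTenant">
      <Routes pattern="$${ctx:tenant}"/>
    </Routing>
    <Console name="safe">
      <PatternLayout pattern="%d %X{loginId} %m%n"/>
    </Console>
  </Appenders>
</Configuration>"""

def audit_config(config_xml):
    """Return (element, value, suggestion) for each string with a Context Lookup.

    suggestion is the rewritten pattern inside a PatternLayout (first bullet);
    it is None elsewhere, where the reference needs manual review (second bullet).
    """
    findings = []

    def check(tag, value, is_pattern):
        if value and CTX_LOOKUP.search(value):
            # %X{key} is the Thread Context Map pattern the page recommends;
            # any ":-default" part of the lookup is dropped from the suggestion.
            fixed = CTX_LOOKUP.sub(r"%X{\1}", value) if is_pattern else None
            findings.append((tag, value, fixed))

    def walk(elem, in_layout):
        in_layout = in_layout or elem.tag.lower() == "patternlayout"
        for name, value in elem.attrib.items():
            check(elem.tag, value, in_layout and name.lower() == "pattern")
        text = (elem.text or "").strip()
        check(elem.tag, text, in_layout and elem.tag.lower() == "pattern")
        for child in elem:
            walk(child, in_layout)

    walk(ET.fromstring(config_xml), False)
    return findings

if __name__ == "__main__":
    for tag, value, fixed in audit_config(SAMPLE_CONFIG):
        print(f"<{tag}> {value!r} -> {fixed or 'review; remove if externally sourced'}")
```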

  2. CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

  3. CVE-2021-45046 

It’s worth pointing out that the severity score of CVE-2021-45046, originally classified as a DDoS vulnerability, has since been revised from 3.7 to 9.0, to reflect the fact that an attacker could abuse the flaw to send a specially crafted string that leads to “information leak and remote code execution in some environments and local code execution in all environments,” corroborating a previous report from security researchers at Praetorian. 

  4. References 

https://nvd.nist.gov/vuln/detail/CVE-2021-45105 

https://nvd.nist.gov/vuln/detail/CVE-2021-45046 

https://logging.apache.org/log4j/2.x/security.html 

https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html 

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance 
