Audience

This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Summary

On 10 December 2021, Apache released a Security Advisory (Footnote 1, Footnote 2) highlighting a critical remote code execution vulnerability in Log4j, a widely deployed Java-based logging utility. Open-source reporting indicates that active scanning and exploitation of this vulnerability have been observed.

Details

On 10 December 2021, Apache released a Security Advisory (Footnote 1, Footnote 2) highlighting a critical remote code execution vulnerability in Log4j, affecting versions 2.0-beta9 through 2.14.1. The vulnerability allows a remote unauthenticated actor to execute arbitrary code on an affected device. Open-source reporting indicates that the critical vulnerability, tracked as CVE-2021-44228 (Footnote 3), is actively being scanned for and exploited.

Due to the Log4j library's widespread use in popular frameworks, many third-party apps may also be vulnerable to exploitation. In addition, Log4j is often used in enterprise Java software and is also included in several Apache frameworks including but not limited to: Apache Struts2, Apache Solr, Apache Druid, Apache Flink and Apache Swift. Other Java frameworks also include it in their libraries, including but not limited to: Netty, MyBatis and the Spring Framework.

The Apache Log4j library allows developers to log output from various data sources within their applications. In certain circumstances, the data being logged originates from user input. Notably, Log4j supports Java Naming and Directory Interface (JNDI) features, which it leverages in configuration, logging messages and parameters. In vulnerable versions of Log4j, logged user data containing JNDI lookups to actor-controlled endpoints could cause those lookups to be performed, resulting in the server loading and executing arbitrary code from the endpoint.

The Cyber Centre strongly encourages organizations to internally review potentially impacted applications. While non-exhaustive, community sources are assisting in these efforts with the identification of impacted products.

Apache has released Log4j version 2.15, which addresses this vulnerability. In addition, Apache has provided workarounds for previous releases when upgrading is not possible. (Footnote 8)

Updates

It has been determined that Log4j 2.15.0 may still be vulnerable under certain non-default configurations. Apache has released Log4j version 2.16.0 to address this latest vulnerability, which is tracked as CVE-2021-45046. The Cyber Centre assesses that organizations who have already patched to 2.15.0 and use a standard configuration can follow standard patching processes for updating to 2.16.0. Organizations who have not updated yet should update to 2.16.0 or apply the suggested mitigation if updating is not immediately possible.

NCSC-NL, with the help of the security community, has compiled a robust source of information regarding the Log4j vulnerability, including but not limited to indicators of compromise, mitigation advice and affected software. Additionally, CISA's guidance is a valuable source of information.

On 17 December 2021, Apache updated its assessment of the severity and impact of CVE-2021-45046 to critical, remote code execution. (Footnote 9) On 17 December 2021, Apache released Log4j 2.17 to address a denial of service (DoS) vulnerability in versions 2.0-alpha1 through 2.16.0 (Java 8). This vulnerability has been assigned CVE-2021-45105 and has been rated CVSS 7.5.

On 22 December 2021, Apache released Log4j 2.12.3 for Java 7 users and 2.3.1 for Java 6 users to address currently known vulnerabilities and harden JNDI functionality.
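As an added example, not part of the Alert or of Apache's own tooling, the following Python helper triages a Log4j 2 version string against the version ranges and fixed releases stated above (2.0-beta9 through 2.14.1 for CVE-2021-44228, 2.15.0 for CVE-2021-45046, 2.0-alpha1 through 2.16.0 for CVE-2021-45105, with 2.17, 2.12.3 and 2.3.1 as the fixed releases for the Java 8, 7 and 6 lines). It handles the alpha/beta/rc qualifiers that appear in the affected ranges; the branch mapping and the "2.17.0" spelling of the Java 8 fix are assumptions made for the example.

```python
import re

# Fixed release the Alert names for each line: Java 8 gets 2.17, while the
# Java 7 (2.12.x) and Java 6 (2.3.x) lines are keyed by their major.minor.
FIXED_BY_LINE = {(2, 3): "2.3.1", (2, 12): "2.12.3"}
FIXED_DEFAULT = "2.17.0"

# Pre-release qualifiers sort before the final release with the same number.
_PRE = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$", re.I)


def parse_version(text):
    """Turn '2.0-beta9' or '2.15.0' into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    pre_rank, pre_num = (_PRE[m[4].lower()], int(m[5])) if m[4] else (3, 0)
    return (major, minor, patch, pre_rank, pre_num)


def in_range(v, low, high):
    return parse_version(low) <= v <= parse_version(high)


def triage(version):
    """Return (needs_update, recommended_release, cves) for one Log4j 2 version,
    using only the ranges given in the Alert."""
    v = parse_version(version)
    recommended = FIXED_BY_LINE.get(v[:2], FIXED_DEFAULT)
    if v >= parse_version(recommended):
        return (False, recommended, [])
    cves = []
    if in_range(v, "2.0-beta9", "2.14.1"):
        cves.append("CVE-2021-44228")  # original JNDI remote code execution
    if v == parse_version("2.15.0"):
        cves.append("CVE-2021-45046")  # the Alert names 2.15.0 (non-default configs)
    if in_range(v, "2.0-alpha1", "2.16.0"):
        cves.append("CVE-2021-45105")  # denial of service fixed in 2.17
    return (True, recommended, cves)


if __name__ == "__main__":
    # Constructed sample inventory, as an inventory scan might report it.
    for found in ["2.0-beta8", "2.14.1", "2.15.0", "2.16.0", "2.3.0", "2.12.3"]:
        print(found, triage(found))
```

Because the Alert names only the final back-ports for the Java 6 and 7 lines, anything below 2.3.1 or 2.12.3 on those lines is reported as needing an update, which errs on the conservative side.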