
News broke on Thursday, December 9th, when Log4j, the most widely used open-source logging library in the world, was shown to carry a critical vulnerability affecting large companies all over the world, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

According to the Microsoft Security Response Team, the Apache Log4j 0-day vulnerability allows unauthenticated remote code execution and is triggered when a specially crafted string supplied by the attacker, through any of a variety of input vectors, is parsed and processed by the vulnerable Log4j 2 component. Attacks were observed less than a day after the vulnerability was reported, and Netlab, the network security division of Chinese tech giant Qihoo 360, disclosed that botnets such as Mirai and Muhstik (aka Tsunami) are actively scanning for vulnerable servers to exploit.

This vulnerability, tracked as CVE-2021-44228, currently holds a base score of 10 in Oracle's advisory risk matrix, the highest risk possible, and the GitHub advisory rates it at critical severity.

 

THE LOG4J CVE-2021-44228 ATTACK

Have I been affected?

To determine if your application has been affected by this vulnerability:

  • Determine your current Log4j version and update. All versions prior to 2.16.0 are affected. Upgrading straight to 2.16.0 is recommended because the fix in Apache Log4j 2.15.0 was found to be incomplete in certain non-default configurations; that gap, tracked as CVE-2021-45046, left the previous version susceptible to attack. Log4j 2.16.0 addresses it by removing support for message lookup patterns and disabling JNDI functionality by default.

 

  • Determine your current Java version and update. All versions lower than those listed below are vulnerable:
    • Java 6 – 6u212
    • Java 7 – 7u202
    • Java 8 – 8u192
    • Java 11 – 11.0.2

If the application has both the Java and the Log4j issue, then according to the CERT NZ advisory it has certainly been affected. You can also check whether your domain is vulnerable with open-source testing tools such as log4shell-tester on GitHub.

 

Log4j Solution?

Download Log4j version 2.16.0 (if you are unable to upgrade, follow the steps below):

  • The vulnerable behavior can be mitigated by setting either the system property formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • If you are using a version >= 2.0-beta9 and <= 2.10.0, remove Log4j's JndiLookup class from the Java classpath with: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
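The checklist above (find the Log4j and Java versions, then either upgrade or strip JndiLookup.class) is straightforward to script. The following Python is an added example written for this page, not HCL's or Apache's code. It assumes the library jar is named log4j-core-<version>.jar and bundles Maven's pom.properties, as the upstream release does; the two sample jars it builds are constructed and hold placeholder class bytes, and the java -version strings it checks are constructed samples.

```python
"""Find log4j-core jars, flag those below 2.16.0 that still ship JndiLookup.class,
and strip the class the way the post's zip -d command does. Added example, not
HCL's or Apache's code; the sample jars built in run_demo() are constructed."""
import io, os, re, shutil, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# pom.properties is Maven metadata the real jar bundles (assumed present here);
# JAVA_MINIMUMS are the post's thresholds as (major, minor, update) tuples.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JAVA_MINIMUMS = {6: (6, 0, 212), 7: (7, 0, 202), 8: (8, 0, 192), 11: (11, 0, 2)}

def parse_version(text):
    """'2.16.0' or '2.0-beta9' -> tuple; a pre-release sorts below its release."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", text)
    if not m:
        raise ValueError("unrecognised Log4j version: %r" % text)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)) + ((0, pre) if pre else (1, ""))

def jar_version(jar_path):
    """Version from the bundled pom.properties, else from the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES in zf.namelist():
            for line in zf.read(POM_PROPERTIES).decode().splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-core-([\w.\-]+)\.jar$", os.path.basename(jar_path))
    return m.group(1) if m else None

def assess_jar(jar_path):
    """Describe one jar; an unknown version is treated as unpatched."""
    version = jar_version(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
    below_fix = version is None or parse_version(version) < parse_version("2.16.0")
    has_jndi = JNDI_LOOKUP in names
    return {"path": jar_path, "version": version, "entries": len(names),
            "below_2_16_0": below_fix, "jndi_lookup_present": has_jndi,
            "needs_action": below_fix and has_jndi}

def scan_tree(root):
    """Walk a directory tree and assess every log4j-core-*.jar in it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                results.append(assess_jar(os.path.join(dirpath, name)))
    return results

def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (what the post's zip -q -d
    command does). Returns True if removed, False if it was not present."""
    removed, buf = False, io.BytesIO()
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
            else:
                dst.writestr(info, src.read(info.filename))
    if removed:
        tmp = jar_path + ".tmp"  # write beside the jar, then swap atomically
        with open(tmp, "wb") as fh:
            fh.write(buf.getvalue())
        os.replace(tmp, jar_path)
    return removed

def java_below_minimum(version_output):
    """Parse `java -version` output (legacy 1.8.0_181 or modern 11.0.1 form)
    against the post's minimums; majors the post does not list are not flagged."""
    m = re.search(r'version "([^"]+)"', version_output)
    if not m:
        raise ValueError("no version string in java -version output")
    legacy = re.match(r"1\.(\d+)\.0_(\d+)", m.group(1))
    if legacy:
        triple = (int(legacy.group(1)), 0, int(legacy.group(2)))
    else:
        parts = [int(p) for p in re.findall(r"\d+", m.group(1))[:3]]
        triple = tuple(parts + [0] * (3 - len(parts)))
    minimum = JAVA_MINIMUMS.get(triple[0])
    return minimum is not None and triple < minimum

def make_sample_jar(path, version, with_jndi=True):
    """Build a minimal constructed log4j-core jar for the demonstration."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, "version=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def run_demo():
    """Scan a constructed tree, mitigate the old jar, and re-assess it."""
    root = tempfile.mkdtemp()
    try:
        old = os.path.join(root, "log4j-core-2.14.1.jar")
        make_sample_jar(old, "2.14.1")
        make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", with_jndi=False)
        before = scan_tree(root)
        removed = remove_jndi_lookup(old)
        return {"before": before, "removed": removed, "after": assess_jar(old)}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(run_demo(), java_below_minimum('openjdk version "1.8.0_181"'))
```

Call run_demo() to see the before/after assessment of the constructed jars, or point scan_tree() at a real deployment directory. Two caveats worth keeping in mind: the scan only matches jars named log4j-core-*.jar, so a copy shaded into a fat jar or nested inside a WAR is not found this way, and the formatMsgNoLookups setting exists only from Log4j 2.10 onward, which is why the post's first recommendation is the upgrade to 2.16.0.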

 

 

How AppScan can help

HCL AppScan can help developers scan for the Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 with the Open-Source Analysis (OSA) or Dynamic Application Security Testing (DAST) capabilities of our cloud-based application security testing solution, AppScan on Cloud.

Learn how to scan for the Log4j vulnerability with HCL AppScan on Cloud's OSA capability

Learn how to scan for the Log4j vulnerability with HCL AppScan on Cloud's DAST capability

 

What is AppScan on Cloud (ASoC)?

ASoC offers an unparalleled suite of comprehensive security testing tools available on the cloud, including SAST, DAST, IAST, and OSA. It enables organizations to address vulnerabilities earlier in the Software Development Life Cycle (SDLC), reduce false positives, fix code as it's written, and apply advanced correlation to deliver more accurate results, empowering organizations to deliver secure and compliant software faster and at scale.

 

For a free demonstration of AppScan's OSA tool and our suite of security testing tools, including SAST, DAST, and IAST for web and open-source applications, click here.

For additional information on the Log4j vulnerability in HCL AppScan's deployment platforms, please see the AppScan technote.
