Update Apache Log4j utility to address zero-day vulnerability
January, 3, 2022
All University of Michigan Tableau dashboards have been updated and are now available to users without the need to be on the university’s network or using the university virtual private network.
December 20, 2021
Log4j 2.17 has been released to address a Denial of Service (DoS) vulnerability found in v2.16 and earlier. Log4j 2.16 and earlier does not always protect from infinite recursion in lookup evaluation, which can lead to DoS attacks. This is considered a High (7.5) vulnerability on the CVSS scale. If you have not yet updated from v2.15 or earlier to 2.16, we recommend going directly to v2.17. If you have already upgraded to v2.16, you can follow standard patching guidelines in upgrading to 2.17. Refer to Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS for more information.
December 17, 2021
A new remote code execution (RCE) vulnerability has been discovered in Log4j 2.15. If you recently updated to version 2.15, you now need to update to version 2.16 as soon as possible. The fix in Apache Log4j was incomplete, and certain non-default configurations can allow remote code execution to attackers with control over Thread Context Map (MDC) input data.
December 16, 2021
The following new information for updating the Apache Log4j utility was sent to U-M IT groups via email on December 16, 2021.
Patch to Log4j version 2.16 wherever possible, as it fully remediates known vulnerabilities.
Current intelligence indicates that applications using Log4j version 1.x are only vulnerable to CVE-2021-44228 when JNDI is used in their configuration. To mitigate, audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
Log4j version 1.x reached end of life in August 2015 and is still affected by previously disclosed vulnerabilities. If you have applications using Log4j 1.x, please update to the current version of Log4j wherever possible and after appropriate testing. If installations of Lof4j 1.x have been provided as part of vendor software, ensure you are working with your vendor to upgrade.
If you are unable to update to the current version of Log4j, 2.16.0, there are different mitigation steps for different versions of Log4j 2.x. Complete the appropriate mitigation actions detailed by the Cybersecurity & Infrastructure Security Agency (CISA) at: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
December 14, 2021
The following reminder was sent to U-M IT groups via email on December 14, 2021.
This is a reminder that all U-M system owners are expected to immediately update the Apache Log4j software to address a zero-day vulnerability, including applying vendor-provided patches.
This vulnerability is being actively exploited, and organizations the world over are being affected. ITS Information Assurance (IA) continues to scan U-M networks and take other steps to address this zero day, however scanning accuracy for this vulnerability is limited without the Tenable vulnerability scanning agent installed. If you have not done so already, please review the original Alert below, review your systems for use of the affected software, and take action as needed.
In addition, we urge you to work with IA to get the Tenable vulnerability scanning agent deployed on your systems. The Tenable agent provides the most accurate vulnerability scanning results. Doing so is a best practice, and is going to be an enterprise recommendation as a result of this vulnerability. Contact [email protected] for more information on Tenable vulnerability scanning.
We also recommend you continue to monitor for indications of compromise on systems that may have had a vulnerable version of log4j at any point since December 1, 2021. Refer to Checking Systems for Signs of Compromise and contact [email protected] if there is any reason to suspect a system has become compromised or you need assistance.
What to monitor:
- Unusually high CPU utilization
- Unexpected processes, system changes, services, network connections, and new users/groups
- Unusual messages in logs
December 14, 2021
The Summary and Action Items in the original Alert below were updated.
December 10, 2021
The information below was sent to U-M IT groups via email on December 10, 2021. It is intended for U-M IT staff who are responsible or university servers running the Apache Log4j Java-based logging utility, or running applications that have Log4j embedded.
Summary
A zero-day exploit is affecting the Apache Log4j utility that could result in remote code execution. Update Log4j to version 2.16 as soon as possible to disable the vulnerable features of log4j. Log4j is a component of many commercial, java-based software applications, which may also be affected. While version 2.16 is currently believed to fix the remote code execution vulnerability, it has been found to have a Denial of Service vulnerability. While this is less serious, updating to version 2.17 should correct this issue. Be aware of vendor updates for these packages and apply patches as quickly as possible. Be aware of vendor updates for these packages and apply patches as quickly as possible.
Problem
Log4j is a Java-based logging library maintained by the Apache Software Foundation. According to the Cloudflare Blog, “In the affected Log4j versions, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
Threats
Exploit code is publicly available, widespread scanning for vulnerable systems is occurring, and this vulnerability is being exploited actively in the wild.
Affected Versions
Apache Log4j 2.0-beta9 up to 2.16.0
Action Items
- Update to version 2.17.0 Apache Log4j after appropriate testing
- If you have not updated to at least version 2.16.0, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- Log4J is embedded in a large number of commercial software applications. Be aware of any vendor updates for these packages and apply patches as quickly as possible.
- If updating to the latest version is not possible, mitigate exploit attempts by removing the JndiLookup class from the classpath.
- If you are using Cloudflare WAF, you can help mitigate any exploit attempts via three newly deployed rules.
Technical Details
For details, see Apache Log4j Security Vulnerabilities.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS, Bleepingcomputer, 12/18/21
- Log4Shell Update: Severity Upgraded 3.7 -> 9.0 for Second log4j Vulnerability, LunaSec, 12/17/21
- Apache Log4j Security Vulnerabilities, Logging Services
- Apache Log4j Vulnerability Guidance, Cybersecurity & Infrastructure Security Agent (CISA)
- Download Apache Log4j 2, Log4j, 12/6/21
- Apache Log4j Security Vulnerabilities, Log4j, 12/6/21
- CVE-2021-44228, Mitre Corporation, 11/26/21
- The Log4j security flaw could impact the entire internet. Here's what you should know, CNN, 12/15/21
- 1.x end of life, Logging Services
- Security warning: New zero-day in the Log4j Java library is already being exploited, ZDNet, 12/10/21
- Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet, Ars Technica, 12/10/21
- New zero-day exploit for Log4j Java library is an enterprise nightmare, Bleeping Computer, 12/10/21
- CVE-2021-44228 - Log4j RCE 0-day mitigation, Cloudflare Blog, 12/10/21
- RCE in log4j, Log4Shell, or how things can get bad quickly, Internet Storm Center, 12/10/21