Log4j Vulnerability Guidance
Understanding of Log4j
Log4j Mitre Tactics and Techniques
Initial Access
T1190 — Exploit Public-Facing Application
Execution
T1203 — Exploitation for Client Execution
T1059 — Command and Scripting Interpreter
Lateral Movement
T1021 — Remote Services
T1003.008 — OS Credential Dumping: /etc/passwd and /etc/shadow
Impact
T1496 — Resource Hijacking
T1498 — Network Denial of Service
Remediation
In order for these vulnerabilities to be remediated in your systems that use affected versions of Log4j, you must implement latest security updates.
CVE-2021–45105 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.
CVE-2021–44832 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Actions
- Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround.
- Apply available patches immediately. (Now, the latest release of Apache log4j is 2.17.1)
- Prioritize patching, First mission critical systems, internet-facing systems, and networked servers.
- Conduct a security review to determine if there is a security concern or compromise.
