Log4j Vulnerability Guidance

Understanding of Log4j

Mehmet Fatih KOCALAR
2 min readDec 20, 2021
Log4j Exploit Map (source: https://www.govcert.ch/)

Log4j Mitre Tactics and Techniques

Initial Access

T1190 — Exploit Public-Facing Application

Execution

T1203 — Exploitation for Client Execution

T1059 — Command and Scripting Interpreter

Lateral Movement

T1021 — Remote Services

T1003.008 — OS Credential Dumping: /etc/passwd and /etc/shadow

Impact

T1496 — Resource Hijacking

T1498 — Network Denial of Service

Remediation

In order for these vulnerabilities to be remediated in your systems that use affected versions of Log4j, you must implement latest security updates.

CVE-2021–45105 Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.

CVE-2021–44832 Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Actions

  • Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround.
  • Apply available patches immediately. (Now, the latest release of Apache log4j is 2.17.1)
  • Prioritize patching, First mission critical systems, internet-facing systems, and networked servers.
  • Conduct a security review to determine if there is a security concern or compromise.

--

--

Mehmet Fatih KOCALAR
Mehmet Fatih KOCALAR

No responses yet