Log4j-core 2.6.1: 6 Vulnerabilities (Severity 10.0)
Hey guys! Today, we're diving deep into a critical issue affecting the log4j-core-2.6.1.jar library. This library has a total of six known vulnerabilities, with the most severe one scoring a whopping 10.0! If you're using this version, it's super important to understand the risks and take action ASAP. Let's break it down, step by step.
Discussion Category: ghc-cloneRepoStaging-scaAndRenovate3, Heather-Lane_1027_211358_gh_gw2
Vulnerable Library - log4j-core-2.6.1.jar
The Apache Log4j Implementation is a widely-used logging framework for Java applications. However, version 2.6.1 has some serious security flaws that need your attention.
Library home page: http://www.apache.org
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Findings
Here's a summary table of the vulnerabilities found in log4j-core-2.6.1.jar:
| Finding | Severity | CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-44228 | Critical | 10.0 | High | 94.4% | log4j-core-2.6.1.jar | Direct | 2.12.2 | Yes |
| CVE-2017-5645 | Critical | 9.8 | Not Defined | 94.0% | log4j-core-2.6.1.jar | Direct | 2.8.2 | Yes |
| CVE-2021-45046 | Critical | 9.0 | High | 94.3% | log4j-core-2.6.1.jar | Direct | 2.12.2 | Yes |
| CVE-2021-44832 | Medium | 6.6 | High | 50.4% | log4j-core-2.6.1.jar | Direct | 2.12.4 | Yes |
| CVE-2021-45105 | Medium | 5.9 | High | 71.4% | log4j-core-2.6.1.jar | Direct | 2.12.3 | Yes |
| CVE-2020-9488 | Low | 3.7 | Not Defined | < 1% | log4j-core-2.6.1.jar | Direct | ch.qos.reload4j:reload4j:1.2.18.3 | Yes |
Details
Let's dive into each vulnerability to understand the risks and how to mitigate them.
CVE-2021-44228
Vulnerable Library - log4j-core-2.6.1.jar
The Apache Log4j Implementation is at the heart of this vulnerability. This is probably the most infamous one, known as "Log4Shell."
Library home page: http://www.apache.org
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- log4j-core-2.6.1.jar (Vulnerable Library)
Vulnerability Details
This vulnerability allows remote code execution (RCE) because Log4j2 versions 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) don't properly protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. This is bad news, guys.
From Log4j 2.15.0, this behavior is disabled by default, and version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1) completely removes this functionality. It's important to note that this vulnerability specifically affects log4j-core and doesn't impact log4net, log4cxx, or other Apache Logging Services projects.
Publish Date: Dec 10, 2021 12:00 AM
URL: CVE-2021-44228
Threat Assessment
Exploit Maturity: High
EPSS: 94.4%
Score: 10.0
Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: Dec 10, 2021 12:00 AM
Fix Resolution: 2.12.2
CVE-2017-5645
Vulnerable Library - log4j-core-2.6.1.jar
Again, we're talking about the Apache Log4j Implementation.
Library home page: http://www.apache.org
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- log4j-core-2.6.1.jar (Vulnerable Library)
Vulnerability Details
In Apache Log4j 2.x before 2.8.2, a specially crafted binary payload sent to the TCP or UDP socket server (used to receive serialized log events) can execute arbitrary code upon deserialization. This means an attacker could potentially take control of your system by sending malicious log data. It's a serious risk, guys.
Publish Date: Apr 17, 2017 09:00 PM
URL: CVE-2017-5645
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 94.0%
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
Release Date: Apr 17, 2017 09:00 PM
Fix Resolution: 2.8.2
CVE-2021-45046
Vulnerable Library - log4j-core-2.6.1.jar
Yes, the Apache Log4j Implementation strikes again.
Library home page: http://www.apache.org
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- log4j-core-2.6.1.jar (Vulnerable Library)
Vulnerability Details
The fix for CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This allows attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (e.g., ${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern. This can lead to information leaks and remote code execution in some environments, and local code execution in all environments. Basically, if you didn't configure Log4j in the default way, you might still be vulnerable.
Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) address this by removing support for message lookup patterns and disabling JNDI functionality by default.
Publish Date: Dec 14, 2021 04:55 PM
URL: CVE-2021-45046
Threat Assessment
Exploit Maturity: High
EPSS: 94.3%
Score: 9.0
Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: Dec 14, 2021 04:55 PM
Fix Resolution: 2.12.2
CVE-2021-44832
Vulnerable Library - log4j-core-2.6.1.jar
Still on the Apache Log4j Implementation train.
Library home page: http://www.apache.org
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- log4j-core-2.6.1.jar (Vulnerable Library)
Vulnerability Details
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to remote code execution (RCE) when a configuration uses a JDBC Appender with a JNDI LDAP data source URI, and an attacker has control of the target LDAP server. This means if your Log4j configuration is set up to log to a database via JNDI and an LDAP server, an attacker who compromises that LDAP server can execute code on your system. Not ideal!
This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Publish Date: Dec 28, 2021 07:35 PM
URL: CVE-2021-44832
Threat Assessment
Exploit Maturity: High
EPSS: 50.4%
Score: 6.6
Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: Dec 28, 2021 07:35 PM
Fix Resolution: 2.12.4
CVE-2021-45105
Vulnerable Library - log4j-core-2.6.1.jar
And yet, the Apache Log4j Implementation remains.
Library home page: http://www.apache.org
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- log4j-core-2.6.1.jar (Vulnerable Library)
Vulnerability Details
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) didn't protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service (DoS) when a crafted string is interpreted. Basically, an attacker can make your application crash by sending it a specially crafted log message.
This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Publish Date: Dec 18, 2021 11:55 AM
URL: CVE-2021-45105
Threat Assessment
Exploit Maturity: High
EPSS: 71.4%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: Dec 18, 2021 11:55 AM
Fix Resolution: 2.12.3
CVE-2020-9488
Vulnerable Library - log4j-core-2.6.1.jar
Still talking about the Apache Log4j Implementation.
Library home page: http://www.apache.org
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- log4j-core-2.6.1.jar (Vulnerable Library)
Vulnerability Details
Improper validation of certificates with host mismatches in the Apache Log4j SMTP appender could allow an SMTPS connection to be intercepted by a man-in-the-middle attack. This could leak any log messages sent through that appender. If you're using Log4j to send log messages via email, an attacker could potentially read those emails.
Fixed in Apache Log4j 2.12.3 and 2.13.1.
Publish Date: Apr 27, 2020 03:36 PM
URL: CVE-2020-9488
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 3.7
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: Apr 27, 2020 03:36 PM
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
Conclusion
So, there you have it, guys! Six vulnerabilities in log4j-core-2.6.1.jar, some of them being extremely critical. If you're using this version, the best course of action is to upgrade to a secure version as soon as possible. Make sure to check the suggested fixes for each CVE and plan your upgrade accordingly. Stay safe out there!