Log4j-core 2.8.2: Security Vulnerabilities & Remediation
Hey guys! Today, we're diving deep into some serious security vulnerabilities affecting the log4j-core-2.8.2.jar library. If you're using this version, it's super important to pay attention! We'll break down each vulnerability, its severity, and how to fix it. Let's get started!
π Vulnerable Library - log4j-core-2.8.2.jar
This is all about the Apache Log4j Implementation.
Library home page: https://www.apache.org/
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Findings
Hereβs a quick rundown of the vulnerabilities weβll be discussing:
| Finding | Severity | π― CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-44228 | π£ Critical | 10.0 | High | 94.4% | log4j-core-2.8.2.jar | Direct | 2.12.2 | β |
| CVE-2021-45046 | π£ Critical | 9.0 | High | 94.3% | log4j-core-2.8.2.jar | Direct | 2.12.2 | β |
| CVE-2021-44832 | π Medium | 6.6 | High | 35.2% | log4j-core-2.8.2.jar | Direct | 2.12.4 | β |
| CVE-2021-45105 | π Medium | 5.9 | High | 66.2% | log4j-core-2.8.2.jar | Direct | 2.12.3 | β |
| CVE-2020-9488 | π‘ Low | 3.7 | Not Defined | < 1% | log4j-core-2.8.2.jar | Direct | ch.qos.reload4j:reload4j:1.2.18.3 | β |
Details
Let's dive into each vulnerability with detailed information and remediation steps. We'll cover the specifics of each CVE, its impact, and how to mitigate the risk.
CVE-2021-44228
This is a critical vulnerability affecting log4j-core-2.8.2.jar. Understanding this vulnerability is crucial for maintaining the security of your applications. The CVE-2021-44228 vulnerability, also known as "Log4Shell," is a remote code execution (RCE) vulnerability that allows attackers to execute arbitrary code on a server. This occurs because Log4j2 versions 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) do not properly protect against attacker-controlled LDAP and other JNDI-related endpoints in configuration, log messages, and parameters. An attacker who can control log messages or parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
To mitigate this vulnerability, you should upgrade to Log4j version 2.12.2 or later. This version disables JNDI functionality by default and removes support for message lookup patterns, effectively preventing remote code execution attacks. The high exploit maturity and EPSS score of 94.4% indicate that this vulnerability is actively exploited in the wild, making it essential to apply the fix as soon as possible.
If upgrading is not immediately feasible, consider implementing temporary mitigations such as setting the log4j2.formatMsgNoLookups system property to true or removing the JndiLookup class from the classpath. However, these are only temporary measures and should not replace a proper upgrade. This vulnerability poses a significant threat, and prompt action is necessary to protect your systems from potential attacks.
Vulnerable Library - log4j-core-2.8.2.jar
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- β
log4j-core-2.8.2.jar(Vulnerable Library)
Vulnerability Details
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Publish Date: Dec 10, 2021 12:00 AM
URL: CVE-2021-44228
Threat Assessment
Exploit Maturity: High
EPSS: 94.4%
Score: 10.0
Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: Dec 10, 2021 12:00 AM
Fix Resolution : 2.12.2
CVE-2021-45046
The CVE-2021-45046 vulnerability is another critical issue affecting log4j-core-2.8.2.jar. It arises from an incomplete fix for CVE-2021-44228 in Apache Log4j 2.15.0. In certain non-default configurations, this vulnerability allows attackers with control over Thread Context Map (MDC) input data to craft malicious input data using a JNDI Lookup pattern. This can lead to information leaks and remote code execution in some environments, and local code execution in all environments. The logging configuration must use a non-default Pattern Layout with either a Context Lookup (e.g., $ctx) or a Thread Context Map pattern (%X, %mdc, or %MDC) for this vulnerability to be exploitable.
To address this, upgrade to Log4j version 2.12.2 or 2.16.0. These versions remove support for message lookup patterns and disable JNDI functionality by default, effectively mitigating the risk. The high exploit maturity and EPSS score of 94.3% indicate that this is a significant threat that requires immediate attention. Ensure that your logging configurations do not use vulnerable patterns, and prioritize upgrading to a secure version of Log4j.
If immediate upgrading is not possible, review your logging configurations and remove any instances of Context Lookups or Thread Context Map patterns. However, this is only a temporary measure, and a proper upgrade should be performed as soon as feasible. The combination of remote and local code execution possibilities makes this vulnerability a critical concern for system administrators and developers alike.
Vulnerable Library - log4j-core-2.8.2.jar
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- β
log4j-core-2.8.2.jar(Vulnerable Library)
Vulnerability Details
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $ctx) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Publish Date: Dec 14, 2021 04:55 PM
URL: CVE-2021-45046
Threat Assessment
Exploit Maturity: High
EPSS: 94.3%
Score: 9.0
Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: Dec 14, 2021 04:55 PM
Fix Resolution : 2.12.2
CVE-2021-44832
The CVE-2021-44832 vulnerability is a medium severity issue affecting log4j-core-2.8.2.jar. This vulnerability allows for remote code execution (RCE) when a configuration uses a JDBC Appender with a JNDI LDAP data source URI and an attacker has control of the target LDAP server. Specifically, Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are affected.
To remediate this, upgrade to Log4j2 versions 2.17.1, 2.12.4, or 2.3.2. These versions limit JNDI data source names to the java protocol, effectively preventing the exploitation of this vulnerability. While the EPSS score of 35.2% suggests a lower likelihood of exploitation compared to the Log4Shell vulnerabilities, the high exploit maturity indicates that the vulnerability is well-understood and potentially targeted by attackers.
If upgrading is not immediately possible, ensure that your Log4j configurations do not use a JDBC Appender with a JNDI LDAP data source URI. Review your configurations and remove any instances of this pattern. However, this is only a temporary fix, and upgrading to a patched version should be the primary goal. This vulnerability highlights the importance of carefully reviewing and securing logging configurations to prevent potential RCE attacks.
Vulnerable Library - log4j-core-2.8.2.jar
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- β
log4j-core-2.8.2.jar(Vulnerable Library)
Vulnerability Details
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Publish Date: Dec 28, 2021 07:35 PM
URL: CVE-2021-44832
Threat Assessment
Exploit Maturity: High
EPSS: 35.2%
Score: 6.6
Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: Dec 28, 2021 07:35 PM
Fix Resolution : 2.12.4
CVE-2021-45105
The CVE-2021-45105 vulnerability is another medium severity issue affecting log4j-core-2.8.2.jar. This vulnerability can lead to a denial of service (DoS) due to uncontrolled recursion from self-referential lookups. Specifically, Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) are affected.
To mitigate this, upgrade to Log4j 2.17.0, 2.12.3, or 2.3.1. These versions protect against uncontrolled recursion by properly handling self-referential lookups. With an EPSS score of 66.2%, this vulnerability poses a moderate risk, and the high exploit maturity suggests that it is actively being explored by attackers.
If upgrading is not immediately possible, carefully review and sanitize Thread Context Map data to prevent the injection of crafted strings that can trigger the recursion. However, this is only a temporary measure, and upgrading to a patched version remains the best solution. This vulnerability underscores the importance of input validation and secure configuration practices to prevent denial-of-service attacks.
Vulnerable Library - log4j-core-2.8.2.jar
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- β
log4j-core-2.8.2.jar(Vulnerable Library)
Vulnerability Details
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Publish Date: Dec 18, 2021 11:55 AM
URL: CVE-2021-45105
Threat Assessment
Exploit Maturity: High
EPSS: 66.2%
Score: 5.9
Suggested Fix
Type: Upgrade version
Origin: https://logging.apache.org/log4j/2.x/security.html
Release Date: Dec 18, 2021 11:55 AM
Fix Resolution : 2.12.3
CVE-2020-9488
The CVE-2020-9488 vulnerability is a low severity issue affecting log4j-core-2.8.2.jar. This vulnerability involves improper validation of certificates with host mismatch in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, potentially leaking log messages sent through that appender.
To resolve this, upgrade to Apache Log4j 2.12.3 and 2.13.1 or use ch.qos.reload4j:reload4j:1.2.18.3. These versions include fixes for the certificate validation issue, preventing the interception of SMTPS connections. Given the low EPSS score (less than 1%), the likelihood of exploitation is minimal, but addressing the vulnerability is still important for maintaining overall system security.
If immediate upgrading is not feasible, ensure that your Log4j configurations do not rely on the SMTP appender for sensitive information. Consider using alternative appenders or implementing additional security measures to protect log messages transmitted via SMTPS. While this vulnerability is less critical than the RCE and DoS issues, it should still be addressed as part of a comprehensive security strategy.
Vulnerable Library - log4j-core-2.8.2.jar
The Apache Log4j Implementation
Library home page: https://www.apache.org/
Path to dependency file: /bin/target/classes/META-INF/maven/org.whitesource/log4j-netty-sample/pom.xml
Dependency Hierarchy:
- β
log4j-core-2.8.2.jar(Vulnerable Library)
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: Apr 27, 2020 03:36 PM
URL: CVE-2020-9488
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 3.7
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: Apr 27, 2020 03:36 PM
Fix Resolution : ch.qos.reload4j:reload4j:1.2.18.3
Stay safe out there, and keep your systems updated!