Home / About / Threat Intelligence / Apache release patch 2.17.0 for Log4j

Overview

On the 9th December 2021, a critical vulnerability was discovered in the open source and hugely popular logging service within Apache WebServer (Log4j). Since then, a number of patches have been released to remediate or mitigate the initial vulnerability and the additional vulnerabilities which were discovered following the greater scrutiny of the software. Vendors and systems administrators have struggled in locating all the instances of the logging service, and which the primary critical vulnerability may have been patched as a result, the subsequently identified and patched vulnerabilities may be being overlooked.

On the 19th December 2021, Apache released another patch (v2.17.0) for Log4j. Unlike previous patches, released on the 15th December 2021, this patch remediates the potential for a Denial of Service (DoS) attack and, whereas some other vulnerabilities had alternate configuration based mitigations, this one can only be remediated through application of the patch.

Impact

Vulnerabilities in Log4j has been found to impact many systems. While it is easy to focus on the remediation of vulnerable webservers that are controlled and owned by an organisation, the vulnerability impacts the CIA of multiple vendors’ products and is built into the Operating System (OS) of some network infrastructure devices and IoT/OT/SCADA devices. The impact of a DoS attack against such may cause significant impact to a targeted organisation.

Products Affected

There is an ever growing list of impacted systems. Since the initial (Critical) vulnerability was discovered to have been present dating back a number of years, it may be that some vulnerable systems in use may no longer be supported. Some vulnerable systems have been attributed to:
– Adobe
– Amazon
– Atlassian
– Broadcom
– Cisco
– Citrix
– ConnectWise
– cPanel
– Debian
– Docker
– FortiGuard
– F-Secure
– Ghidra
– IBM
– Juniper Networks
– McAfee
– MongoDB
– Okta
– Oracle
– OWASP Foundation
– Red Hat
– Siemens
– SolarWinds
– SonarSource
– SonicWall
– Sophos
– Splunk
– TrendMicro
– VMware
– Ubiquiti
– Ubuntu
– Zoho
– Zscaler

Containment, Mitigations & Remediation

Mitigations include applying the 2.17.0 patch and removing references to context lookups within Apache configuration.

Indicators of Compromise

While this patch does contain the update to protect against the critical Remote Code Execution (RCE) vulnerability, the update is designed to prevent Denial of Service attacks against the Logging Engine. The primary indication of an attack against this vulnerability would be the slow system performance and unavailability of logging and other resources on the affected device, ultimately leading to a Denial of Service of the resources served by the device.

Threat Landscape

Vendors and security teams across the globe are racing to find and patch vulnerable products. This provides an initial level of protection, however, as more vulnerabilities and patches are discovered and released it is important to stay on top of them and to revisit the patching to ensure that companies and products remain protected. A lot of effort is going into the proactive detection of compromise via the critical RCE vulnerability CVE-2021-44228, however other vulnerabilities within Log4j, such as the severe DoS vulnerability CVE-2021-45105 require entirely different detection mechanisms.

It is already known that Organised Crime Gangs (OCGs) such as Conti, etc, are looking at incorporating these vulnerabilities into their attack tooling to target organisations and gain a foothold within their infrastructure.

Mitre Methodologies

CVE-2021-44228 Log4Shell > allows > Exploit Public-Facing Application T1190 > enables > Reflective Code Loading T1620 > leads to > Ingress Tool Transfer T1105

Further Information

Log4j zero-day flaw: What you need to know and how to protect yourself | ZDNet

Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation – Microsoft Security Blog

Webinar: Your Guidebook for Handling the Apache Log4Shell Vulnerability – Thank You – AttackIQ