Over the past week, several organizations have released security updates to address the Apache Log4j zero-day vulnerability, which is being exploited in the wild. Although Apache released an initial patch, it was found to be incomplete because it did not protect certain non-default configurations. In response, Apache has released a second patch, Log4j 2.16.0, which is designed to mitigate the vulnerability entirely.
Technical detail and additional information
WHAT IS THE THREAT?
As noted, a significant Log4j Remote Code Execution (RCE) vulnerability, tracked as CVE-2021-44228, has already received a patch. However, that patch was not entirely effective: CVE-2021-45046 tracks the incomplete fix in certain non-default configurations. The latest patch, Log4j 2.16.0, removes support for message lookup patterns and disables JNDI functionality by default altogether. CVE-2021-44228 itself allowed an attacker who can control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. For prior releases (<2.16.0), this issue can also be mitigated by removing the JndiLookup class from the classpath.
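The two remediation facts above (upgrade to 2.16.0, or strip the JndiLookup class from older builds) translate directly into an inventory check a defender can run over a server's library directories. The following scanner is an added example written for this page, not code from the advisory or from the Apache project. It relies on two conventions of genuine log4j-core jars: the class lives at org/apache/logging/log4j/core/lookup/JndiLookup.class, and the Maven metadata file META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties records the version. Everything else (the sample jars, their names and contents) is constructed inline so the script runs offline; the sample jars contain only those two marker entries, not real Log4j code.

```python
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Class whose removal from the jar is the classpath mitigation for releases < 2.16.0.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core jars; its 'version' key is what we read.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_VERSION = (2, 16, 0)  # first release the advisory describes as fully mitigating


@dataclass
class JarFinding:
    path: str
    version: Optional[str]       # None when no log4j-core pom.properties was found
    jndi_lookup_present: bool


def parse_version(text: Optional[str]) -> Optional[Tuple[int, ...]]:
    """'2.14.1' -> (2, 14, 1); None when missing or unparseable. Trailing
    qualifiers such as '-rc1' are ignored so they cannot inflate a component."""
    parts: List[int] = []
    for piece in (text or "").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts) if parts else None


def read_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read the artifact version from log4j-core's pom.properties, if present."""
    try:
        raw = jar.read(POM_PROPERTIES).decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def inspect_jar(path: str) -> Optional[JarFinding]:
    """Return a finding for a log4j-core jar, or None if the file is not one."""
    try:
        with zipfile.ZipFile(path) as jar:
            version = read_version(jar)
            has_lookup = JNDI_LOOKUP_CLASS in set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return None
    if version is None and not has_lookup:
        return None  # no log4j-core markers at all
    return JarFinding(path, version, has_lookup)


def classify(finding: JarFinding) -> str:
    """Map a finding to an action-oriented status string."""
    parsed = parse_version(finding.version)
    if parsed is None:
        # Shaded/repackaged jars often lose pom.properties; the class alone is the clue.
        return "unknown-version-jndi-present" if finding.jndi_lookup_present else "unknown-version"
    if parsed >= FIXED_VERSION:
        return "patched"  # 2.16.0 still ships the class but disables JNDI by default
    return "vulnerable" if finding.jndi_lookup_present else "mitigated-class-removed"


def scan_tree(root: str) -> List[JarFinding]:
    """Walk a directory tree and inspect every top-level .jar file found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f.path)


def _write_jar(path: str, version: Optional[str], include_lookup: bool) -> None:
    """Write a constructed minimal jar carrying only the markers the scanner reads."""
    with zipfile.ZipFile(path, "w") as jar:
        if version is not None:
            jar.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_lookup:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only


def demo() -> Dict[str, str]:
    """Build constructed sample jars in a temp dir, scan them, return {name: status}."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        _write_jar(os.path.join(lib, "vuln-2.14.1.jar"), "2.14.1", True)
        _write_jar(os.path.join(lib, "patched-2.16.0.jar"), "2.16.0", True)
        _write_jar(os.path.join(lib, "stripped-2.14.1.jar"), "2.14.1", False)
        _write_jar(os.path.join(lib, "shaded-app.jar"), None, True)
        _write_jar(os.path.join(lib, "unrelated.jar"), None, False)
        return {os.path.basename(f.path): classify(f) for f in scan_tree(root)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:30s} {name}")
```

Point scan_tree at a real application's lib directory to get the same report for its jars. Two caveats matter in practice: the scanner only opens top-level .jar files, so a log4j-core copy nested inside a WAR or EAR is missed, and a shaded "fat" jar that has dropped pom.properties surfaces only as unknown-version-jndi-present, which still deserves a manual look. The 2.16.0 sample is deliberately built with the JndiLookup class present, because that release keeps the class and disables JNDI by default; version, not mere class presence, is what decides the patched status.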
WHY IS IT NOTEWORTHY?
Log4j is practically omnipresent in the world of websites and all things Java. It is used to log information from the web applications developers build, both to aid debugging and for other tracking purposes. LDAP, RMI and other JNDI endpoints can serve as avenues for a threat actor to execute arbitrary code by exploiting the Log4j vulnerability. Many malicious actors and threat groups are already using this vulnerability to gain unauthorized access. Given the magnitude of the vulnerability, many expect confirmed detections to keep growing and mitigation to be slower than usual. Furthermore, NIST has given this vulnerability a CVSS base score of 10, the most critical rating.