CVE-2021-44228:
Apache Log4j2 Remote Code Execution Vulnerability (Log4Shell)
Score
A numerical rating that indicates how dangerous this vulnerability is.
10.0Critical- Published Date:Dec 10, 2021
- CISA KEV Date:Dec 10, 2021
- Industries Affected:20
Threat Predictions
- EPSS Score:94.4
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:CHANGED
Impact
- Score:6.0
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Apache Log4j2 Remote Code Execution Vulnerability (Log4Shell)
Overview
CVE-2021-44228, also known as Log4Shell, is a severe vulnerability in the Apache Log4j2 library that affects versions 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1). The vulnerability stems from the JNDI (Java Naming and Directory Interface) features used in configuration, log messages, and parameters that fail to protect against attacker-controlled LDAP and other JNDI-related endpoints. When message lookup substitution is enabled, an attacker who can inject malicious strings into logs can trigger remote code execution by forcing the application to connect to a malicious LDAP server. This vulnerability has been assigned a CVSS score of 10.0 (Critical) due to its ease of exploitation and severe impact. The vulnerability affects countless applications and services worldwide as Log4j is widely used in enterprise Java applications, cloud services, and web applications.
Remediation
- To remediate the Log4Shell vulnerability, take the following actions:
- 1. Update to a patched version:
- Update to Log4j 2.17.0 or later (recommended)
- For Java 8 environments: Update to Log4j 2.12.4 or later
- For Java 7 environments: Update to Log4j 2.3.2 or later
- 2. If immediate patching is not possible, implement one of these mitigations:
- Set system property: -Dlog4j2.formatMsgNoLookups=true
- Remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
- Configure the "NoLookups" flag for PatternLayout in the Log4j configuration
- 3. Implement network controls:
- Block outbound connections to unknown or suspicious domains
- Implement egress filtering to block LDAP/JNDI connections to external servers
- Deploy WAF rules to detect and block exploitation attempts
- 4. Scan your environment:
- Identify all applications using vulnerable Log4j versions
- Prioritize internet-facing applications for immediate remediation
- Use vulnerability scanners to detect vulnerable instances
- 5. Monitor for exploitation:
- Watch for suspicious outbound connection attempts
- Monitor logs for exploitation patterns like "${jndi:ldap://...}"
References
- 1. Apache Log4j Security Page: https://logging.apache.org/log4j/2.x/security.html
- 2. CISA Log4j Guidance: https://www.cisa.gov/apache-log4j-vulnerability-guidance
- 3. CERT Vulnerability Note VU#930724: https://www.kb.cert.org/vuls/id/930724
- 4. Microsoft's Response to Log4Shell: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
- 5. Oracle Security Alert for CVE-2021-44228: https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
- 6. CISA Log4j Affected Products Database: https://github.com/cisagov/log4j-affected-db
- 7. Cisco Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
- 8. NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20211210-0007/
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
