WHAT TO KNOW [AND DO]
Log4j/Log4Shell Vulnerability
In November 2021, the cybersecurity landscape was rocked by the discovery of a severe vulnerability within Apache Log4j. CVE-2021-44228, more commonly referred to as Log4Shell, exploited a critical flaw enabling attackers to execute remote code on affected systems.Due to its widespread usage, the Log4Shell vulnerability posed an unprecedented threat to millions of endpoints across the globe. Security researcher Chen Zhaojun first identified the vulnerability, which was immediately recognized for its extreme severity, and given a CVSS score of 10 out of 10. The discovery set off a flurry of activity as organizations scrambled to mitigate the risk, marking the beginning of an ongoing battle against the exploit and its evolving variants.
First, Focus on Remediating Log4j
What To Do Right Now
The Apache Log4Shell vulnerability has put hundreds of millions of endpoints at risk. And with new variants appearing almost daily, the saga goes on and on.
However, not every new variant is equal, nor are they all likely to be exploited. At its core, Log4Shell is a vulnerability and should be treated as such. Remediating Log4j CVE-2021-44228, the default configuration, should be your priority.
Beware the Hype
Not every new Log4Shell vulnerability is critical. Keep calm and patch on.
While new variants of the original Log4Shell vulnerability have emerged with each new update, keep in mind that these vulnerabilities are not all equal. For instance, CVE-2021-44832, a vulnerability in Apache Log4j versions through 2.17.0, allows an attacker to execute code arbitrarily.
Alarming? Yes. Severe? No. Apache scores this vulnerability as a moderate CVSS 6.6/10. To exploit this CVE, an attacker needs to modify logging configuration files, a privilege that would likely indicate the infrastructure is already compromised.
Parse the Log4j release website directly to determine how severely your infrastructure will be impacted by subsequent Log4Shell vulnerabilities.
November 24, 2021
Security researcher Chen Zhaojun discovers the now infamous CVE-2021-44228 or “Log4Shell” vulnerability that allows unauthenticated attackers to execute remote code on vulnerable systems, scoring a CVSS of 10 out of a possible 10. Log4j versions 2.0-beta9 up to 2.14.1 are affected.
December 6, 2021
Apache Log4j releases version 2.15.0 to remediate the vulnerability. Shortly after, CVE-2021-45046 is discovered (a flaw that eventually netted a CVSS of 9.0/10) after further research leads to the discovery that this vulnerability allowed for remote code execution by an attacker. Log4j versions 2.0-beta9 to 2.15.0 are affected, excluding 2.12.2.
December 13, 2021
Version 2.16.0 of Apache Log4j is released to remediate. Yet another vulnerability is discovered — CVE-2021-45105, a CVSS 5.9/10 denial of service vulnerability due to infinite recursion in lookup evaluation. Log4j versions 2.0-beta9 to 2.16.0 are affected, excluding 2.12.3.
December 18, 2021
The Log4j team releases version 2.17.0 to fix the denial of service vulnerability.
December 28, 2021
Yet another patch, version 2.17.1, is released, this time to remediate CVE-2021-44832, a CVSS 6.6/10 that allows code execution by attackers with permissions to modify the logging configuration file.
Resources
