Threat Signal ReportLog4j 2.17.0 Released In Response to New Log4j Vulnerability (CVE-2021-45105)
Description
FortiGuard Labs is aware that the Apache Software Foundation released Log4j version 2.17.0 on December 18th 2021 in response to a new Log4j vulnerability (CVE-2021-45105). This is the third Log4j version Apache released since December 10th 2021. CVE-2021-45105 is identified as a Denial of Service (DoS) vulnerability.
Why is this Significant?
This is significant because CVE-2021-45105 is the latest vulnerability in Log4j that was revealed by Apache. Log4j version 2.17.0 marks the third update made by Apache since December 10th in response to a series of Log4j vulnerabilities with two of them being rated as critical.
What is CVE-2021-45105?
Apache describes CVE-2021-45105 as the following:
"Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack".
A CVSS score of 7.5 and severity of high were assigned to the vulnerability.
What Versions of Log4j are Vulnerable?
All Log4j versions from 2.0-beta9 to 2.16.0.
Has the Vendor Released an Advisory for CVE-2021-45105?
Yes, Apache released an advisory for CVE-2021-45105 on December 18th. See Appendix for a link to Fixed in Log4j 2.17.0 (Java 8).
Has the Vendor Released a Fix for CVE-2021-45105?
Yes, Log4j version 2.17.0 was released on December 18th 2021 to fix the issue.
What is the Status of Coverage?
Based on the available Proof-of-Concept code, exploit attempts are detected by IPS signature "Apache.Log4j.Error.Log.Remote.Code.Execution".
Any Suggested Mitigation?
Apache provided the following mitigation information:
Log4j 1.x mitigation
Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation
Implement one of the following mitigation techniques:
Java 8 (or later) users should upgrade to release 2.17.0.
Alternatively, this can be mitigated in configuration:
In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.
Outbreak Alert
A 0-day exploit was discovered on a popular Java library Log4j2 that can result to a Remote Code Execution (RCE). This is a widely deployed library, and while systems protected by Fortinet Security Fabric are secured by the protections below, all systems need to upgrade ASAP as this is 10.0 severity. Due to the high visibility and attention, subsequent vulnerabilities have since emerged
