virus logo Threat Signal Report

Log4j 2.17.1 Released for CVE-2021-44832

Description

NOTE: 12/30 IPS signature information added

FortiGuard Labs is aware of a newly disclosed remote code execution vulnerability affecting Log4j. Assigned CVE-2021-44832, this vulnerability allows for a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.


There has been confusion on Twitter as to whether this is actually a remote code execution (RCE) or arbitrary code execution (ACE) vulnerability. Researcher Yaniv Naziry (@YNizry) initially stated today that a new RCE vulnerability related to Log4j is to be announced, and later retracted their initial statement confirming that it is indeed arbitrary code execution and not remote code execution.


Compounding matters, Apache classifies CVE-2021-44832 as a remote code execution vulnerability. In the writeup for CVE-2021-44832, Apache states that the attacker needs permission to "modify the logging configuration file" to successfully exploit this vulnerability which is not indicative of an RCE. CVE-2021-44832 is fixed in Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6).


What is Arbitary Code Execution and Remote Code Execution?

Arbitrary code execution (ACE) results from a flaw in software or hardware that allows for an attacker to target a specific machine or process to run code of their choice. Remote Code Execution (RCE) allows for an attacker to arbitrarily execute code remotely on a wide area network, such as the Internet.


What Versions of Log4J are Affected?

All versions from 2.0-alpha7 to 2.17.0, excluding 2.3.2 and 2.12.4.


What is the CVSS Score?

6.6 (MODERATE)


What is the Status of Coverage?

Customers running the latest IPS definitions (19.231) are protected against exploitation of CVE-2021-44832 by the following signature:

Apache.Log4j.Error.Log.Configuration.File.Remote.Code.Execution


What Mitigation is Suggested?

According to Apache, the following Mitigation is available:


Log4j 1.x mitigation

Log4j 1.x is not impacted by this vulnerability.


Log4j 2.x mitigation

Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).

In prior releases confirm that if the JDBC Appender is being used it is not configured to use any protocol other than Java. Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.

description-logoOutbreak Alert

A 0-day exploit was discovered on a popular Java library Log4j2 that can result to a Remote Code Execution (RCE). This is a widely deployed library, and while systems protected by Fortinet Security Fabric are secured by the protections below, all systems need to upgrade ASAP as this is 10.0 severity. Due to the high visibility and attention, subsequent vulnerabilities have since emerged

View the full Outbreak Alert Report

Appendix

Apache Log4j Security Vulnerabilities (Apache)

@YNizry (Twitter)


ID 85
Date Dec 28, 2021
Outbreak Alert Log4j2 Vulnerability
Threat/
Vulnerability		 Code Execution
FortiGate Device Triggered N/A
Threat Actor Type N/A
Experienced a Breach? We're here to help FortiGuard Incident Response Services
FortiGuard Incident Response Services
Outbreak Alert Outbreak Alert