CVE-2021-44832: RCE in log4j 2.17.0 #218

Closed
adammike opened this issue Dec 28, 2021 · 14 comments
Labels: enhancement (New feature or request), patch released

Comments

adammike commented Dec 28, 2021

log4j 2.17.1 has been released to resolve CVE-2021-44832, a new RCE

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
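A configuration-level check for the pattern the advisory describes above (a JDBC appender whose DataSource carries a JNDI name outside the java protocol). This is an added example, not log4j2-scan's code; both XML configs are constructed, and the rule that a scheme-less name counts as a local lookup is an assumption.

```python
"""Flag Log4j2 configs whose JDBC appender DataSource carries a JNDI name
outside the java protocol, the condition CVE-2021-44832 depends on.
Added example, not log4j2-scan code; both configs below are constructed."""
import xml.etree.ElementTree as ET

SAFE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="db" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>"""

# Same config with the DataSource pointed at a non-java JNDI scheme; this is
# the shape 2.17.1 / 2.12.4 / 2.3.2 refuse to load. Host is a placeholder.
SUSPECT_CONFIG = SAFE_CONFIG.replace(
    "java:comp/env/jdbc/LoggingDataSource", "ldap://placeholder.example/x")


def jndi_name_is_local(name: str) -> bool:
    """Mirror the 2.17.1 rule: only the java protocol is accepted.
    Assumption: a name with no scheme is a plain local lookup and is allowed."""
    scheme, sep, _ = name.partition(":")
    return sep == "" or scheme.lower() == "java"


def find_unsafe_datasources(config_xml: str) -> list:
    """Return (appender name, jndiName) for each JDBC DataSource that is not
    a java: lookup. Only the <JDBC> element form is handled here, not the
    generic <Appender type="JDBC"> form."""
    root = ET.fromstring(config_xml)
    return [(jdbc.get("name"), ds.get("jndiName", ""))
            for jdbc in root.iter("JDBC")
            for ds in jdbc.iter("DataSource")
            if not jndi_name_is_local(ds.get("jndiName", ""))]


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("suspect", SUSPECT_CONFIG)):
        print(label, find_unsafe_datasources(cfg))
```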

@xeraph xeraph self-assigned this Dec 29, 2021
@xeraph xeraph added the enhancement New feature or request label Dec 29, 2021
naudob commented Dec 29, 2021

Do we know if a newer version to detect this new vulnerability will be released as well?
Thanks!

xeraph (Contributor) commented Dec 29, 2021

@adammike @naudob I'm on it. Within 1 hour.

xeraph (Contributor) commented Dec 29, 2021

@adammike @naudob Would you test v2.6.5 release?

naudob commented Dec 29, 2021

Thanks @xeraph, appreciate it - will let you know. Do you happen to know if there's one to run for 32-bit?

xeraph (Contributor) commented Dec 29, 2021

@naudob No... GraalVM does not support native image builds for 32-bit. Use the JAR version instead.
See oracle/graal#1329

@miyou361

Love this tool! - Was curious since deleting the JDBCAppender class would mitigate CVE-2021-44832, why not make that a switch in the tool for users to have a temporary mitigation while they work on getting the full patch?

xeraph (Contributor) commented Dec 29, 2021

@miyou361 Unlike JMSAppender, JDBC logging is a more common configuration. I need more user feedback.
I don't think CVE-2021-44832 is a serious threat. If anyone can edit the configuration file, it is already breached.

arnarthor88 commented Dec 29, 2021

Tested on a few servers. Successfully detected the 2.17 version on them.
I'm curious, does the scanner just detect that the log4j version is 2.17, or does it search for certain vulnerable configuration within version 2.17? :) @xeraph

C:\admin>log4j2-scan.exe --all-drives
Logpresso CVE-2021-44228 Vulnerability Scanner 2.6.5 (2021-12-29)
Scanning drives: C:\, F:\

Running scan (10s): scanned 6412 directories, 20149 files, last visit: ***REDACTED***
Running scan (20s): scanned 13988 directories, 53841 files, last visit: ***REDACTED***
Running scan (30s): scanned 20557 directories, 94922 files, last visit: ***REDACTED***
Running scan (40s): scanned 23369 directories, 114471 files, last visit: C:\Program Files\Microsoft SDKs\Azure\.NET SDK\v2.9\bin\runtimes\NET45\base\x86
Skipping broken jar file C:\Program Files (x86)\Android\android-sdk\build-tools\28.0.3\lib\apksigner.jar ('unsupported feature data descriptor used in entry META-INF/')
Skipping broken jar file C:\Program Files (x86)\Android\android-sdk\build-tools\28.0.3\lib\dx.jar ('unsupported feature data descriptor used in entry META-INF/')
Skipping broken jar file C:\Program Files (x86)\Android\android-sdk\build-tools\29.0.2\lib\apksigner.jar ('unsupported feature data descriptor used in entry META-INF/')
Skipping broken jar file C:\Program Files (x86)\Android\android-sdk\build-tools\29.0.2\lib\dx.jar ('unsupported feature data descriptor used in entry META-INF/')
Running scan (50s): scanned 26488 directories, 131679 files, last visit: C:\Program Files (x86)\Android\android-sdk\platforms\android-28
Running scan (60s): scanned 31806 directories, 153129 files, last visit: C:\Program Files (x86)\Android\android-sdk\tools\lib\monitor-x86\plugins
Running scan (70s): scanned 32019 directories, 155580 files, last visit: C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\actionsite\__Local
Running scan (80s): scanned 47036 directories, 193113 files, last visit: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\ModelBuilder\AzCopyService\fr
Running scan (90s): scanned 51829 directories, 228482 files, last visit: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VisualStudio\NodeJs\node_modules\npm\node_modules\cliui
Running scan (100s): scanned 56943 directories, 257466 files, last visit: C:\Program Files (x86)\Windows Kits\10\Lib\10.0.17763.0\um\arm64
Running scan (110s): scanned 65237 directories, 279392 files, last visit: C:\ProgramData\JetBrains\TeamCity\system\artifacts\***REDACTED***
Running scan (120s): scanned 76279 directories, 297007 files, last visit: C:\ProgramData\JetBrains\TeamCity\system\artifacts\***REDACTED***
[*] Found CVE-2021-44832 (log4j 2.x) vulnerability in C:\ProgramData\JetBrains\TeamCity\system\caches\plugins.unpacked\Octopus.TeamCity\server\log4j-core-2.17.0.jar, log4j 2.17.0
Running scan (130s): scanned 79502 directories, 318127 files, last visit: C:\ProgramData\JetBrains\TeamCity\system\caches\pluginsDslCache\jars\python-runner
Running scan (141s): scanned 83266 directories, 339253 files, last visit: C:\TeamCity\.old\webapps\ROOT\WEB-INF\lib
Running scan (171s): scanned 83538 directories, 340253 files, last visit: C:\TeamCity\.old\webapps\ROOT\WEB-INF\plugins\dotNetRunners\agent
Running scan (181s): scanned 83718 directories, 341555 files, last visit: C:\TeamCity\buildAgent\lib\spring-scripting
[*] Found CVE-2021-44832 (log4j 2.x) vulnerability in C:\TeamCity\buildAgent\plugins\Octopus.TeamCity\lib\log4j-core-2.17.0.jar, log4j 2.17.0
Running scan (191s): scanned 83987 directories, 342838 files, last visit: C:\TeamCity\buildAgent\plugins\s3-artifact-storage-agent\lib
[*] Found CVE-2021-44228 (log4j 2.x) vulnerability in C:\TeamCity\buildAgent\tools\jps\lib\scala-plugin\incremental-compiler.jar, log4j 2.8.1 (mitigated)
Running scan (201s): scanned 84939 directories, 346709 files, last visit: C:\TeamCity\buildAgent\work\9b4ff4202777acb3\Core\Cts.Core.Mobile.Droid\obj\Release\100\lp\34\jl\bin
Running scan (211s): scanned 94463 directories, 375333 files, last visit: C:\TeamCity\lib
Running scan (223s): scanned 94888 directories, 378856 files, last visit: C:\TeamCity\webapps\ROOT\WEB-INF\plugins\.unpacked\configs-dsl\dokka
Running scan (243s): scanned 95165 directories, 379856 files, last visit: C:\TeamCity\webapps\ROOT\WEB-INF\plugins\dotNetRunners\server
Running scan (253s): scanned 96820 directories, 389158 files, last visit: C:\Temp\TagReader\Release\100\lp\16\jl\bin
Running scan (263s): scanned 104014 directories, 402534 files, last visit: C:\Users\***REDACTED***
Running scan (273s): scanned 118558 directories, 427400 files, last visit: C:\Users\***REDACTED***
Running scan (283s): scanned 138436 directories, 462925 files, last visit: C:\Users\***REDACTED***
Running scan (293s): scanned 152823 directories, 483752 files, last visit: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\***REDACTED***
Running scan (303s): scanned 176952 directories, 516240 files, last visit: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\***REDACTED***
Running scan (313s): scanned 199649 directories, 550885 files, last visit: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\***REDACTED***
Running scan (323s): scanned 211996 directories, 587493 files, last visit: C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2330.1.9\amd64_microsoft-windows-fsutil.resources_31bf3856ad364e35_10.0.17763.1852_fr-fr_59085c0493c65132\r
Running scan (336s): scanned 234506 directories, 643048 files, last visit: C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~17763.2366.1.5
Running scan (374s): scanned 264331 directories, 724133 files, last visit: C:\Windows\servicing\Packages
Running scan (385s): scanned 266743 directories, 784170 files, last visit: C:\Windows\WinSxS
Running scan (395s): scanned 285672 directories, 822326 files, last visit: C:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_users_res_b03f5f7f11d50a3a_4.0.15744.161_none_d2b089d7b1df473e
Running scan (411s): scanned 287950 directories, 867967 files, last visit: C:\Windows\WinSxS\Manifests
Running scan (421s): scanned 304358 directories, 910571 files, last visit: C:\Windows\WinSxS\Temp\InFlight\c70c269d6035d701812300005424a801\amd64_microsoft-windows-mfcore_31bf3856ad364e35_10.0.17763.1697_none_3e4d9d2029126362\f
Running scan (431s): scanned 331500 directories, 924967 files, last visit: C:\Windows\WinSxS\x86_microsoft-windows-s..-installers-onecore_31bf3856ad364e35_10.0.17763.611_none_0482d640729e2287

Scanned 333377 directories and 928594 files
Found 2 vulnerable files
Found 0 potentially vulnerable files
Found 1 mitigated files
Completed in 432.82 seconds

naudob commented Dec 29, 2021

@xeraph @arnarthor88 I also had a similar question. If we ran the previous version for mitigations up to 2.16, does that mean they are mitigated for this new vulnerability since the files were archived or do we need to run the new one to remove certain files for this new vulnerability? Thanks

xeraph (Contributor) commented Dec 29, 2021

@arnarthor88 The scanner just checks the version.

@naudob If you already ran the scanner and fixed log4j 2.x binaries at 2.16 or below, or log4j 1.x binaries, there is no further mitigation patch.
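What a version-only check like the one xeraph describes looks like for CVE-2021-44832, using Apache's stated range (2.0-beta7 through 2.17.0, excluding 2.3.2 and 2.12.4) and the JdbcAppender class removal miyou361 raised earlier as the "mitigated" signal. This is an added example, not log4j2-scan's own code; the jar is constructed in memory with empty class entries, and reading the version from pom.properties is an assumption about how a scanner would find it.

```python
"""Version-based check of a log4j-core jar for CVE-2021-44832, the way a
scanner that 'just checks version' works. Added example, not log4j2-scan
code; the jar is constructed in memory, the class paths are log4j-core's."""
import io
import re
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JDBC_APPENDER = "org/apache/logging/log4j/core/appender/db/jdbc/JdbcAppender.class"
FIXED_44832 = {(2, 3, 2), (2, 12, 4), (2, 17, 1)}  # per-branch fix releases


def parse_version(text: str) -> tuple:
    """'2.17.0' -> (2, 17, 0, 1); '2.0-beta7' -> (2, 0, 0, 0, 'beta', 7).
    The 4th element orders a pre-release before the final of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    return (major, minor, patch, 0, m[4], int(m[5])) if m[4] else (major, minor, patch, 1)


def is_vulnerable_44832(version: str) -> bool:
    """Apache's range: 2.0-beta7 through 2.17.0, excluding 2.3.2 and 2.12.4."""
    v = parse_version(version)
    return (parse_version("2.0-beta7") <= v <= parse_version("2.17.0")
            and v[:3] not in FIXED_44832)


def build_jar(version: str, with_jdbc: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar (empty class files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"")
        if with_jdbc:
            zf.writestr(JDBC_APPENDER, b"")
    return buf.getvalue()


def inspect_jar(jar_bytes: bytes) -> dict:
    """Read the Maven version from pom.properties; a vulnerable jar whose
    JdbcAppender class has been removed is reported as mitigated."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        props = zf.read(POM).decode() if POM in names else ""
    m = re.search(r"^version=(.+)$", props, re.M)
    version = m[1].strip() if m else None
    vulnerable = version is not None and is_vulnerable_44832(version)
    return {"version": version, "cve_2021_44832": vulnerable,
            "mitigated": vulnerable and JDBC_APPENDER not in names}
```

Run it over `build_jar("2.17.0")`, `build_jar("2.17.1")` and `build_jar("2.17.0", with_jdbc=False)` to see the three outcomes the scanner log above distinguishes (vulnerable, clean, mitigated).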

naudob commented Dec 29, 2021

Thanks @xeraph, appreciate your great work. So just to confirm: if I have a server and I ran the previous Logpresso version where it detects up to 2.15 or 2.16, and my current server does not have version 2.17, I do not need to re-run again? Thank you

xeraph (Contributor) commented Dec 29, 2021

@naudob Sure.

@miyou361

@xeraph - Understood on the increased potential for app breakage due to broader use of JDBCAppender, hence the suggestion of making it an option (flag) to remove, just like the v1 fix. One item along this same train of thought is that I believe a number of people may not understand which specific CVEs are actually mitigated when the fix flag and v1 flag are set, so I've taken a stab at it here:

The following CVEs are NOT mitigated by any of the current tool fix options:

The following CVEs ARE mitigated when all current fix flags are used:

Might be helpful to slightly modify the project overview text to directly state which items are only detected, vs which ones can be mitigated with the tool. I welcome correction on the above if appropriate.

xeraph (Contributor) commented Jan 2, 2022

@miyou361 Added --fix coverage to README. Thank you for the suggestion.

@xeraph xeraph closed this as completed Jan 2, 2022
5 participants