1.Vulnerability description
Log4j is an open source log component implemented by Apache. Logback is also designed by the author of log4j. It has better features and is a log framework used to replace log4j. It is the native implementation of slf4j. Log4j2 is an improved version of log4j 1.x and logback. It is said to have adopted some new technologies (lock-free asynchronous, etc.), making the log throughput and performance 10 times higher than log4j 1.x, and solving some deadlock problems. bugs, and the configuration is simpler and more flexible. This log framework is widely used in business systems to record log information. The Apache Log4j2 component has once again been exposed to a denial of service vulnerability.Vulnerability number: CVE-2021-45105, vulnerability threat level: high risk
Apache Log4j2 versions including 2.16.0 do not prevent uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default schema layout and context lookup (for example, $${ctx:loginId}), an attacker who controls the thread context map (MDC) input data can manually create malicious input data that contains a recursive lookup, resulting in StackOverflowError will terminate the process. This is also known as a DOS (Denial of Service) attack.
Since the Apache log4j2 remote code execution vulnerability (CVE-2021-44228) was widely spread on the Internet on December 9, multiple security vulnerabilities have been discovered in Apache log4j2-related components, and officials have successively released 2.15.0-rc1 and 2.15 .0-rc2, 2.15.0, 2.15.1-rc1, 2.16.0, 2.17.0 and other upgraded versions.
2. Supply chain impact
According to non-authoritative statistics, there are estimated to be more than 170,000 open source components that directly and indirectly reference Log4j. Currently known affected applications and components include: Apache Solr, Apache Struts2, Apache Flink, Apache Druid, Apache Log4j SLF4J Binding, spring-boot-strater-log4j2, Hadoop Hive, ElasticSearch, Jedis, Logging, Logstash and VMware and more products, etc.
Since the impact of this vulnerability is global, the products of major foreign well-known companies and organizations are affected, such as Amazon, Apache, Atlassian, Cisco, Debian, Docker, Fortinet, Google, IBM, Intel, Juniper Networ, Microsoft, Oracle, Red Hat, Ubuntu and VMware, etc.
The CVE-2021-44228 vulnerability is easy to exploit, the default configuration can be exploited remotely, and the PoC/EXP has been made public on the Internet, and has been widely exploited by cybercriminal groups.
3. Scope of impact of the vulnerability
CVE-2021-4104: Apache Log4j 1.2
CVE-2021-44228: Apache Log4j 2.0-beta9 – 2.12.1, Apache Log4j 2.13.0 – 2.15.0-rc1
CVE-2021-45046: Apache Log4j 2.0-beta9 – 2.12.1, Apache Log4j 2.13.0-2.15.0
4.Affected version
CVE-2021-44228 Apache Log4j remote code execution vulnerability:
2.0-beta9 <=Apache Log4j 2.x < 2.15.0 (version 2.12.2 is not affected)
CVE-2021-45046 Apache Log4j Denial of Service and Remote Code Execution Vulnerability:
2.0-beta9 <=Apache Log4j 2.x < 2.15.0 (version 2.12.2 is not affected)
CVE-2021-4104 ApacheLog4j 1.2 JMSAppender remote code execution vulnerability:
Apache Log4j =1.2
CVE-2021-45105 Apache Log4j2 Denial of Service Vulnerability:
2.0-beta9 <=Apache Log4j<= 2.16.0
5. Repair suggestions:
1. Official upgrade to the latest version
https://github.com/apache/logging-log4j2/tags
2. Deploy RASP (Runtime application self-protection) for runtime application self-protection.
6. Reference:
https://www.venustech.com.cn/new_type/aqtg/20211216/23340.html
https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524
https://github.com/jas502n/Log4j2-CVE-2021-44228
https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html
Original article, author: Chief Security Officer, if reprinted, please indicate the source: https://cncso.com/en/apache-log4j2-component-denial-of-service.html
