Log4j Critical Vulnerability

Last updated - 01/03/2021

This vulnerability knowledge base only applies to applications and servers running Java and only to log4j.  The following actions only apply to Department and Research System, Server, and Application Administrators. Due to a new security vulnerability, please check your Java libraries for log4j and take the actions outlined below as appropriate. This critical new vulnerability could lead to an attacker gaining control of your server.  No action required for all other users.

Description: On Thursday, December 9th, news broke about the "Log4shell" vulnerability. This high severity vulnerability allows for unauthenticated remote code execution in systems running Apache Log4j 2.17.0 or below. Within hours of the advisory release, cybercriminals started exploiting the vulnerability to execute ransomware attacks.  Within 2 days over 250 organizations including Apple, Twitter, and Microsoft had been successfully attacked.  The U.S. Cybersecurity and Infrastructure Security Agency (CISA)  issued an emergency directive requiring Federal agencies to immediately mitigate Apache Log4j vulnerabilities.

ITS engineering and internal security teams collaboratively reviewed our systems and patched Log4J instances or put in mitigating controls on critical systems.  To help protect our systems and data over the holiday break, the Executive Team authorized extreme measures to block connections to externally facing servers from the internet. While several patches were issued during this time, every week has brought announcements of additional vulnerabilities in this software.

Evidence from our firewalls indicates that these blocks are being constantly bombarded with ransomware attempts. Should one of these attacks succeed the cost to Mines is likely to exceed $5Millon including a 3 week period with no IT services.  To avoid this impact, every externally facing server must be reviewed for the presence of log4j and mitigated before opening the service back up to the internet.

Required Actions: System administrators with servers on the Mines’ network must check their servers and any software to see if the Apache Log4j library is present or being used by any software running on the machine, including software written by a vendor. If log4j is present, it must be mitigated by updating to the appropriate, patched version before the connection to the internet can be safely restored through whitelisting on the firewall.

  1. Scan for the presence of log4j on the server using the following cross platform scripts:
  2. Mitigate any vulnerable instances of log4j
    • Eliminate the file or use the patches in the table below.
    • If you are using a third party or cloud application, contact your vendor to see if this vulnerability applies to their application and what their plans are to fix it.  Only use this option for applications that you own.  ITS has already taken action to protect common applications like email, Banner, etc.
  3. Provide the scan results, a summary of the actions taken, and any attestations from software or cloud vendors that the software is not vulnerable or has been patched in a Log4j Firewall Whitelist or Change Request.

CVE

Patched in 
(Java 8+)*
Severity

CVSS Score

Brief Description of Vulnerability

CVE-2021-44832

 

2.17.1

Moderate

6.6/10.0

RCE (Remote Code Execution where an attacker HAS modify permissions against the logging configuration file)

CVE-2021-45105

2.17.0 Moderate

5.9/10.0

DoS (Denial of Service through a recursive look-up resulting in a StackOverflowError)

CVE-2021-45046

2.17.3 Critical

9.0/10.0

Local code execution in all vulnerable environments, information leak & RCE (Remote Code Execution) across some environments (vendor question: what's the status of OUR environments?)

CVE-2021-44228

2.17.0 Critical

10.0/10.0

RCE (Remote Code Execution)

* - if using Java 6 or 7, please reference https://logging.apache.org/log4j/2.x/security.html for patched version information 

 

Additional Information: You can find additional information on the Log4j vulnerability and additional mitigation actions at these sites:

If you have questions about this vulnerability please contact via email at security@mines.edu.

Details

Article ID: 137232
Created
Fri 12/10/21 1:07 PM
Modified
Wed 1/5/22 4:34 PM