Cyber Forum
Log4j Vulnerability Information
<blockquote data-quote="Ian Andriechack" data-source="post: 2487" data-attributes="member: 78"><p>According to a <a href="https://logging.apache.org/log4j/2.x/security.html" target="_blank">new Apache Log4j security bulletin</a>, version 2.15.0 and the initially suggested mitigation measures do not completely address Log4Shell in certain custom configurations.</p><p></p><p>It was discovered that version 2.15.0 would still be vulnerable when the configuration has a pattern layout containing a Context Lookup (for example, <code>$${ctx:loginId}</code>), or a Thread Context Map pattern <code>%X</code>, <code>%mdc</code>, or <code>%MDC</code>. In these cases, when the attacker manages to control the Thread Context values, JNDI lookup injections may be possible, resulting in JNDI connections. Version 2.15.0 limited JNDI connections to 'localhost', but this possibility could result in a denial of service (DoS) or worse.</p><p></p><p>Therefore, a new version (2.16.0) has been made available to completely fix the issue (so far at least) associated with CVE-2021-45046, along with more effective mitigation measures for 2.x versions:</p><p></p><ul> <li data-xf-list-type="ul">Java 8 (or later) users should upgrade to release 2.16.0.</li> <li data-xf-list-type="ul">Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).</li> <li data-xf-list-type="ul">Otherwise, remove the JndiLookup class from the classpath: <code>zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class</code></li> </ul><p>The mitigation measures previously reported, such as setting the <code>log4j2.formatMsgNoLookups</code> variable to 'true', are not considered fully effective.
The advisory says:</p><p></p><p>"<em>The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors.</em>"</p><p></p><p>So, if you could not upgrade to versions 2.15.0 or 2.16.0 and followed previous mitigations, <strong>you are advised to remove the JndiLookup class from the log4j-core jar</strong> to mitigate the vulnerability.</p><p></p><p>The advisory is available at: <a href="https://logging.apache.org/log4j/2.x/security.html" target="_blank">https://logging.apache.org/log4j/2.x/security.html</a></p><p></p><p>Source: <a href="https://isc.sans.edu/diary/rss/28134" target="_blank">https://isc.sans.edu/diary/rss/28134</a></p></blockquote><p></p>
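<p>An added example (not from the post above or the Log4j project) that turns the bulletin's advice into an audit: it reads the release from a log4j-core jar's file name, reports whether <code>JndiLookup.class</code> is still inside, applies the 2.16.0 / 2.12.2 thresholds from the post, and strips the class the same way the <code>zip -q -d</code> command does. The sample jar it builds is a constructed stand-in with stub entries, not a real Log4j build.</p>

```python
# Added example, not from the forum post or the Log4j project.
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(jar_name):
    """log4j-core-2.14.1.jar -> (2, 14, 1); None if the name carries no version."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar", jar_name)
    return tuple(int(x) for x in m.groups()) if m else None

def is_fixed(version):
    """Thresholds from the bulletin: 2.16.0+, or 2.12.2+ on the Java 7 line."""
    if version[:2] == (2, 12):
        return version >= (2, 12, 2)
    return version >= (2, 16, 0)

def audit_jar(path):
    """Report the release, whether JndiLookup.class is present, and what to do."""
    version = parse_version(Path(path).name)
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    if not has_jndi:
        action = "none: JndiLookup.class already absent"
    elif version and is_fixed(version):
        action = "none: fixed release"
    else:
        action = "remove JndiLookup.class or upgrade"
    return {"version": version, "has_jndi_lookup": has_jndi, "action": action}

def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class, as `zip -q -d` does; keeps a .bak copy."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(".jar.bak"))
    tmp = path.with_suffix(".jar.tmp")
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        removed = JNDI_CLASS in src.namelist()
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    shutil.move(str(tmp), str(path))
    return removed

def make_sample_jar(version):
    """Constructed stand-in for a log4j-core jar (stub entries, not real bytecode)."""
    path = Path(tempfile.mkdtemp()) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        jar.writestr(JNDI_CLASS, b"stub")
    return path
```

<p>Run <code>audit_jar</code> over every log4j-core jar found on a host (shaded or nested jars need unpacking first, which this does not do), and only call <code>strip_jndi_lookup</code> on the ones it flags; a restart of the JVM is still required for the change to take effect.</p>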