https://isc.sans.edu/diary/Log4j+2.15.0+and+previously+suggested+mitigations+may+not+be+enough/28134

SANS ISC: Log4j 2.15.0 and previously suggested mitigations may not be enough

Published: 2021-12-14
Last Updated: 2021-12-14 20:55:02 UTC
by Renato Marinho (Version: 1)

According to a new Apache Log4j security bulletin, version 2.15.0 and the initially suggested mitigation measures do not completely address the Log4Shell vulnerability in certain custom configurations.

It was discovered that version 2.15.0 is still vulnerable when the logging configuration has a pattern layout containing a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC). In these cases, when an attacker manages to control Thread Context values, JNDI lookup injection may still be possible, resulting in JNDI connections. Version 2.15.0 limited JNDI connections to 'localhost', but this could still result in a denial of service (DoS) or worse.

Therefore, a new version (2.16.0) has been made available to completely fix the issue (so far at least), tracked as CVE-2021-45046, along with more effective mitigation measures for the 2.x versions:

* Java 8 (or later) users should upgrade to release 2.16.0.
* Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
* Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The mitigation measures previously reported, such as setting the log4j2.formatMsgNoLookups property to 'true', are not considered fully effective. The advisory says:

"The reason these measures are insufficient is that, in addition to the Thread Context attack vector mentioned above, there are still code paths in Log4j where message lookups could occur: known examples are applications that use Logger.printf("%s", userInput), or applications that use a custom message factory, where the resulting messages do not implement StringBuilderFormattable. There may be other attack vectors."

So, if you could not upgrade to version 2.15.0 or 2.16.0 and relied on the previous mitigations, you are advised to remove the JndiLookup class from the log4j-core jar to mitigate the vulnerability.

The advisory is available at: https://logging.apache.org/log4j/2.x/security.html

-- Renato Marinho
Morphus Labs | LinkedIn | Twitter
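Two checks a defender would want to script after reading the advisory: whether a log4j-core jar still contains JndiLookup.class (and a rewrite that removes it, equivalent to the zip -d command above), and whether a log4j2 configuration uses the Context Lookup or Thread Context Map patterns that keep 2.15.0 exposed. This is an added example, not code from the ISC diary or from the Log4j project; the jar and the configuration fragment are constructed in the block, and the function names are my own.

```python
import io
import re
import zipfile
# Entry the advisory tells you to delete from log4j-core when upgrading is not possible.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Layout features the advisory names as still reaching lookups in 2.15.0: a Context Lookup
# (${ctx:...} / $${ctx:...}) or a Thread Context Map pattern %X, %mdc or %MDC.
CTX_PATTERNS = re.compile(r"\$\$?\{ctx:[^}]*\}|%X\b|%mdc\b|%MDC\b")

def jar_entries(jar_bytes: bytes) -> list:
    """Entry names of an in-memory jar (a jar is just a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.namelist()

def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still ships JndiLookup.class."""
    return JNDI_LOOKUP in jar_entries(jar_bytes)

def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class (what the advisory's zip -d command does)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name != JNDI_LOOKUP:
                dst.writestr(name, src.read(name))
    return out.getvalue()

def risky_layout_patterns(config_text: str) -> list:
    """Context Lookup / Thread Context Map patterns found in a log4j2 configuration."""
    return CTX_PATTERNS.findall(config_text)

def make_sample_jar(include_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core.jar with empty class entries (not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP, b"")
    return buf.getvalue()

# Constructed log4j2.xml fragment: the first layout is plain, the second uses %X and $${ctx:}.
SAMPLE_CONFIG = """<Configuration><Appenders>
  <Console name="plain"><PatternLayout pattern="%d %p %c{1.} [%t] %m%n"/></Console>
  <Console name="risky"><PatternLayout pattern="%d %p user=%X{loginId} ctx=$${ctx:loginId} %m%n"/></Console>
</Appenders></Configuration>"""

if __name__ == "__main__":
    jar = make_sample_jar(include_jndi=True)
    print("present:", jar_has_jndi_lookup(jar), "after strip:", jar_has_jndi_lookup(strip_jndi_lookup(jar)))
    print("risky patterns:", risky_layout_patterns(SAMPLE_CONFIG))
```

On a real deployment, feed strip_jndi_lookup the bytes of the actual log4j-core jar and write the result back; a configuration that reports no risky patterns still needs the upgrade, since the advisory lists other lookup paths such as Logger.printf.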