ALERT: Update Apache Log4j utility to address zero-day vulnerability

12/10/2021

The information below was sent to U-M IT groups via email on December 10, 2021. It is intended for U-M IT staff who are responsible for university servers running the Apache Log4j Java-based logging utility, or running applications that have Log4j embedded.

Summary

A zero-day exploit is affecting the Apache Log4j utility that could result in remote code execution. Update Log4j to version 2.15.0 or mitigate exploits as soon as possible. Log4j is a component of many commercial, Java-based software applications, which may also be affected. Be aware of vendor updates for these packages and apply patches as quickly as possible.

Problem

Log4j is a Java-based logging library maintained by the Apache Software Foundation. According to the Cloudflare Blog, “In the affected Log4j versions, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”

Affected Versions

Apache Log4j 2.0-beta9 up to 2.14.1

Action Items

  • The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

  • Log4J is embedded in a large number of commercial software applications. Be aware of any vendor updates for these packages and apply patches as quickly as possible.

  • Update to version 2.15.0 of Apache Log4j as soon as possible after appropriate testing.

  • If updating to the latest version is not possible, mitigate exploit attempts by setting the system property "log4j2.formatMsgNoLookups" to "true", or remove the JndiLookup class from the classpath.

  • If you are using Cloudflare WAF, you can help mitigate any exploit attempts via three newly deployed rules.
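The action items above ask server owners to find Log4j jars, decide whether they fall in the affected range (2.0-beta9 up to 2.14.1), and either update to 2.15.0 or remove the JndiLookup class from the classpath. The script below is an added example written for this page; it is not U-M or Apache tooling. It walks a directory tree for jar files, reads the version from the jar's META-INF/MANIFEST.MF (it assumes the Implementation-Version header is present, which is the case for Maven-built log4j-core jars; a jar without it is reported as "version unknown, review manually"), checks whether org/apache/logging/log4j/core/lookup/JndiLookup.class is packaged, and can write a copy of the jar with that class removed. The build_sample_jar function constructs a minimal fake jar in memory so the example runs offline; it is a test fixture, not a real Log4j build.

```python
"""Inventory Log4j 2 jars, flag affected versions, and apply the JndiLookup classpath mitigation.

Added example for the advisory; not an official U-M or Apache tool.
"""
import io
import os
import re
import zipfile
from typing import Dict, Iterator, Optional, Tuple

JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST_ENTRY = "META-INF/MANIFEST.MF"

# Accepts "2.14.1", "2.0", "2.0-beta9", "2.0-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn a Log4j version string into a comparable tuple; None if unparseable.

    The fourth field ranks beta < rc < final so that 2.0-beta9 < 2.0-rc1 < 2.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag, tagnum = m.groups()
    rank = {"beta": 0, "rc": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch or 0), rank, int(tagnum or 0))


# Affected range from the advisory: 2.0-beta9 up to and including 2.14.1; fixed in 2.15.0.
FIRST_AFFECTED = parse_version("2.0-beta9")
FIXED_VERSION = parse_version("2.15.0")


def is_affected_version(text: Optional[str]) -> Optional[bool]:
    """True if the version is in the affected range, False if not, None if it cannot be parsed."""
    if text is None:
        return None
    v = parse_version(text)
    if v is None:
        return None
    return FIRST_AFFECTED <= v < FIXED_VERSION


def inspect_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Report the manifest version and whether JndiLookup.class is packaged in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if MANIFEST_ENTRY in names:
            manifest = zf.read(MANIFEST_ENTRY).decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_ENTRY in names
    affected = is_affected_version(version)
    # Unknown version plus a packaged JndiLookup class still needs a human look.
    return {
        "version": version,
        "jndi_lookup_present": has_jndi,
        "affected_version": affected,
        "needs_action": has_jndi and affected is not False,
    }


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Return a copy of the jar with JndiLookup.class removed (the advisory's classpath mitigation)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def scan_directory(root: str) -> Iterator[Tuple[str, Dict[str, object]]]:
    """Yield (path, report) for every .jar under root; corrupt archives are reported, not skipped silently."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, inspect_jar(fh.read())
            except zipfile.BadZipFile:
                yield path, {"version": None, "jndi_lookup_present": False,
                             "affected_version": None, "needs_action": True}


def build_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Construct a minimal fake log4j-core jar in memory (constructed test fixture, not real Log4j)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST_ENTRY,
                    "Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\n"
                    f"Implementation-Version: {version}\r\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    vulnerable = build_sample_jar("2.14.1")
    print("before:", inspect_jar(vulnerable))
    print("after: ", inspect_jar(strip_jndi_lookup(vulnerable)))
    print("2.15.0:", inspect_jar(build_sample_jar("2.15.0")))
```

On a real server, replace the sample jar with scan_directory("/opt") or the application's lib directory and treat any report with needs_action set as an item for the update or mitigation steps above; the stripped jar only helps if the application is restarted against it, and the system-property route ("log4j2.formatMsgNoLookups" set to "true" on the JVM command line) remains the alternative when the jar cannot be modified. Upgrading to 2.15.0 is still the preferred fix.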

Threats

Exploit code is publicly available, widespread scanning for vulnerable systems is occurring, and this vulnerability is being exploited actively in the wild.

Technical Details

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.
