The information below was sent to U-M IT groups via email on December 10, 2021. It is intended for U-M IT staff who are responsible for university servers running the Apache Log4j Java-based logging utility, or running applications that have Log4j embedded.
Summary
A zero-day exploit is affecting the Apache Log4j utility that could result in remote code execution. Update Log4j to version 2.15.0 or mitigate exploits as soon as possible. Log4j is a component of many commercial, Java-based software applications, which may also be affected. Be aware of vendor updates for these packages and apply patches as quickly as possible.
Problem
Log4j is a Java-based logging library maintained by the Apache Software Foundation. According to the Cloudflare Blog, “In the affected Log4j versions, Java Naming and Directory Interface (JNDI) features used in configuration, log messages, and parameters can be exploited by an attacker to perform remote code execution. Specifically, an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.”
Affected Versions
Apache Log4j 2.0-beta9 up to 2.14.1
Action Items
- The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- Log4j is embedded in a large number of commercial software applications. Be aware of any vendor updates for these packages and apply patches as quickly as possible.
- Update to version 2.15.0 of Apache Log4j as soon as possible after appropriate testing.
- If updating to the latest version is not possible, mitigate exploit attempts by setting the system property "log4j2.formatMsgNoLookups" to "true", or remove the JndiLookup class from the classpath.
- If you are using Cloudflare WAF, you can help mitigate any exploit attempts via three newly deployed rules.
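As an added example, not part of this advisory and not code from Apache Log4j: a small Python script that reads the log4j-core version out of a jar, checks it against the affected range above, and writes a copy of the jar with JndiLookup.class removed (the classpath mitigation in the action items). The pom.properties and class entry paths are the real ones inside log4j-core; the sample jar is a constructed stand-in holding only those entries.

```python
import re
import zipfile

# Entries inside log4j-core-*.jar that these checks inspect (real paths in the Log4j 2 jar).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def is_affected_version(version):
    """True for 2.0-beta9 through 2.14.1, the range named in the advisory."""
    m = re.fullmatch(r"2\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", version.strip())
    if not m:
        return False  # not a Log4j 2.x version string
    minor, patch, pre, n = int(m.group(1)), int(m.group(2) or 0), m.group(3), m.group(4)
    if pre == "beta":  # betas before 2.0-beta9 are not in the affected range
        return minor == 0 and int(n) >= 9
    return (minor, patch) <= (14, 1)

def log4j_core_version(jar):
    """Read the log4j-core version from the Maven pom.properties bundled in the jar, or None."""
    with zipfile.ZipFile(jar) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def has_jndi_lookup(jar):
    with zipfile.ZipFile(jar) as zf:
        return JNDI_LOOKUP in zf.namelist()

def strip_jndi_lookup(jar, out):
    """Copy the jar without JndiLookup.class (the classpath mitigation); return entries removed."""
    removed = 0
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    return removed

def build_sample_jar(path, version):
    """Constructed stand-in for log4j-core holding only the entries the checks above look at."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not real code
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
    return path
```

Stripping the class only disables the JNDI lookup path; the version check still reports the jar as affected afterwards, so record the mitigation separately and still plan the 2.15.0 update.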
Threats
Exploit code is publicly available, widespread scanning for vulnerable systems is occurring, and this vulnerability is being exploited actively in the wild.
Technical Details
For details, see Apache Log4j Security Vulnerabilities.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Security warning: New zero-day in the Log4j Java library is already being exploited, ZDNet, 12/10/21
- Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet, Ars Technica, 12/10/21
- New zero-day exploit for Log4j Java library is an enterprise nightmare, Bleeping Computer, 12/10/21
- CVE-2021-44228 - Log4j RCE 0-day mitigation, Cloudflare Blog, 12/10/21
- Download Apache Log4j 2, Log4j, 12/6/21
- RCE in log4j, Log4Shell, or how things can get bad quickly, Internet Storm Center, 12/10/21
- Apache Log4j Security Vulnerabilities, Log4j, 12/6/21
- CVE-2021-44228, Mitre Corporation, 11/26/21