On December 9, 2021 a serious vulnerability in the Java-based logging package Log4j was disclosed. This is a remote code execution (RCE) vulnerability, meaning that it allows an attacker to install and execute code on a vulnerable server. The vulnerability is CVE-2021-44228 and it affects version 2 of Log4j between versions 2.0-beta-9 and 2.14.1. It is patched in 2.15.0. The logging package Log4j is very widely used in applications. The combination of wide exposure, ease of execution and impact severity make this the most serious vulnerability in recent years.
Harmony Purple has been updated to identify systems that have this exposure. Orchestra Group recommends customers take immediate action to address this issue. Details below.
Identifying and Addressing the Vulnerability Using Harmony Purple
On December 12 Harmony Purple was updated to discover this vulnerability and report on any exposed systems. All Harmony Purple customers were notified to update their Harmony Purple server and perform a scan as soon as possible to identify vulnerable systems in their environment and patch immediately. Customers with further questions or concerns should contact Orchestra Group.
The logging package from Apache, Log4j, is very widely used by java developers and is ubiquitous within commercial internet services, banking applications, enterprise applications and so on.
Log4j allows for user supplied input to be logged. For example, an application might log username input. This alone does not cause the vulnerability. The issue arises because within the Log4j package there is a feature (on by default) that enables user provided content as input to perform a lookup in a directory service such as LDAP. Such input can instruct the Log4j service to perform a lookup on a remote LDAP server and then accept the output of the lookup into its java environment. The attacker supplies an input string that instructs the Log4j service to submit the lookup request to an LDAP server which is under the attacker’s control. The response from that LDAP server contains malicious code which Log4j accepts into its runtime environment.
There are basically two ways to address this issue. First is to upgrade to the latest version (2.15.0-rc2) of Apache log4j-rc2 on all systems. The logging feature is disabled by default in this version. Alternatively, the logging feature can be disabled in earlier versions. Details of how to do this are provided by Apache: https://logging.apache.org/log4j/2.x/security.html