The Subsequent Waves of log4j Vulnerabilities Aren’t as Bad as People Think

Attacks against 2.15 and the CLI fix require a non-standard logging config

By DANIEL MIESSLER in INFORMATION SECURITY
CREATED/UPDATED: DECEMBER 18, 2021

If you’re reading this you’re underslept and over-caffeinated due to log4j. Thank you for your service.

I have some good news.

I know a super-smart guy named d0nut who figured something out like 3 days ago that very few people know.

Once you have 2.15 applied, or the formatMsgNoLookups mitigation in place (the JVM flag or environment variable that disables lookups), you actually need a non-default log4j2 configuration to still be vulnerable!

Read that again.

The bypasses of 2.15 and the NoLookups mitigation don't affect people unless they have non-default logging configurations. From the Apache advisory for CVE-2021-45046:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern. (Apache Log4j project security advisory)

“Certain non-default configurations”. I’ve never heard a sweeter set of syllables.

These patterns can live in log4j2.properties, in log4j2.xml, or in a configuration built programmatically; the file format doesn't matter, the layout pattern does.

So you need to have changed your configs so that a layout pattern includes lookups like:

$${ctx:loginId}
${ctx
${event
${env

...etc. to still be vulnerable at the 2.15 patch level, or to get past the log4j2.formatMsgNoLookups=true or LOG4J_FORMAT_MSG_NO_LOOKUPS=true mitigation!
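As an added example (not code from the original post or from the Log4j project), here is a small Python checker for the condition described above: it scans a log4j2.properties or log4j2.xml file line by line for runtime-data lookups (${ctx:...} / $${ctx:...}, plus ${event:...} since the post lists it) and rewrites Context Lookups to the %X{key} MDC converter, which is the replacement Apache recommends because it prints the MDC value literally instead of running it through a second round of lookup expansion. The sample properties file is constructed for the example, and the function names find_risky_lookups and harden_pattern are chosen here; treating ${event:...} as risky is an assumption taken from the post's list, not from the advisory.

```python
import re
import sys
from typing import List, Tuple

# Lookups whose value is runtime data an attacker may influence. "ctx" is the
# Thread Context Map (MDC) lookup named in the Apache advisory; "event" is included
# only because the post lists ${event as a pattern to look for (assumption).
RISKY_LOOKUPS = ("ctx", "event")

# Matches ${name:key}, $${name:key} and the ${name:key:-default} form.
LOOKUP_RE = re.compile(r"\$\$?\{(?P<name>[A-Za-z]+):(?P<key>[^}:]+)(?::-[^}]*)?\}")

# Constructed sample log4j2.properties (not from the original post): one console
# appender whose PatternLayout carries the vulnerable-style Context Lookup.
SAMPLE_PROPERTIES = """\
# constructed sample config
status = warn
appender.console.type = Console
appender.console.name = STDOUT
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{HH:mm:ss} [%t] %-5p user=$${ctx:loginId} %c - %m%n
rootLogger.level = info
rootLogger.appenderRef.stdout.ref = STDOUT
"""

# Log4j 2's built-in default pattern (used when no config file is found): no lookups at all.
DEFAULT_PATTERN = "%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"


def find_risky_lookups(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, lookup_name, key) for each risky lookup in a config.

    Works on properties or XML text one line at a time; '#' comment lines are skipped.
    """
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for m in LOOKUP_RE.finditer(line):
            if m.group("name").lower() in RISKY_LOOKUPS:
                hits.append((lineno, m.group("name").lower(), m.group("key")))
    return hits


def harden_pattern(pattern: str) -> str:
    """Rewrite ${ctx:key} / $${ctx:key} (with or without a :-default) to %X{key}.

    %X prints the MDC value as-is, so a value such as ${jndi:...} is logged literally
    instead of being expanded again. Other lookups are left untouched for manual review.
    """
    def repl(m: "re.Match[str]") -> str:
        if m.group("name").lower() == "ctx":
            return "%X{" + m.group("key") + "}"
        return m.group(0)
    return LOOKUP_RE.sub(repl, pattern)


def main(paths: List[str]) -> int:
    """Scan the given config files (or the embedded sample if none); exit 1 on any hit."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_PROPERTIES)]
    found = 0
    for name, text in sources:
        for lineno, lookup, key in find_risky_lookups(text):
            found += 1
            print(f"{name}:{lineno}: ${{{lookup}:{key}}} lookup in layout/config")
            if lookup == "ctx":
                print(f"    suggested replacement: %X{{{key}}}")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_log4j_patterns.py /path/to/log4j2.properties /path/to/log4j2.xml`; with no arguments it checks the embedded sample and reports the $${ctx:loginId} hit. A configuration assembled in code is not covered by a file scan, so that path still needs a manual look at every PatternLayout you build.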

That’s huge! And Nate figured this out like 4 days ago!


He mentioned to me multiple times this wasn’t as bad as people thought, but he wasn’t shouting from the rooftops so I didn’t listen well enough. Shame on me.

He also happens to have a strong meme game.


Summary

  1. The first vuln was just as bad as everyone thinks it is. Or worse. It did not require this non-default logging configuration.
  2. But if you are patched to 2.15, or mitigated with the NoLookups setting, you are no longer exposed to the known bypasses unless you ALSO have a Pattern Layout with a Context Lookup (such as $${ctx:loginId}) in your log4j2 configuration, whether that lives in log4j2.properties, log4j2.xml, or code.
  3. So, if you're already patched to 2.15 and/or have the mitigation in place, and don't have non-standard configs (which you should confirm by checking every layout pattern for ${ctx, $${ctx and similar lookups), you might be able to sleep for a bit. Upgrading to 2.16.0 or later, which removes message lookups and disables JNDI by default, is still the real fix; the config check buys time, not closure.
  4. And of course of course—keep in mind that this all only pertains to vulnerabilities we know about today. And the internet moves fast.
  5. Finally, d0nut is awesome and you should follow his work.

Notes

  1. This also applies to the DoS that 2.17 addresses (CVE-2021-45105): it has the same precondition of a non-default Pattern Layout with a Context Lookup.
  2. Thanks to Nate for the great find!


Written By Daniel Miessler

Daniel Miessler is a cybersecurity leader, writer, and founder of Unsupervised Learning. He writes about security, tech, and society and has been featured in the New York Times, WSJ, and the BBC.


Source: https://danielmiessler.com/blog/the-second-wave-of-log4j-vulnerabilities-werent-nearly-as-bad-as-people-think/
