Apache Log4j Vulnerability Update – Remediation Tools and Patches

This article provides updates from The Cybersecurity and Infrastructure Security Agency (CISA), Apache and Microsoft who continue to work to develop patches and tools to help organizations protect themselves from one of the most severe cybersecurity vulnerabilities on record.

As many of us are just returning to the office from the holiday weekend, cybersecurity professionals around the globe continue to work around the clock to develop tools to identify and remediate Log4j vulnerabilities.

CISA Log4j Scanner Tool

CISA announced the release of a Log4j scanner last week that works to identify web services impacted by the CVE-2021-44228 and CVE-2021-45046 remote code execution vulnerabilities.

The open-sourced tool is based on scanners created by other members of the open-source community, including FullHunt’s automated scanning framework for the CVE-2021-442288 bug. According to CISA, the tool allows security teams to scan network hosts for Log4j RCE exposure and identify web application firewall bypasses that act as entry points for threat actors to potentially gain code execution within the environment.

The scanner is available on the CISA GitHub page at https://github.com/cisagov/log4j-scanner and features include:

• Support for lists of URLs
• Fuzzing for more than 60 HTTP request headers (not only 3-4 headers as previously seen tools)
• Fuzzing for HTTP POST Data parameters
• Fuzzing for JSON data parameters
• Supports DNS callback for vulnerability discovery and validation
• WAF Bypass payloads

CISA also revised the “Alert (AA21-356A) Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” to include mitigation guidance for CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j vulnerabilities. The revised alert is available at www.cisa.gov/uscert/ncas/alerts/aa21-356a. 

Apache Fixes and Updates

Apache released Log4j version 2.17.1 this past Monday which fixes a newly discovered remote code execution (CVE-2021-44832) vulnerability. Prior to the release, version 2.17.0 was believed to be the safest release to upgrade to, but the new version is recommended until the next release.

Apache also released patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems according to Hacker News. Apache has now addressed four key vulnerabilities and updated their notes listed below.  

• CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
• CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
• CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
• CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.1)

Microsoft Defender Log4j Scanner

Microsoft announced their Defender for Containers and Microsoft Defender received updates to identify and remediate the Log4j vulnerabilities. The Microsoft Security blog “Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability” was updated on December 27^th with new information related to Log4j vulnerability tools. Key excerpts from the blog are listed below for the Defender for Containers and Microsoft Defender updates.

Microsoft Defender for Containers

Microsoft Defender for Containers is capable of discovering images affected by the vulnerabilities recently discovered in Log4j 2: CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. Images are automatically scanned for vulnerabilities in three different use cases: when pushed to an Azure container registry, when pulled from an Azure container registry, and when container images are running on a Kubernetes cluster. 

Microsoft Defender for Endpoint

Alerts with the following titles in the Security Center indicate threat activity related to exploitation of the Log4j vulnerability on your network and should be immediately investigated and remediated. These alerts are supported on both Windows and Linux platforms: 

• Log4j exploitation detected – detects known behaviors that attackers perform following successful exploitation of the CVE-2021-44228 vulnerability
• Log4j exploitation artifacts detected (previously titled Possible exploitation of CVE-2021-44228) – detects coin miners, shells, backdoor and payloads such as Cobalt Strike used by attackers post-exploitation
• Log4j exploitation network artifacts detected (previously titled Network connection seen in CVE-2021-44228 exploitation) – detects network traffic connecting traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity 

Microsoft Defender for Servers

Microsoft Defender for Cloud’s threat detection capabilities have been expanded to ensure the exploitation of CVE-2021-44228 in several relevant security alerts.

However, reports of the tool capturing false positives started popping up on Twitter shortly after the release. Administrators reported receiving a message reading “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint”.

Microsoft is currently investigating the situation and is encouraging any users encountering the issue to visit their Microsoft Defender for Endpoint Support page for updates and service requests.

This article is a continuation of our Apache Log4j Vulnerability series, available at https://www.schneiderdowns.com/our-thoughts-on/category/cybersecurity. We encourage you to share our article with your network and reach out with any questions at [email protected]. 

Apache Log4j CISA Resources

• CISA Apache Log4j Vulnerability Guidance
• CISA Log4j (CVE-2021-44228) Vulnerability Guidance Github Repository

Apache Log4j Web Resources

• Apache – Log4j Security Vulnerability Center
• GitHub – BlueTeam CheatSheet * Log4Shell*
• Github – Log4j RCE Exploitation Detection

Related Articles

• Apache Log4j Vulnerability Update
• Apache Log4j Vulnerability Update – Government Responses and Ransomware Activity
• Apache Log4j Vulnerability Update – CISA Issues Emergency Directive

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.