Apache Log4j Vulnerability Update – Remediation Tools and Patches

This article provides updates from The Cybersecurity and Infrastructure Security Agency (CISA), Apache and Microsoft who continue to work to develop patches and tools to help organizations protect themselves from one of the most severe cybersecurity vulnerabilities on record.

As many of us are just returning to the office from the holiday weekend, cybersecurity professionals around the globe continue to work around the clock to develop tools to identify and remediate Log4j vulnerabilities.

CISA Log4j Scanner Tool

CISA announced the release of a Log4j scanner last week that works to identify web services impacted by the CVE-2021-44228 and CVE-2021-45046 remote code execution vulnerabilities.

The open-sourced tool is based on scanners created by other members of the open-source community, including FullHunt’s automated scanning framework for the CVE-2021-44228 bug. According to CISA, the tool allows security teams to scan network hosts for Log4j RCE exposure and identify web application firewall bypasses that act as entry points for threat actors to potentially gain code execution within the environment.

The scanner is available on the CISA GitHub page at https://github.com/cisagov/log4j-scanner and features include:

  • Support for lists of URLs
  • Fuzzing for more than 60 HTTP request headers (not only 3-4 headers as previously seen tools)
  • Fuzzing for HTTP POST Data parameters
  • Fuzzing for JSON data parameters
  • Supports DNS callback for vulnerability discovery and validation
  • WAF Bypass payloads

CISA also revised the “Alert (AA21-356A) Mitigating Log4Shell and Other Log4j-Related Vulnerabilities” to include mitigation guidance for the CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105 Log4j vulnerabilities. The revised alert is available at www.cisa.gov/uscert/ncas/alerts/aa21-356a.

Apache Fixes and Updates

Apache released Log4j version 2.17.1 this past Monday which fixes a newly discovered remote code execution (CVE-2021-44832) vulnerability. Prior to the release, version 2.17.0 was believed to be the safest release to upgrade to, but the new version is recommended until the next release.

Apache also released patches to contain an arbitrary code execution flaw in Log4j that could be abused by threat actors to run malicious code on affected systems, according to Hacker News. Apache has now addressed four key vulnerabilities; the updated notes are listed below.

  • CVE-2021-44228 (CVSS score: 10.0) - A remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.14.1 (Fixed in version 2.15.0)
  • CVE-2021-45046 (CVSS score: 9.0) - An information leak and remote code execution vulnerability affecting Log4j versions from 2.0-beta9 to 2.15.0, excluding 2.12.2 (Fixed in version 2.16.0)
  • CVE-2021-45105 (CVSS score: 7.5) - A denial-of-service vulnerability affecting Log4j versions from 2.0-beta9 to 2.16.0 (Fixed in version 2.17.0)
  • CVE-2021-4104 (CVSS score: 8.1) - An untrusted deserialization flaw affecting Log4j version 1.2 (No fix available; Upgrade to version 2.17.1)
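
As an added example (not CISA’s, Apache’s or Microsoft’s code), the following Python inventory check reads the version from a jar manifest and maps it against the affected ranges in the table above, including the pre-release forms such as 2.0-beta9 and the 2.12.2 exclusion; the jar is constructed in memory, and the 2.17.1 upgrade target is the one this article recommends.

```python
import io, re, zipfile

# Affected ranges as listed in the article (inclusive bounds). Constructed example, not vendor code.
RANGES = [
    ("CVE-2021-44228", "2.0-beta9", "2.14.1", ()),
    ("CVE-2021-45046", "2.0-beta9", "2.15.0", ("2.12.2",)),
    ("CVE-2021-45105", "2.0-beta9", "2.16.0", ()),
]
RECOMMENDED = "2.17.1"  # release the article recommends upgrading to
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?$")

def parse_version(text):
    """Turn '2.0-beta9' / '2.14.1' into a sortable tuple; pre-releases sort before the release."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    rank = {"beta": 0, "rc": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))

def affected_cves(version):
    """CVEs from the article's table that apply to this version string, in table order."""
    v = parse_version(version)
    hits = ["CVE-2021-4104"] if v[:2] == (1, 2) else []  # Log4j 1.2.x: no fix, upgrade to 2.x
    for cve, lo, hi, excluded in RANGES:
        in_range = parse_version(lo) <= v <= parse_version(hi)
        if in_range and all(v != parse_version(x) for x in excluded):
            hits.append(cve)
    return hits

def needs_upgrade(version):
    """Anything older than the recommended release is flagged, even if no listed CVE matches."""
    return parse_version(version) < parse_version(RECOMMENDED)

def version_from_jar(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF inside a jar (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def build_sample_jar(version):
    """Constructed stand-in for log4j-core-<version>.jar: a zip holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()
```

Against real jars, feed `version_from_jar(open(path, "rb").read())` into `affected_cves`; a shaded or repackaged jar may lack the manifest key, so a `None` result means "inspect by hand", not "clean".
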

Microsoft Defender Log4j Scanner

Microsoft announced that Defender for Containers and Microsoft Defender have received updates to identify and remediate the Log4j vulnerabilities. The Microsoft Security blog “Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability” was updated on December 27th with new information related to Log4j vulnerability tools. Key excerpts from the blog are listed below for the Defender for Containers and Microsoft Defender updates.

Microsoft Defender for Containers

Microsoft Defender for Containers is capable of discovering images affected by the vulnerabilities recently discovered in Log4j 2: CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105. Images are automatically scanned for vulnerabilities in three different use cases: when pushed to an Azure container registry, when pulled from an Azure container registry, and when container images are running on a Kubernetes cluster.

Microsoft Defender for Endpoint

Alerts with the following titles in the Security Center indicate threat activity related to exploitation of the Log4j vulnerability on your network and should be immediately investigated and remediated. These alerts are supported on both Windows and Linux platforms:

  • Log4j exploitation detected – detects known behaviors that attackers perform following successful exploitation of the CVE-2021-44228 vulnerability
  • Log4j exploitation artifacts detected (previously titled Possible exploitation of CVE-2021-44228) – detects coin miners, shells, backdoor and payloads such as Cobalt Strike used by attackers post-exploitation
  • Log4j exploitation network artifacts detected (previously titled Network connection seen in CVE-2021-44228 exploitation) – detects network traffic connecting to an address associated with CVE-2021-44228 scanning or exploitation activity

Microsoft Defender for Servers

Microsoft Defender for Cloud’s threat detection capabilities have been expanded to surface the exploitation of CVE-2021-44228 in several relevant security alerts.

However, reports of the tool capturing false positives started popping up on Twitter shortly after the release. Administrators reported receiving a message reading “Possible sensor tampering in memory was detected by Microsoft Defender for Endpoint”.

Microsoft is currently investigating the situation and is encouraging any users encountering the issue to visit their Microsoft Defender for Endpoint Support page for updates and service requests.

This article is a continuation of our Apache Log4j Vulnerability series, available at https://www.schneiderdowns.com/our-thoughts-on/category/cybersecurity. We encourage you to share our article with your network and reach out with any questions at [email protected]
