Critical remote code execution vulnerability found in Log4j library

Australian Cyber Security Centre

This is an update to Alert the ACSC issued on 10 December 2021.

A vulnerability (CVE-2021-44228) exists in certain versions of the Log4j library. A malicious cyber actor could exploit this vulnerability to execute arbitrary code.

Australian organisations should apply latest patches immediately where Log4j is known to be used.

If you are a developer of any affected software, the ACSC advises early communication with your customers to enable them to apply mitigations and install updates where they are available.

As of 14 December 2021, the ACSC is aware of targeting and compromise of organisations using this vulnerability globally and in Australia.

Malicious cyber actors have used this vulnerability to target and compromise systems globally and in Australia. As of 15 December 2021, the ACSC has published an advisory regarding mitigation and detection recommendations.

Background /What has happened?

A remote code execution vulnerability (CVE-2021-44228) has been identified in the Log4j library, one of the most widely used Java-based logging utilities globally, with a detailed outline of the vulnerability being published via a security blog post.

Proof-of-concept code to exploit this vulnerability is publicly available on GitHub, and additional technical specifications have been published by Red Hat.

Due to the popularity and widespread use of the Log4j2 library in popular frameworks a large number of third-party apps may also be vulnerable to exploitation.

The ACSC is aware of scanning attempts to locate vulnerable servers. As of 14 December 2021, the ACSC is aware of targeting and compromise of organisations using this vulnerability globally and in Australia. This vulnerability is trivial to exploit.

Detection

Australian organisations should identify vulnerable applications and services running in their environment using techniques described or via lists of vulnerable products. The ACSC further recommends that organisations check the logs of these systems for evidence of exploitation attempts using these techniques.

System administrators should check potentially vulnerable servers for outbound traffic to hosts outside the local network which may indicate communication with command and control nodes or traffic to internal hosts indicating attempts of lateral movement. If present, any activity detected using this method warrants further investigation.

Mitigation / How do I stay secure?

The ACSC strongly recommends the implementation of the ASD Essential Eight mitigations to mitigate threats to internet facing systems. Specifically for this vulnerability, maintaining a regular patch process and validating the application of patches reduces the risk of exploitation and is an essential part of a mature cyber program.

Australian organisations using systems which feature Log4j as a component, the ACSC recommends seeking vendor guidance on patching the system.

If you are a developer of any affected software, the ACSC advises early communication with your customers to enable them to apply mitigations and install updates where they are available.

Australian organisations who utilise Log4j versions prior to 2.15.0 should update to the latest available version. However, where a patch cannot be applied immediately Australian organisations should make use of the mitigation suggestions available.

Australian organisations are additionally recommended to pursue the following actions to limit the chance of exploitation or extent of compromise:

  • Implement network segmentation and segregation of affected hosts;
    • Specifically for this vulnerability, configure network access rules to prevent vulnerable hosts from initiating requests to all JNDI related naming services;
    • If practical, disable outbound connections from the vulnerable hosts to the internet;
    • Isolate hosts running vulnerable applications to prevent lateral movement;
  • Configure a Web Application Firewall (WAF) to drop identified malicious user controlled log2j entries;
  • Develop a patch prioritisation strategy that focuses on internet facing systems.

Assistance / Where can I go for help?

/Public Release. View in full here.