OA4MP, SciTokens, and Log4j Remote Command Execution Vulnerability (CVE-2021-44228)


Basney, Jim

Dec 10, 2021, 11:35:14 AM
to SciTokens Discussion
Please see the Trusted CI announcement below regarding a high severity vulnerability in the Apache Log4j logging library which is used by OA4MP and SciTokens Java. While we prepare new software releases with the updated Apache Log4j logging library, I encourage you to directly apply library updates and/or mitigations to any OA4MP/SciTokens Java webapps that you are running. Let's use this email thread for sharing info as we investigate this issue.

Regards,
Jim
________________________________________
From: cv-announc...@list.iu.edu <cv-announc...@list.iu.edu> on behalf of Terry Fleury <tfl...@illinois.edu>
Sent: Friday, December 10, 2021 10:11 AM
To: cv-an...@trustedci.org
Subject: [cv-announce-l] Log4j Remote Command Execution Vulnerability (CVE-2021-44228)

CI Operators and Developers:

A high severity vulnerability (CVE-2021-44228 [1]) impacting multiple versions of the Apache Log4j logging library has been discovered [2]. Successful exploitation of this vulnerability can result in unauthenticated Remote Command Execution (RCE) [3].

Impact:

Any configuration which allows a remote connection to supply arbitrary data that is written to log files by an application using the Log4j library is susceptible to exploitation. Depending on what code is present on the server, an attacker could leverage this code to execute a payload [4].

Affected Software:

Apache Log4j < 2.15.0

Recommendation:

Upgrade all projects using Apache Log4j to the latest version 2.15.0 [5].

If you are using Log4j v2.10.0 or higher, you can mitigate the issue by adding an option "-Dlog4j2.formatMsgNoLookups=true" to your JVM startup script, often set via JAVA_OPTS.

Log4j2 versions before 2.10.0 can mitigate the issue by removing the JndiLookup.class from the log4j-core Jar file:

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

Log4j v1.x is an End of Life product which will not be receiving a patch. It is recommended to update to Log4j v2.15.0 [6].

To check logs for attack attempts:

sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

If you use Splunk, you can detect attack attempts by adding an alert for:

("jndi:ldap" OR "jndi:rmi" OR "jndi:dns")

As this issue is quite new, it's likely any projects impacted by the vulnerability will be upgrading their Log4j dependency soon. It is recommended to update any such software when releases are available.

References:
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
[2] https://www.randori.com/blog/cve-2021-44228/
[3] https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
[4] https://www.lunasec.io/docs/blog/log4j-zero-day/
[5] https://logging.apache.org/log4j/2.x/security.html
[6] https://logging.apache.org/log4j/2.x/manual/migration.html

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI can not provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

Basney, Jim

Dec 10, 2021, 1:48:36 PM
to SciTokens Discussion
I'm uploading patched wars:

https://github.com/ncsa/OA4MP/releases/tag/v5.2.2p1
https://github.com/scitokens/scitokens-java/releases/tag/v1.2.1p1

If you run into any trouble with them or have any other feedback, please let me know.

Regards,
Jim

________________________________________
From: Basney, Jim <jba...@illinois.edu>
Sent: Friday, December 10, 2021 10:35 AM
To: SciTokens Discussion
Subject: OA4MP, SciTokens, and Log4j Remote Command Execution Vulnerability (CVE-2021-44228)
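An added example, not code from OA4MP, SciTokens or the Trusted CI announcement: a Python check for a deployed war that finds log4j-core jars under WEB-INF/lib and reports whether each is at or above the 2.15.0 release the announcement recommends, has had JndiLookup.class removed as the zip -d mitigation does, or is still unmitigated. The sample war and its jars are constructed in memory, and the 2.14.1 version number is an illustrative pre-2.15.0 value, not one taken from the thread.

```python
import io
import re
import zipfile

# Class the announcement says to strip from log4j-core, and the release it says to upgrade to.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED_VERSION = (2, 15, 0)
CORE_JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

def assess_log4j_core(jar_name, jar_bytes):
    """Classify one log4j-core jar as 'fixed', 'mitigated' (JndiLookup removed) or 'vulnerable'."""
    m = CORE_JAR_RE.search(jar_name)
    version = tuple(int(x) for x in m.groups()) if m else None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        has_jndi_lookup = JNDI_CLASS in jar.namelist()
    if version is not None and version >= FIXED_VERSION:
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated"
    return "vulnerable"

def audit_war(war_bytes):
    """Map each log4j-core jar under WEB-INF/lib/ in a war to its assessment."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and CORE_JAR_RE.search(name):
                findings[name] = assess_log4j_core(name, war.read(name))
    return findings

def make_jar(entries):
    """Build an in-memory zip with the given (empty) entries; stands in for a real jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry in entries:
            z.writestr(entry, b"")
    return buf.getvalue()

def build_sample_war(core_jar_name, core_entries):
    """Constructed war: one log4j-core jar plus an unrelated jar the audit must ignore."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
        war.writestr("WEB-INF/lib/log4j-api-2.14.1.jar", make_jar(["META-INF/MANIFEST.MF"]))
        war.writestr("WEB-INF/lib/" + core_jar_name, make_jar(core_entries))
    return buf.getvalue()
```

Run audit_war on the bytes of your own deployed war; a "vulnerable" entry means neither the upgrade nor the class removal has been applied to that jar.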

Basney, Jim

Dec 12, 2021, 10:05:55 AM
to SciTokens Discussion
Update: We have confirmed that OA4MP and SciTokens Java do not use the Apache Log4j logging library in their default configuration. The disableLog4j parameter defaults to true (see: https://cilogon.github.io/oa4mp/common/configuration/logging.html).

Regards,
Jim

________________________________________
From: Basney, Jim <jba...@illinois.edu>
Sent: Friday, December 10, 2021 12:48 PM
To: SciTokens Discussion
Subject: Re: OA4MP, SciTokens, and Log4j Remote Command Execution Vulnerability (CVE-2021-44228)