runZero can help you build an up-to-date asset inventory and search for assets that may be affected by Log4J vulnerabilities, such as Log4shell. runZero is not a vulnerability scanner, but you can share runZero’s results with your security team for investigation and mitigation.

What is Log4j? #

Internet discussion was abuzz on December 9th about an 0-day vulnerability that can yield remote code execution (RCE) in Apache’s popular Log4J logging library for Java. This particular vulnerability — tracked as CVE-2021-44228 with the maximum “critical” CVSS score of 10 — resides in Log4J’s lookup capability, combined with JNDI (Java Naming and Directory Interface). This issue is widespread because many developers were unaware that Log4J was dangerous to use with unfiltered input.

The most significant impact is that an attacker can cause a string to reach the logger, that when processed by Log4J, executes arbitrary code. The first examples of this used the ${jndi:ldap} path, which could lead to arbitrary code being loaded from a remote URL. This path is partially mitigated by the use of newer Java runtimes that block the URL-based class loader by default. Unfortunately, a modern version of Java may not be enough to prevent exploitation, as the application itself may expose classes that can be used to run arbitrary code.

While Apache released fixes to CVE-2021-44228 in Log4J version 2.15.0, it was discovered these fixes were “incomplete in certain non-default configurations”, allowing for exploitation in certain circumstances (tracked as CVE-2021-45046 (with a “critical” CVSS core of 9.0), leading to a Log4J 2.16.0 release to address CVE-2021-45046.

Following that release, a new vulnerability was raised which can yield a denial-of-service attack via infinite recursion. Tracked as CVE-2021-45105 (and with a “high” CVSS score of 7.5), this vulnerability appeared to affect Log4J versions 2.8 through the most recent 2.16.0 release, and was fixed in versions 2.17.0 (for Java 8) and 2.12.3 (for Java 7).

Then on December 28th, security researchers at Checkmarx published findings of another RCE present in Log4J 2.17.0, one which requires the attacker have permissions to update the logging configuration and, when successful, can yield RCE. Tracked as CVE-2021-44832 (and with a “medium” CVSS score of 6.6), Apache released a fix for this latest vulnerability in Log4J versions 2.17.1 (for Java 8 and later), 2.12.4 (for Java 7), and 2.3.2 (for Java 6).

Impact of Log4J vulnerabilities #

The broad popularity of Log4J–coupled with the relative ease of exploiting this vulnerability–creates potential conditions for far-reaching exploitation (similar to Shellshock).

Google’s security team have scanned the contents of Maven Central and found over 35,000 affected packages, amounting to over 8% of those in the repository. Any application making use of the affected packages as dependencies may be vulnerable.

Affected applications include Elastic Search, Elastic LogStash, GrayLog2, Minecraft (client and server), Neo4J, many Apache projects (Druid, Dubbo, Flink, Flume, Hadoop, Kafka, Solr, Spark, Struts, Tapestry, Wicket), many VMware products (Horizon, vCenter, vRealize, HCX, NSX-T, UAG, Tanzu), Grails, and dozens if not hundreds of others. Log4J versions since 2.0 are reported to contain this vulnerability, which was originally disclosed to Apache several weeks ago by the security team at Alibaba Cloud.

How to stay on top of Log4Shell #

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently created a repo for tracking products/applications affected by Log4Shell, which will likely become the most reliable, long-term source-of-truth.

Note: runZero components–cloud platform, self-hosted, explorer, and CLI scanner–are not affected by this issue.

Patching and remediating vulnerable Log4J instances will continue to be an ongoing effort. Recently, an advanced persistent threat (APT) group has been observed installing rootkits in Windows systems vulnerable to Log4Shell. In fact, even some recent Log4J patching efforts themselves have led to other problems.

Government entities, such as CISA and the FTC, have reinforced the importance of patching, along with leveraging fines against businesses failing to take action. While it has been a long-haul response effort, the importance of remediating software and systems vulnerable to Log4Shell remains clear.

How to mitigate Log4J vulnerabilities #

Patches were made available to prevent code execution Log4J version 2.15.0, but these patches did not disable inline message lookup, which can expose things like environment variables and system configuration settings to an attacker that can observe the generated logs. Additional patches were made available in Log4J version 2.16.0 to make JNDI lookups disabled by default, limited to certain protocols, and only localhost allowed by default. Further patches have been made in Log4J version 2.17.0 to protect from uncontrolled recursion via self-referential lookups, along with additional patches in Log4J version 2.17.1 for limiting JNDI data source names to the java protocol.

For mitigations that folks can take immediately, Apache has offered some guidance.

Note: Initially it was thought that the problem could be mitigated by setting log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS. Apache have now clarified that those mitigation strategies are insufficient.

Mitigating these issues requires one of the following actions:

$ zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
  • Overriding the org.apache.logging.log4j.core.lookup.JndiLookup class by making appropriate changes to your classloader configuration:

It is worth noting that an updated version of the Java runtime is not a sufficient mitigation. Newer versions of Java block the URL class loader by default, but can still be abused to leak secrets from the environment, and deserialization attacks may still succeed using classes already loaded by the process.

How to find applications that use Log4J with runZero #

Identifying every application, device, and service using the Log4J library is going to be an ongoing effort for security professionals. We will continue updating this post and our pre-built queries as more information becomes available.

The following query can be used to identify applications that are likely to be affected by this issue:

product:atlassian or product:avaya or product:coldfusion or product:coyote or product:cpanel or product:druid or product:"elastic search" or product:"epolicy orchestrator" or product:flink or product:graylog or product:hadoop or product:horizon or product:imc or product:jamf or product:jboss or product:jetty or (product:"kerio connect" and protocol:http) or product:logstash or product:metabase or product:minecraft or product:mongodb or product:neo4j or product:openfire or product:pega or product:recoverpoint or product:resin or product:rundeck or product:symantec or product:sonicwall or product:solarwinds or product:sophos or product:splunk or product:tableau or product:tomcat or product:="ubiquiti unifi" or product:"vmware horizon" or product:"vmware vcenter" or product:"vmware vrealize" or product:"vmware site recovery" or product:vmanage or product:wowza or hw:netapp or hw:imc or hw:"ucs manager" or hw:"crosswork son appliance" or hw:"site recovery manager" or hw:sonicwall or tcp_port:8983 or tcp_port:9092 or tcp_port:7077 or tcp_port:5347 or protocol:cassandra or protocol:elasticsearch
Log4J

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries. Self-hosted customers may copy the query above, or use the Export System Queries option to download an importable query set from the cloud console.

Scan with runZero to help with Log4J #

Get runZero free for 21 days. Build your asset inventory and identify apps using Log4J–in minutes.

Start your trial

Acknowledgements #


Affected products and services #

ABB #

Adobe #

Akamai #

Amazon #

Apache #

APC #

Apereo #

  • CAS — Versions affected: 6.3.X & 6.4.X
  • Opencast — Versions affected: < 9.10, < 10.6

Appeon #

  • PowerBuilder — Versions affected: Appeon PowerBuilder 2017-2021 regardless of product edition

Aptible #

  • Aptible — Versions affected: ElasticSearch 5.X

Arista #

CloudVision

Cognitive Wi-Fi

DANZ Monitoring Fabric

Ascertia #

Atlassian #

  • Atlassian Products — Self-hosted if configured with log4j.
  • Bamboo — Self-hosted if configured with log4j.
  • Confluence — Self-hosted if configured with log4j.
  • Crowd — Self-hosted if configured with log4j.
  • Cruicible — Self-hosted if configured with log4j.
  • Fisheye — Self-hosted if configured with log4j.
  • Jira — Self-hosted if configured with log4j.

Avaya #

The current list can be found in the advisory. Some products are still under investigation.

BeyondTrust #

BMC Software #

The current list can be found in the advisory.

  • Bladelogic Database Automation
  • BMC AMI Ops Common Rest API (CRA)
  • BMC AMI Ops Infrastructure (MVI)
  • BMC AMI Ops Insight
  • BMC AMI Ops UI
  • BMC Client Management
  • BMC Discovery
  • BMC Helix Continuous Optimization
  • BMC License Usage Collection Utility
  • CMDB
  • Control-M
  • Helix Data Manager
  • MainView Middleware Monitor
  • Remedy Smart Reporting
  • Sentry Storage All-in-One ETL
  • Sentry Storage Analyzer KM
  • Sybase KM
  • TrueSight App Visibility Manager
  • TrueSight Automation Console
  • TrueSight Automation for Networks
  • TrueSight Automation for Servers
  • TrueSight Infrastructure Management
  • TrueSight IT Data Analytics
  • TrueSight Operations Management
  • TrueSight Smart Reporting
  • TSOM Smart Reporting

Brainworks #

  • Kerio Connect — version <9.4 is affected by the vulnerability CVE-2021-44228.

Broadcom (CA, Symantec) #

The current list can be found in the advisory.

CaseWare #

  • Cloud — Versions affected: unknown

CIS-CAT #

CIS-CAT #

Cisco #

The current list can be found in the advisory. Many other products are still under investigation.

Cisco Cloud Hosted Services

Collaboration and Social Media

Network and Content Security Devices

Network Management and Provisioning

Routing and Switching - Enterprise and Service Provider

Unified Computing

Video, Streaming, TelePresence, and Transcoding Devices

Voice and Unified Communications Devices

Other

Cloudera #

Cloudogu #

Commvault #

Confluent #

Decos #

Dell #

EMC

Other

Dell #

Other

Eaton #

Elastic #

Elastic has confirmed the vulnerability, but believes their mitigations make it difficult to exploit.

EVL Labs #

  • JGAAP — Versions affected: < 8.0.2

Ewon #

  • eCatcher — Versions affected: < 6.7.8

ExtraHop #

  • Reveal(x) — Versions affected: <=8.4.6, <=8.5.3, <=8.6.4

F-Secure #

F5 #

  • Traffix SDC — Versions 5.2.0 CF1 and 5.1.0 CF-30 - 5.1.0 CF-33 affected, other F5 products themselves are not vulnerable. F5 published guidance on mitigating through BIG-IP ASM/Advanced WAF and NGINX App Protect

Filecloud #

  • Filecloud — FileCloud uses Apache Solr which in turn uses the log4j library.

ForgeRock #

Fortinet #

Github #

Google Cloud #

See Google Cloud Log4j security advisory.

Gradle #

GuardedBox #

HCL #

See the KB entries matching CVE-2021-44228 for additional details.

HPE #

HPE #

Huawei #

IBM #

Analytics

Data Management

Spectrum

Sterling

WebSphere

Other

Informatica #

Informatica state that their cloud remediation is complete, and have an advisory listing vulnerable on-premises products.

Intel #

Intland #

  • codebeamer — Versions affected: <= 20.11-SP11, <= 21.09-SP3

Ivanti #

  • Avalache — Versions affected: 6.3.0, 6.3.1, 6.3.2, 6.3.3

Juniper #

Cloud Services

Paragon Automation

Security

Other

Kronos #

Lenovo #

Networking Switches

Software

Software

Storage

ThinkAgile

ThinkStation

ThinkSystem

Lightbend #

LOGalyze #

McAfee #

Microfocus #

CyberRes

Microsoft #

Mimecast #

  • Mimecast — Affected services have been patched.

MobileIron #

Mulesoft #

NetApp #

New Relic #

Nutanix #

  • AOS STS — Affected, patched in v6.0.2.4
  • File Analytics — Affected versions: 2.1.x, 2.2.x, 3.0+. Mitigation steps available for 2.1.x, 2.2.x, download available in 3.0.1.
  • Karbon — All versions affected, mitigation steps available.
  • Mine — All versions affected, mitigation steps available.
  • Objects — All versions affected, mitigation steps available.
  • SaaS-based Products — Most affected products have been patched, WAF mitigations in place.
  • Witness VM — All versions affected, mitigation steps available.

Okta #

OneSpan #

Digipass authentication products

On-premises server products

Oracle #

  • Enterprise Manager — Affected versions: 13.3.2, 13.4, & 13.5. Note that Oracle has currently restricted access to vulnerable product info, this info is from the CISA.
  • Exadata — Affected versions: < 21.3.4. Note that Oracle has currently restricted access to vulnerable product info, this info is from the CISA.

OVHcloud #

OxygenXML #

Palo-Alto Networks #

Ping Identity #

Polycom #

PortEx #

  • Portex — Versions affected: <3.0.2

Positive Technologies #

Progress #

PTV Group #

Software Solutions for Traffic & Mobility

PureStorage #

  • FlashArray — Affected versions: Purity//FA 5.3.x, Purity//FA 6.0.x, Purity//FA 6.1.x, Purity//FA 6.2.x
  • FlashBlade — Affected versions: Purity//FB 3.0.x, Purity//FB 3.1.x, Purity//FB 3.2.x, Purity//FB 3.3.x
  • Portworx — Affected versions: 2.8.0+ with telemetry enabled
  • Pure Cloud Block Store — Affected versions: 6.1.xPAZ, 6.1.xPAWS, 6.2.xPAZ, 6.2.xPAWS
  • Pure VMA Collector — Affected versions: v3.x

Qlik #

QMATIC #

Rapid7 #

Real-Time Innovations (RTI) #

Redhat #

Cloud Computing

  • OpenShift 3.11 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenShift 4 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenShift Logging — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.
  • OpenStack Platform 13 — This issue has been assigned CVE-2021-44228 and rated with a severity impact of Critical.

Cloud Computing/Runtimes

Integration & Automation

Runtimes

Other

Redis #

  • Jedis — Versions affected: 3.7.1, 4.0.0-rc2

Revenera #

Rockwell Automation #

Ruckus #

SBT #

  • SBT — Versions affected: < 1.5.6

Schneider Electric #

  • EASYFIT — Versions affected: Current software and earlier
  • Ecoreal XL — Versions affected: Current software and earlier
  • Eurotherm Data Reviewer — Versions affected: V3.0.2 and prior
  • MSE — Versions affected: Current software and earlier
  • NetBotz750/755 — Versions affected: Software versions 5.0 through 5.3.0
  • NEW630 — Versions affected: Current software and earlier
  • SDK BOM — Versions affected: Current software and earlier
  • SDK-Docgen — Versions affected: Current software and earlier
  • SDK-TNC — Versions affected: Current software and earlier
  • SDK-UMS — Versions affected: Current software and earlier
  • SDK3D2DRenderer — Versions affected: Current software and earlier
  • SDK3D360Widget — Versions affected: Current software and earlier
  • Select and Config DATA — Versions affected: Current software and earlier
  • SNC-API — Versions affected: Current software and earlier
  • SNC-CMM — Versions affected: Current software and earlier
  • SNCSEMTECH — Versions affected: Current software and earlier
  • SPIMV3 — Versions affected: Current software and earlier
  • SWBEditor — Versions affected: Current software and earlier
  • SWBEngine — Versions affected: Current software and earlier

Siemens #

SolarWinds #

Soliton Systems #

SonicWall #

  • Email Security — ES 10.0.11 and earlier versions are affected.
  • NSM — Affected.
  • WAF — Version 3.x with Cloud Management enabled is affected.

Splunk #

Stardog #

  • Stardog — Versions affected: <7.8.1

Stratodesk #

  • NoTouch — Versions affected: 4.5.231

SwingSet #

  • SwingSet — Versions affected: < 4.0.6

TeamViewer #

Tesorion #

Tibco #

Controllers

Hardware Controllers

Hardware Controllers

TrendMicro #

Ubiquiti #

USoft #

  • USoft — Versions affected: 9.1 (unverified)

VMware #

The current list can be found in the advisory.

WatchGuard #

Wibu Systems #

WitFoo #

Zeiss #

Zendesk #

Other #

Potentially affected products #

  • Blackberry may be affected.
  • Citrix is still investigating many products.
  • Dell is still investigating.
  • Huawei is still investigating.
  • Kaseya is still investigating.
  • Oracle currently requires a support account to see affected products.
  • TrendMicro is still investigating.


Written by HD Moore

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

More about HD Moore

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find Go SSH servers on your network
How to discover Go SSH instances on your network that may be vulnerable to CVE-2024-45337
Rapid Response
How to find Cleo Harmony, LexiCom, and VLTransfer installations on your network
Cleo Software has disclosed CVE-2024-50623 affecting installations of Cleo Harmony, VLTransfer, and LexiCom on your network. Here's how to find...
Rapid Response
How to find Cisco NX-OS assets on your network
Cisco has released an advisory for a vulnerability found within their NX-OS software. Here's how to find affected assets.
Rapid Response
How to find Citrix Virtual Apps and Desktops software on your network
Citrix has released an advisory for two vulnerabilities affecting Citrix Virtual Apps and Desktops software.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved