20/12/2021

Further Update on Log4Shell Vulnerability (CVE-2021-44228)

Following on from the Log4j advisories sent 13/12 and 15/12, Apache has released version 2.17.0 of Log4j after discovering issues with their previous release, 2.16.  

Summary:  

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack. 

Our service partner Jisc are aware latest developments present a significant amount of risk to the sector during this period. As many HE and FE institutions have closed until the new year. Please do not hesitate to reach out for support should you need any assistance. 

Considerations: 

  • log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability. 
  • Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this. 
     

Vulnerable Versions:  

  • Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (Only log4j-core JAR file is impacted) 

Recommendation(s): 

  • Patch to the latest version of log4j 2 release 2.17.0. 
  • Alternatively, this can be mitigated by configuration:  
    • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). 
    • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input. 

References:  

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk

 

Keeping Up To Date With Us Is Easy, Sign Up To Our Newsletter Today!

Stay in touch with emPSN, so that you get the latest e-safety advice and invites to our community events.

Our partners