Bitsight Observes Widespread Apache Log4j 2 Vulnerability Exposure

Update 12/15/2021: Apache issued new fix for the Log4j logging utility, as the previous Log4j patch was deemed as “incomplete in certain non-default configurations.”

This vulnerability, which is being tracked as CVE-2021-45046, is rated 3.7 on the CVSS rating system and affects all versions of Log4j from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0. 

From Apache:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack.

It is recommended that users update to version 2.16.0 at this time.

A critical vulnerability that allows for unauthenticated remote code execution has been discovered in Apache Log4j 2, an open source Java logging tool. The Apache Software Foundation has identified the vulnerability as CVE-2021-44228.

“34% of companies we examined had at least one exposed Java-based server. Not all of those use Log4j, but that gives a rough sense of the scale of exposure,” said Ethan Geil, Senior Director, Data and Research. “Starting just after midnight UTC on Dec. 10, Bitsight’s honeypots began to observe scanning activity seeking to trigger the vulnerability. This activity has increased throughout the day, reaching hundreds of requests per hour from 18:00-19:00 UTC. Some of the activity appears to be due to security researchers, but other traffic may be malicious.”

Because Log4j is so common, the exploit requires little skill, and its impact could be high, CVE-2021-44228 has received a maximum severity rating of 10 on the Common Vulnerability Scoring System (CVSS) scale.

Log4j is used in many common frameworks, including Apache Struts, Apache Solr, Apache Druid, and Apache Flink, so it is estimated that millions of applications could be affected. Popular platforms such as iCloud, Minecraft, Steam, and more have been confirmed to be vulnerable at the time of writing—many more are likely to follow in the coming days. 

Some reports have also noted that the Equifax breach of 2017 was also due to an Apache Struts vulnerability. However, this issue is potentially more far reaching, as Log4j is a much more widely used component.

Mitigating CVE-2021-44228

Apache Log4j users on versions from 2.0-beta9 to 2.14.1 should take steps to patch this vulnerability immediately.  

Bitsight users can identify third parties using Java-based servers that may be vulnerable to better understand the scope of impact to their portfolio. This can help prioritize followup and vendor outreach activities.  

Andrew Burton, Ethan Geil, and Pedro Umbelino (a-z) contributed to this article.