Get the podcast on Apple Podcasts
×

DanielMiessler

search
Login Become a Member Subscribe

The Subsequent Waves of log4j Vulnerabilities Aren’t as Bad as People Think

Attacks against 2.15 and the CLI fix require a non-standard logging config


Created/Updated: December 20, 2021

log4j non default

If you’re reading this you’re underslept and over-caffeinated due to log4j. Thank you for your service.

I have some good news.

I know a super-smart guy named d0nut who figured something out like 3 days ago that very few people know.

Once you have 2.15 applied—or the CLI implementation to disable lookups—you actually need a non-default log4j2.properties configuration to still be vulnerable!

Read that again.

The bypasses of 2.15 and the NoLookups CLI change don’t affect people unless they have non-default logging configurations. From the Apache advisory:

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern.

Apache Project Security Advisory

“Certain non-default configurations”. I’ve never heard a sweeter set of syllables.

These can also be set in log4j2.xml or programatically.

So you need to have changed your configs to include patterns like:

$${ctx:loginId}
${ctx
${event
${env

The UL Newsletter: Finding the Patterns in the Noise…
Get a weekly analysis of what's happening in security and tech—and why it matters.

…etc to be vulnerable to a 2.15 patch level or a log4j2.formatMsgNoLookups or LOG4J_FORMAT_MSG_NO_LOOKUPS = true bypass!

That’s huge! And Nate figured this out like 4 days ago!

He mentioned to me multiple times this wasn’t as bad as people thought, but he wasn’t shouting from the rooftops so I didn’t listen well enough. Shame on me.

He also happens to have a strong meme game.

Summary

  1. The first vuln was just as bad as everyone thinks it is. Or worse. It did not require this non-default logging configuration.
  2. But if you are patched to 2.15, or mitigated with the NoLookup config, you are no longer vulnerable unless you ALSO have a logging config option set in your log4j2.properties file that re-enables them.
  3. So, if you’re already patched to 2.15 and/or have the mitigation in place, and don’t have non-standard configs—which you should confirm—you might be able to sleep for a bit.
  4. And of course of course—keep in mind that this all only pertains to vulnerabilities we know about today. And the internet moves fast.
  5. Finally, d0nut is awesome and you should follow his work.

Notes

  1. This also applies to the DoS that 2.17 addresses.
  2. Thanks to Nate for the great find!

Written By Daniel Miessler in Information Security

Daniel Miessler is a cybersecurity leader, writer, and founder of Unsupervised Learning. He writes about security, tech, and society and has been featured in the New York Times, WSJ, and the BBC.


Join the Unsupervised Learning Community
The premier networking community for smart and curious people interested in security, technology, and society.

I read 20+ hours a week about security, tech, and society to find the patterns that help you stay ahead. Add your best email to get the update every Monday……
Access to the UL Slack Community
Exclusive Member-Only Content
Access to the UL Book Club
Full Podcast Feed Access
Show Archive Access
Book Summaries with Analysis
Public Essays, tutorials, and analysis
Public newsletters
Subscribe

DanielMiessler
© Daniel Miessler 1999-2022


Finding the Patterns in the Noise
I read 20+ hours a week about security, tech, and society to find the patterns in the noise that keep you three steps ahead…