Newest Log4j Security Vulnerability – CVE-2021-44228 – Log4Shell
Styra Declarative Authorization Service (DAS), both SaaS and self-hosted, as well as Open Policy Agent (OPA), are not affected by the Log4j security vulnerability.
The newest Apache Log4j Java-based logging utility vulnerability (CVE-2021-44228) was disclosed to Apache by Chen Zhaojun of Alibaba’s Cloud Security Team on November 24, 2021 and published on December 9, 2021. The zero-day arbitrary code execution vulnerability in the Apache Log4j Java logging library affects all Log4j2 versions prior to 2.15.0.
CVE-2021-44228 has been dubbed “Log4Shell” and is being described as “the single biggest, most critical vulnerability of the last decade” because of Log4j’s very broad use in enterprise systems and web applications. Security teams are working to remediate this vulnerability across their infrastructure, as CVE-2021-44228 impacts multiple cloud-native tools. Threat actors have quickly developed tools that automatically attempt to exploit this vulnerability, as well as worms that spread independently from one vulnerable system to another.
Log4j impact on manufacturers and components summary: https://github.com/YfryTchsGD/Log4jAttackSurface
How it works
1. Trigger: Single string of text
2. Action: Application reaches out to an external location (only if it’s logged via the vulnerable instance of Log4j)
3. Action: Initiate special text in an HTTP User-Agent header or a simple POST form request
4. Action: The vulnerable Log4j instance parses this string and reaches out via the Java Naming and Directory Interface (JNDI)
5. Action: Resource acts as a launch-pad to another attacker-controlled endpoint, which serves Java code to be executed on the original victim
This is an extremely low-effort attack vector for threat actors, making it easy to create tools that automatically attempt to exploit this vulnerability. Ultimately, it grants a threat actor or tool the ability to run arbitrary code on the target.
Recommendations
If your organization uses the Log4j library, you should upgrade to log4j-2.15.0-rc2 immediately: https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc2
Work with your vendors to apply any patches they release for CVE-2021-44228
Use Florian Roth’s grep commands and YARA rules for detection: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
Impact to Styra Customers
Styra Declarative Authorization Service (DAS), both SaaS and self-hosted, is not affected by the Log4j security vulnerability – CVE-2021-44228. Styra DAS is a Golang-based application and thus doesn’t use the Log4j library. However, Styra DAS does use Elasticsearch, for which a Remote Code Execution (RCE) vulnerability has been reported (ESA-2021-31). Styra customers do not have direct access to the Elasticsearch pods for Styra DAS, and there is no direct access to the Elasticsearch logs or Elasticsearch APIs. However, it is Styra’s recommendation that self-hosted Styra DAS customers upgrade Elasticsearch to 7.16.1 or set the JVM option -Dlog4j2.formatMsgNoLookups=true to avoid any possibility of exploitation (note that there must be no space after “=”, otherwise the property is read as false and lookups stay enabled). SaaS customers do not need to take any action.
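The recommendations above boil down to three checks per host: is Log4j at 2.15.0 or later, is Elasticsearch at 7.16.1 or later, and, failing either, is -Dlog4j2.formatMsgNoLookups=true set without the stray space that silently disables it. The following audit helper is an added example (not Styra’s code); the inventory, host names and version strings are constructed for illustration.

```python
import re
import shlex

# Versions named in the recommendations above.
LOG4J_FIXED = (2, 15, 0)
ES_FIXED = (7, 16, 1)
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups="

# Constructed sample inventory (hypothetical hosts, not real systems):
# (host, component, version, JVM options as they appear on the command line)
INVENTORY = [
    ("app-api", "log4j", "2.14.1", "-Xmx2g -Dlog4j2.formatMsgNoLookups=true"),
    ("app-batch", "log4j", "2.14.1", "-Xmx2g -Dlog4j2.formatMsgNoLookups= true"),
    ("app-web", "log4j", "2.15.0-rc2", ""),
    ("es-data-0", "elasticsearch", "7.16.1", "-Xms4g -Xmx4g"),
    ("es-data-1", "elasticsearch", "7.10.2", "-Xms4g -Xmx4g"),
]

def parse_version(version: str) -> tuple:
    """Reduce '7.16.1' or '2.15.0-rc2' to a comparable (major, minor, patch) tuple."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())

def no_lookups_set(jvm_opts: str) -> bool:
    """True only when -Dlog4j2.formatMsgNoLookups=true is present and well-formed.

    A space after '=' splits the flag into two JVM arguments: the property gets an
    empty value (which Log4j treats as false) and 'true' becomes a stray argument.
    The property exists only from Log4j 2.10 onward; older versions must be upgraded.
    """
    for token in shlex.split(jvm_opts):
        if token.startswith(NO_LOOKUPS_FLAG):
            return token[len(NO_LOOKUPS_FLAG):].lower() == "true"
    return False

def audit(component: str, version: str, jvm_opts: str) -> str:
    """Classify one host as patched, mitigated (flag only) or vulnerable."""
    fixed = ES_FIXED if component == "elasticsearch" else LOG4J_FIXED
    if parse_version(version) >= fixed:
        return "patched"
    if no_lookups_set(jvm_opts):
        return "mitigated"
    return "vulnerable"

def audit_inventory(inventory) -> dict:
    """Map every host in the inventory to its status."""
    return {host: audit(comp, ver, opts) for host, comp, ver, opts in inventory}

if __name__ == "__main__":
    for host, status in audit_inventory(INVENTORY).items():
        print(f"{host:10} {status}")
```

Running it flags app-batch as vulnerable even though the flag is “present”, which is exactly the whitespace mistake the note above warns about.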
Open Policy Agent is also not affected by the Log4j security vulnerability. OPA is a Golang-based application and doesn’t use Log4j.
As always, if you have any questions or concerns, please feel free to contact us.