
Version 1.2 Published 1/4/2021 8:00AM [Added RCE risk for version 2.17 to New Information]

Version 1.1 Published 12/19/2021 4:00PM [Added DDOS risk for version 2.16 to New Information]

Version 1.0 Published 12/17/2021 12:00PM [Initial Publication]

Summary:
The Log4J vulnerability is a critical vulnerability that allows remote code execution (RCE) on an impacted device. If any user-controlled input is sent to a vulnerable service and logged, that device can be forced to run arbitrary code as the user of the impacted service. Typical examples of malicious payloads are keyloggers, rootkits, and ransomware. Because this library is present in many commercial and home-grown applications, it is critical to review ALL IT assets for this vulnerability. As new variants of these exploits are discovered, the mitigations and the list of impacted products change constantly, so IT staff must monitor and adapt to the changing threat landscape.

What you should be doing:

  • Search ALL systems under your control for the presence of the Log4J libraries
  • Look for vulnerable products from ALL IT vendors you use
    • The Log4J library is widely distributed and can be embedded in unexpected places. Even iLO tools on server hardware run a web server and can contain the issue. It is also present in a number of commercial software packages. We have found it in our backup software and even in some science software.
    • Where found, results should be reported on this WebForm: https://go.rutgers.edu/Log4JExpInv
  • Look for vulnerable products from hosted cloud solutions
    • While not hosted on campus, these systems still represent a risk to the University and must be evaluated.
    • Where found, results should be reported on this WebForm: https://go.rutgers.edu/Log4JExpInv
  • Continue to monitor the Log4J Security Page and vendor patches for updates
    • This situation is rapidly evolving, so it's important to keep checking for new information. EI has already had to re-patch many systems.
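As an added example written for this page (not one of the EI search scripts referenced here, which are not reproduced), the following Python scanner walks a directory tree for log4j-core jars, follows jars nested inside wars and ears, reads the version from the jar's Maven pom.properties (assumed present, as in standard Maven builds) and flags anything below the fixed releases named in this advisory (2.17.1, or 2.12.4 on the Java 7 line).

```python
import io, os, re, zipfile
# Maven metadata shipped inside log4j-core jars (standard Maven layout, assumed present)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):  # '2.17.1' -> (2, 17, 1); tolerates suffixes like '-SNAPSHOT'
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_fixed(version):
    """Fixed per the advisory: 2.12.4+ on the Java 7 line, 2.17.1+ otherwise; 1.x never."""
    v = parse_version(version)
    if not v or v[0] != 2:
        return False  # 1.x is end-of-life and has its own critical flaws
    if v[:2] == (2, 12):
        return v >= (2, 12, 4)
    return v >= (2, 17, 1)

def log4j_version(zf):
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None  # not a log4j-core jar (or metadata stripped)
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_archive(data, label, findings):
    """Append (label, version, fixed) for this archive and every archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # corrupt file or something merely named .jar
    with zf:
        ver = log4j_version(zf)
        if ver:
            findings.append((label, ver, is_fixed(ver)))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVE_EXT):  # e.g. WEB-INF/lib/*.jar inside a .war
                scan_archive(zf.read(name), label + "!" + name, findings)

def scan_tree(root):
    findings = []  # nested hits are labelled outer.war!inner.jar
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXT):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    scan_archive(fh.read(), os.path.join(dirpath, f), findings)
    return findings
```

A shaded jar that repackages log4j classes without the Maven metadata will not be reported, so treat a clean result as a starting point rather than proof of absence.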

New Information:

Version 2.17 (and 2.12.3 for Java 7) and below are vulnerable to a remote code execution (RCE) attack in which an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code. This does not impact version 1.x; however, other critical vulnerabilities impact that version and should be mitigated. Version 2.17.1 (and 2.12.4 for Java 7) has been released to address this new flaw.

Version 2.16 (and 2.12.2 for Java 7) was found to be susceptible to uncontrolled recursion from self-referential lookups. This would allow an attacker to crash a running application as a form of denial of service. Version 2.17 (and 2.12.3 for Java 7) has been released to address this flaw. The Log4J Security Page lists some possible mitigations, but upgrading is the preferred full mitigation.

Note: Previous workarounds involving configuration changes to affected versions are no longer sufficient.

Helpful links:

Decision tree EI used on its own systems:


Search Scripts

CentOS Script
Windows Script