2 years ago | By --37472-- to randori.com

Log4Shell is a high-severity vulnerability (CVE-2021-44228, CVSSv3 10.0) affecting several versions of the Apache Log4j 2 utility. It was publicly disclosed through the project's GitHub on December 9, 2021. The vulnerability, discovered by Chen Zhaojun of the Alibaba Cloud Security Team, affects Apache Log4j 2 versions 2.0 through 2.14.1. It allows unauthenticated remote code execution. Log4j 2 is widely used in many enterprise applications as well as numerous cloud services.

Comments


The article includes other mitigations not covered in

CCN-CERT AL 09/21 Vulnerability in Apache Log4j 2 [Recommendations]

2 years ago | By Hil014 to ccn-cert.cni.es

such as these:

For those who cannot upgrade to 2.15.0:
- In releases >=2.10, this vulnerability can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
- For releases from 2.0-beta9 to 2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

If patching is not possible, it is highly advised organizations apply the temporary mitigation below and monitor impacted applications closely for anomalous behavior.

To mitigate the vulnerability in place of updating Log4j 2, the following parameter should be set to true when starting the Java Virtual Machine:

log4j2.formatMsgNoLookups

The presence of JAR files belonging to the log4j library can indicate an application is potentially susceptible to CVE-2021-44228. The specific files to search for should match the following pattern:

log4j-core-*.jar

Depending on the installation method, the location of the matching JAR file may also give indications as to which application is potentially vulnerable. For example, on Windows, if the file is located in C:\Program Files\ApplicationName\log4j-core-version.jar it indicates ApplicationName should be investigated. On Linux, the lsof utility can show which processes currently have the JAR file in use and can be run via the following syntax:

lsof /path/to/log4j-core-version.jar

Currently, detection guidance in the form of regular expression signatures in the public space appears to be overly broad and bypasses have surfaced to circumvent them.
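To make the indicators in the quoted guidance concrete, here is an added example (not code from the randori article, the CCN-CERT alert or the Apache project): a Python scanner that walks a directory tree for files matching log4j-core-*.jar, classifies each one by the affected 2.0 to 2.14.1 range and by whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside the archive, and writes a copy of an affected jar with that class removed, which is what the quoted zip -d command does. The directory layout and jar contents it builds are constructed test data, and the names scan_tree, classify_jar, strip_jndi_lookup and build_sample_tree are the example's own.

```python
"""Find log4j-core jars under a directory and classify them for CVE-2021-44228.

Classification follows the quoted guidance: the log4j-core-*.jar filename
pattern, the affected 2.0 .. 2.14.1 range, and whether JndiLookup.class has
already been removed from the archive.
"""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, log4j-core-2.10.0-nojndi.jar, ...
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")
# 2.15.0 is the fix level named on this page; later advisories raised it further.
FIXED_VERSION = (2, 15, 0)


def parse_version(filename):
    """Extract (major, minor, patch) from a log4j-core jar name, or None."""
    m = JAR_NAME_RE.match(filename)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify_jar(path):
    """Return 'patched', 'vulnerable', 'mitigated' or 'unknown' for one jar."""
    version = parse_version(os.path.basename(path))
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "patched"
    # Inside the affected range exposure depends on JndiLookup still being present.
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    return "vulnerable" if has_jndi else "mitigated"


def scan_tree(root):
    """Walk root and return [(path relative to root, classification), ...]."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                findings.append((os.path.relpath(full, root), classify_jar(full)))
    return sorted(findings)


def strip_jndi_lookup(src, dst):
    """Write a copy of src to dst without JndiLookup.class; return True if it was removed."""
    removed = False
    with zipfile.ZipFile(src) as jin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as jout:
        for info in jin.infolist():
            if info.filename == JNDI_LOOKUP_CLASS:
                removed = True
                continue
            jout.writestr(info, jin.read(info.filename))
    return removed


def build_sample_tree():
    """Constructed test data: a throw-away tree with fake jars (not real Log4j bytecode)."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "app1/lib/log4j-core-2.14.1.jar": True,   # affected range, JndiLookup present
        "app2/lib/log4j-core-2.10.0.jar": False,  # affected range, class already removed
        "app3/lib/log4j-core-2.15.0.jar": True,   # fix release named on this page
    }
    for rel, with_jndi in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
            if with_jndi:
                jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, status in scan_tree(root):
        print(f"{status:10s} {rel}")
    src = os.path.join(root, "app1/lib/log4j-core-2.14.1.jar")
    dst = os.path.join(root, "app1/lib/log4j-core-2.14.1-nojndi.jar")
    print("removed JndiLookup:", strip_jndi_lookup(src, dst), "->", classify_jar(dst))
```

Point scan_tree at a real application root to inventory jars; a jar reported as "vulnerable" is one where both the version range and the presence of the lookup class line up with the guidance, while "mitigated" means the class has already been stripped even though the version string still looks affected. The filename check is a heuristic, since a shaded or renamed jar can still carry the class, so a fuller inventory would also open every jar rather than only those matching the name pattern.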