What is CVE-2021-44228?
CVE-2021-44228 is a remote code execution vulnerability that is affecting multiple versions of the Apache Log4j 2 library. This vulnerability is being actively exploited in the wild with a number of instances being reported. Even when remote code execution exploitation is not possible it is often possible to extract sensitive information from environment variables via a DNS request.
It is important to note that Log4J is included in a number of enterprise products so you may be affected even if you do not believe you run Java within your enterprise. A huge variety of systems are affected by this issue, the complete list of affected products is currently unknown.
CheckScan+ Scanner Detections
If you are a CheckScan+ customer, the good news is your regular scans will have already picked up this vulnerability, and over the weekend (11th and 12th ) CheckScan+ has been closely monitoring public attack vectors and has released a comprehensive detection that is available to all clients across all scans and profiles. We have also added a specific template to run a quick check for this CVE.
Current features include:
- Detection via HTTP servers and intermediaries by injecting into parameters, paths and headers.
- Payload obfuscation to evade some flawed filters deployed via Web Application Firewalls and Cloud Security solutions.
- Multiple protocol handler support; dns, rmi and ldap by default.
- Detection via Web Application Scanning and Infrastructure scanning.
The support team are on hand for any queries but please appreciate we anticipate high volumes of requests regarding this vulnerability so response times may be slower than usual.
New vulnerability CVE-2021-45046, suggests that the initial patch was not sufficient so 2.15.0 is still vulnerable in some scenarios. The information here states that: ‘It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.’ and that previous mitigation such as setting `log4j2.noFormatMsgLookup` to `true` are ineffective. It is recommended to update to 2.16.0.
For further information, please email us at: [email protected]