Update: Prisma Cloud Addresses Log4Shell: CVE-2021-44228, CVE-2021-45046 Mitigations


On December 9, 2021, a remote code execution vulnerability in the popular Java package Apache Log4j 2 was publicly disclosed. Since the abrupt release of the vulnerability, numerous exploits have been publicly shared, and attackers have made use of the opportunity to attack instances in the wild. The vulnerability has been dubbed “Log4Shell.”

Log4j is a logging framework designed to be used by any Java application. Because of this, it is used in a wide range of Java programs, from web servers to video games, all of which are affected by this issue. We analyzed this vulnerability and determined that it is of the highest severity possible, with a CVSS 3.1 score of 10. The abrupt disclosure, the ease of exploitation and the severe impact of remote code execution make it an “ideal” vulnerability for mass exploitation by attackers. Due to the widespread use of Log4j, the severity of the vulnerability and its ease of exploitation, it has been compared to Shellshock, which had a serious impact on internet security a few years ago.

We strongly recommend that users of this package upgrade it to the latest, fixed version, 2.16.0. To read the full details of the vulnerability, its exploitation and its risks, please refer to our Unit 42 analysis.

The good news is that Prisma Cloud users can easily detect software components affected by this vulnerability. The Prisma Cloud Intelligence Stream (IS) automatically updates to include the vulnerability information from official vendor feeds. Prisma Cloud reflects any update or analysis by Linux distribution and application maintainers. This allows Prisma Cloud to accurately detect any affected images and hosts based on the most up-to-date information.

In addition, the Prisma Cloud research team also analyzed this vulnerability internally and published a Pre-Filled CVE for this issue. CVE-2021-44228 has blown up quickly, and some vendors are still analyzing it to determine affected versions and packages. The Intelligence Stream will continue to update as vendors release vulnerability information, but thanks to our analysis the vulnerability will be detected in all affected packages immediately.

Users can search for the CVE in Vulnerability Explorer in environments where Defender agents are deployed.

Figure 1. CVE-2021-44228 search results in Vulnerability Explorer

The screenshot below is an example of the container image details view, where CVE-2021-44228 is shown as Critical.

Figure 2. CVE-2021-44228 detected in Prisma Cloud

Update 1: On December 13, our research team determined that Log4j 1.x releases may be affected by a similar vulnerability. This vulnerability has been assigned CVE-2021-4104. Log4j 1.x has been end of life since August 2015 and will not be fixed. The Intelligence Stream has been updated with this CVE, and vulnerable 1.x instances are detected in Prisma Cloud.

Update 2: On December 14, it was discovered that the fix released in Log4j 2.15.0 was insufficient. CVE-2021-45046 was assigned to the newly discovered vulnerability. Per our preliminary analysis, the impact of this vulnerability is Denial of Service (DoS), not full remote code execution. The Intelligence Stream has been updated with a Pre-Filled CVE entry for CVE-2021-45046, and Prisma Cloud customers can detect this vulnerability. The mitigations previously suggested, which relied on Log4j configuration changes, do not remediate this new vulnerability.

The risk can only be fully remediated by upgrading to Log4J 2.16.0.

Update 3: On December 15, a refined WAAS rule with improved coverage of obfuscated exploits was released. WAAS users are encouraged to use the updated rule (also provided below).

Update 4: On December 18, a new vulnerability in Log4j versions through 2.16.0 was discovered and assigned CVE-2021-45105. Although it is not a variant of the original CVE-2021-44228, it has a similar attack vector: abusing attacker-controlled lookups in logged data. The impact of this vulnerability is Denial of Service (DoS). The Intelligence Stream has been updated with a Pre-Filled CVE entry for CVE-2021-45105, and Prisma Cloud customers can detect this vulnerability.

The risk can only be fully remediated by upgrading to Log4J 2.17.0, 2.12.3 (for Java 7) or 2.3.1 (for Java 6).

Another mitigation strategy suggested in the Log4j security notes is to change the configuration as follows:

  • In PatternLayout in the logging configuration, replace Context Lookups like ${ctx:loginId} or $${ctx:loginId} with Thread Context Map patterns (%X, %mdc, or %MDC).
  • Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.
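As an added illustration (not from the original post, the Log4j project or Prisma Cloud), the following log4j2.xml fragment shows a PatternLayout that uses a Context Lookup for a hypothetical loginId key, beside the same pattern rewritten with the Thread Context Map converter %X as the first bullet above recommends. The appender names and the loginId key are assumptions; only the hardened appender is wired to the root logger.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: before/after PatternLayout for the Log4j 2
     configuration mitigation described in the post. -->
<Configuration status="WARN">
  <Appenders>
    <!-- BEFORE: $${ctx:loginId} is a Context Lookup. The leading "$$" defers
         evaluation to log time, so the value stored under loginId (for example,
         data copied from an HTTP header) is itself evaluated for lookups rather
         than printed verbatim. This is the attacker-controlled lookup in logged
         data that the updates above describe. -->
    <Console name="ConsoleVulnerableLayout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=$${ctx:loginId} - %msg%n"/>
    </Console>

    <!-- AFTER: %X{loginId} reads the same Thread Context Map entry through the
         pattern converter, which prints it as plain text without lookup
         evaluation. -->
    <Console name="ConsoleHardenedLayout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level user=%X{loginId} - %msg%n"/>
    </Console>
  </Appenders>

  <Loggers>
    <Root level="info">
      <AppenderRef ref="ConsoleHardenedLayout"/>
    </Root>
  </Loggers>
</Configuration>
```

A quick way to audit an existing configuration for the vulnerable form is to search it for the strings `${ctx:` and `$${ctx:`; this configuration change is a defence-in-depth measure and does not replace upgrading to the fixed release named above.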


Update 5: On Decembe