News broke out on Thursday, December 9th as Log4j, the most utilized open-source logging system in the world, displayed clear evidence of a critical vulnerability affecting large companies all over the world, including Apple, Amazon, Cloudflare, Steam, Tesla, Twitter, and Baidu.

According to Microsoft Security Response Team, the Apache Log4j 0-day vulnerability allows unauthenticated remote code execution and is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the Log4j 2 vulnerable component. Attacks have already taken place less than a day after its reporting, and Netlab, the networking security division of Chinese tech giant Qihoo 360, disclosed that Attackers like Mirai and Muhstik (aka Tsunami) are still actively looking for vulnerable servers to exploit.

Currently, this vulnerability, also known as CVE-2021-44228 currently holds a risk matrix base score of 10, the highest risk possible according to Oracle advisory, and has been labeled by GitHub advisory as a critical severity level.

 

Have I been affected?

To determine if your application has been affected by this vulnerability:

  • Determine your current Log4j version and update. All versions prior to 2.16.0 have been affected. This is recommended as it was found that, Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This vulnerability called, “CVE-2021-45046” made the previous version susceptible to attacks. As such, Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

 

  • Determine your current Java version and update. All versions lower than the ones below are vulnerable:
    • Java 6 – 6u212
    • Java 7 – 7u202
    • Java 8 – 8u192
    • Java 11 – 11.0.2

If the application has both Java & Log4j issues, then according to Certnz advisory it is certainly been affected. However, you can still check your domain vulnerability by using open-source testing tools, like GitHub – log4shell-tester.

 

Log4j Solution?

 Download Log4j version 2.16.0 (If you are unable to upgrade, follow the steps below):

  • Behavior can be mitigated by either setting system property formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
  • If using version >=2.0-beta9and <=2.10.0, remove log4j’s JndiLookup class from Java’s classpath as under: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

 

How AppScan can help

HCL AppScan can help developers scan for log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 with its Open-Source analysis (OSA) or Dynamic Application Security Testing (DAST) capabilities in our cloud-based application security testing solution AppScan on Cloud.

Learn how to scan for vulnerability Log4j with HCL AppScan on Cloud’s OSA capability

Learn how to scan for vulnerability Log4j with HCL AppScan on Cloud’s DAST capability 

 

What is AppScan on Cloud (ASoC)?

ASoC offers an unparalleled suite of comprehensive security testing tools available on the cloud, including SAST, DAST, IAST, and OSA. Enabling organizations to address vulnerability earlier in the Software Development Life Cycle (SDLC), reducing false positives, fixing code as it’s written and yielding advanced correlation to deliver more accurate results empowering organizations to deliver secure & compliant software faster and at scale.

 

For a free demonstration of AppScan’s OSA tool and our suite of security testing tools, including SAST, DAST, IAST for web, and open-source applications. Click here.

For additional information on Log4j vulnerability in HCL  AppScan’s deployment platforms, please see AppScan technote.

Comment wrap
Further Reading
article-img
HCL Software, Secure DevOps | January 11, 2022
2022 Robservations on Application Security
2021 exploited multiple major topics, and not just in the information security sector. Learn how last years vulnerabilities are beginning to dictate cybersecurity's position in all industries as we step into 2022. 
article-img
HCL Software, Secure DevOps | October 25, 2021
HCL AppScan Standard Re-Imagined
HCL AppScan Standard is evolving, offering a better user experience, new features, and the same exceptional DAST scanning engine.
article-img
Secure DevOps | August 6, 2021
Secure your Mobile Applications with AppScan’s SAST Capabilities
AppScan’s breadth of language support (including mobile) in SAST and new offering of IAST security testing provides better coverage for the entire solution whether the client is running their application on a browser, desktop, or mobile OS
Close