Log4j Vulnerability - What do you need to know?

  • 11 December 2021
  • 32 comments
  • 18155 views

Userlevel 7
Badge +8

Hi Everyone,

 

Vulnerabilities wait for no-one, so whilst some are enjoying a weekend off, others are patching to protect against the latest risk. Log4j.

 

This post has two objectives. Firstly I’m sharing my write up regarding the issues I’m aware DO have an impact to VMware, secondly what does this mean to the Veeam products…

 

First up: VMware

I don’t often dedicate a blog post to a particular security vulnerability, but since it has scored a perfect 10 CVE rating, it’s important to be aware ASAP.

VMware have identified multiple products that utilise the Apache technology that are vulnerable to the Log4j vulnerability.

 

What is this “Log4j” vulnerability?

A Remote Code Execution (RCE) has been discovered in Apache’s Log4j Java Library. It is possible to insert maliciously crafted strings into fields that will be logged, which then leverages the “message lookup substitution” function of Log4j to execute code. This can be used to deploy and execute payloads, or execute commands at a heightened privilege level.

This is trivial to reproduce now the vulnerability has been confirmed to exist, hence the high score. This vulnerability isn’t exclusive to VMware.

 

What can I do?

Firstly, keep an eye on this VMware page for the latest updates and patch your systems as updates become available. It’s also a good idea to firewall your systems to prevent unauthorised access to limit any attack footprint. But restricting the footprint is of no substitute for a patch.

Finally, if you’re one of those people living on the edge with an externally accessible vCenter, odds are good you’ve already been compromised, get it off the internet now and check!

 

Second, What about Veeam?

I posted on the Veeam R&D forum this morning regarding Veeam’s vulnerability status regarding this, and thankfully it appears Apache isn’t used by any Veeam product, however the Veeam security team are still investigating.

 

I’ll cross-post any important updates but you can see the thread yourself here.

 

Hopefully Veeam won’t be impacted by this one as it’s honestly one of the scarier vulnerabilities I’ve ever seen due to how widespread this is.

 

Finally, a shout-out to @regnor as he was going to post about this himself if I hadn’t already! More eyes on these topics is always a good thing and I’m sure he’ll follow up with any insights that I’ve missed!

 

—UPDATE—

 

Veeam have confirmed via the R&D forum and via a KB that none of their products are impacted (thanks @Mildur )

https://www.veeam.com/kb4254


32 comments

Userlevel 7
Badge +4

VMSA-2021-0028: Questions & Answers from VMware. vCenter is one of impacted products, but now VMware does not provide the resolutions and workarounds for vCenter.

https://core.vmware.com/vmsa-2021-0028-questions-answers-faq

Userlevel 7
Badge +6

Thanks for posting this in the community @MicoolPaul, and thanks for the shout-out. I don't have much to add 😁

This vulnerability is pretty huge. Like you already said, this does not only affect VMware. Every software project could use Log4j internally and so be vulnerable to this. So better double check every deployed project, especially if they're internet/edge facing. Scans and attacks are already happening.

 

Userlevel 7
Badge +8

Saw this wow major issue. I see VMware has posted workarounds now.

Userlevel 7
Badge +8

Wow, this is a huge vulnerability… 😱😱😱

Userlevel 7
Badge +6

This vulnerability is a lot of headache as for what’s appened with Exchange vulnerability.

Userlevel 7
Badge +3

it’s making lots of noises since friday for us, a poc was published on github in April (chinese language)

https://github.com/nice0e3/log4j_POC

French Cybersecurity Agency are observing attacks in  honeypot infrastructure from Tor too.

Anyway for the veeam part, the answer from Gostev is comfortable:

Veeam R&D Forums Digest - THE WORD FROM GOSTEV

If you're using any software running on Apache and Java, be aware of this critical zero-day vulnerability. Log4j is a ubiquitous logging tool included in almost every Java application, meaning this vulnerability affects literally millions of servers. You can use software dependencies scanner like Syft to determine whether any of your Java apps use an affected version of Log4j. As for Veeam products, while I still need to get the official confirmation from our security team, it's unlikely we're affected because as far as I know we don't use Java in principle. Plus, as it comes to web servers, we're married to Microsoft IIS for our Windows-based apps (VBR/ONE/VSPC) and to nginx for Linux-based (Veeam Backup for AWS/Azure/GCP). The only place I'm aware that uses some Apache components is our SureBackup helper appliance, but that one certainly should not have any traces of Java.

Userlevel 7
Badge +6

https://github.com/Neo23x0/log4shell-detector

This user Florian Roth has released in the past few hours a detector that allows to detect exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228). The detector has been built in such a way as to detect even attempts in which obfuscation techniques have been used. The tool can be used on any Linux host with Python installed and recursively checks the logs in /var/log.

Just sharing!

Userlevel 7
Badge +7

WOW, this issue will have unimaginable effects! For example Apache and Java can suffer from this issue! So many parts of the internet will be affected! 

Userlevel 7
Badge +5

If you use a Cloudian as the capacity tier, they have released a Patch:

[SECURITY] Cloudian HyperStore - Log4j vulnerability CVE-2021-44228 (force.com)

Security patch for CVE-2021-44228 (Log4j vulnerability) (force.com)

Userlevel 7
Badge +5

@MicoolPaul 

Anton has confirmed that the security teams has finished the investigations.

Veeams products are not affected.

 

https://forums.veeam.com/post438363.html#p438363

Userlevel 7
Badge +6

@MicoolPaul

Anton has confirmed that the security teams has finished the investigations.

Veeams products are not affected.

 

https://forums.veeam.com/post438363.html#p438363

VERY GOOD.

Userlevel 7
Badge +4

@MicoolPaul

Anton has confirmed that the security teams has finished the investigations.

Veeams products are not affected.

 

https://forums.veeam.com/post438363.html#p438363

Thanks for your confirmation.:grin:

Userlevel 7
Badge +4

VMware released workaround instructions to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway. Some of my customers applied this workaround.

https://kb.vmware.com/s/article/87081

Userlevel 7
Badge +7

@MicoolPaul

Anton has confirmed that the security teams has finished the investigations.

Veeams products are not affected.

 

https://forums.veeam.com/post438363.html#p438363

Thanks for update, @Mildur ! Great news!

Userlevel 7
Badge +3

Thanks for sharing @MicoolPaul . I saw a lot of vendors are informing on this Vulnerability. Cisco, HPE, VMware and so on… 

Userlevel 7
Badge +5

A KB article is now online:

https://www.veeam.com/kb4254

Userlevel 7
Badge +4

A KB article is now online:

https://www.veeam.com/kb4254

Thanks for your update!:hugging:

Userlevel 7
Badge +4

hi use this script for scan my Winzoz server :D

ScriptsAndAutomationPolicies/get-log4jrcevulnerability.ps1 at master · N-able/ScriptsAndAutomationPolicies · GitHub

 

Anyone can share a good scripts for Nix enviroment?

Thx

Userlevel 7
Badge +6

Unfortunately, there’s a new second CVE that’s need a new patch.

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Userlevel 7
Badge +8

hi use this script for scan my Winzoz server :D

ScriptsAndAutomationPolicies/get-log4jrcevulnerability.ps1 at master · N-able/ScriptsAndAutomationPolicies · GitHub

 

Anyone can share a good scripts for Nix enviroment?

Thx

Very nice script :thumbsup_tone2:

Userlevel 7
Badge +8

Unfortunately, there’s a new second CVE that’s need a new patch.

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Yes, log4j 2.16.0 is needed now. And who knows if this is the last issue :sunglasses:

Userlevel 7
Badge +7

If interested: Here is a list of all HPE products NOT affected:

https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00120086en_us

Userlevel 3

Red Hat products not affected:
https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

Userlevel 7
Badge +6

:warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:

Nearly full list of whats vendor/products are affected:

https://github.com/NCSC-NL/log4shell/tree/main/software

 :warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning::warning:

Userlevel 3

Link for a Linux script that, amongst other things, checks inside of Java files:
https://github.com/rubo77/log4j_checker_beta

Comment