Security

Cybersecurity Threat Advisory 0083-21: Second Log4j Vulnerability Patch Released

THREAT UPDATE

Over this past week, several organizations are releasing security updates to address the Apache Log4j zero-day vulnerability being exploited in the wild. Although Apache released an initial patch for the exploit, it was deemed incomplete due to a lack of security for non-default configurations. In response, Apache has released a second patch, Log4j 2.16.0, which is designed to mitigate the vulnerability entirely.

Technical detail and additional information

WHAT IS THE THREAT?

As we know, a significant Log4j Remote Code Execution (RCE) vulnerability has had a patch released and tracked as CVE-2021-44228. However, the patch was not entirely effective at mitigating the risk due to CVE-2021-45046, the lack of completion in some non-default configurations. The latest patch, Log4j 2.16.0, removes support for message lookup patterns and disables JNDI functionality by default all together. While CVE-2021-44228 simply disabled the ability to control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Furthermore, for prior releases (<2.16.0) this issue can also be mitigated by removing the JndiLookup class from the classpath.

WHY IS IT NOTEWORTHY?

Log4j is practically omnipresent in the world of websites and all things Java. It was used to log information for the web applications developers created in efforts to aid with debugging and for other tracking purposes. LDAP, RMI and other JNDI endpoints can be used as avenues to execute arbitrary code from a threat actor utilizing the Log4j vulnerability. Many malicious actors and threat groups are using this vulnerability to gain unauthorized access. Many believe due to the magnitude of the vulnerability the detections confirmed will continue to grow and mitigation will be a slower than usual process. Furthermore, NIST has given this vulnerability a base score of 10, ten being most critical.

Barracuda's Response Updates

UPDATE DECEMBER 12TH, 2021:

Barracuda Networks is aware of the recently disclosed security issue affecting the open-source Apache "Log4j" utility (CVE-2021-44228). We have increased our security monitoring protocols and are actively updating to the latest version of Log4j for all of our infrastructure and services.

We strongly encourage customers who manage environments containing Log4j to update to the latest version, available at https://logging.apache.org/log4j/2.x/download.html

We will continue to post updates to this page as status changes.

UPDATE DECEMBER 14TH, 2021:

Barracuda Networks continues our analysis of (CVE-2021-44228) the remote code execution vulnerability related to Apache Log4j. We have confirmed that none of our products are using vulnerable log4j versions associated with CVE-2021-44228 at this time. Additionally, external scans against our products and production hosts have not identified actual exposure within our environment.

Our product and security teams is currently conducting holistic reviews of our infrastructure, tools, and third-party services to identify and remediate any potential vulnerabilities.

UPDATE DECEMBER 20TH, 2021:

In light of the new Apache Log4j version 2.17.0, Barracuda Networks is continuing our security monitoring protocols and is actively updating to the latest version of Log4j for all of our infrastructure and services.

UPDATE JANUARY 3RD, 2022:

With the new Apache Log4j version release, we have confirmed that none of our products are using vulnerable log4j versions associated with CVE-2021-44228 at this time. We continue to run and monitor our external scans against our environment.

If you have any questions, please contact our Security Operations Center.