Last Updated: 2021-12-14 13:07:59 UTC
by Johannes Ullrich (Version: 1)
Friday (Dec. 10th), we moved our Infocon to "Yellow" for the first time in about two years. We saw an immediate need to get the word out, as the log4shell vulnerability (CVE-2021-44228) was actively exploited and affected various widely used products, and patches and workarounds were not readily available at the time. Our Infocon indicates "change," not "steady-state." By now, everybody in infosec knows about log4shell. This morning I noticed that even cnn.com had log4j/log4shell mentioned at the top of the page. Once CNN covers an infosec topic like this, it should be old news for anybody "in the field."
We are now moving our "Infocon" back to "green."
Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon. Treat it as such. Mick pointed that out in our live stream yesterday, and it is probably the most important thing you need to plan for now: how to live with log4shell long term.
Please keep notes as you are dealing with this vulnerability and as you find new instances of log4j in your environment. I don't think this was the last we heard of log4j or JNDI. History has taught us that vulnerabilities like this focus attention on the affected features and libraries. I suspect there will be more to come.
As of this writing, log4j 2.16 is the officially fixed version. log4j 2.15 was the initial fix; 2.16 additionally fixes issues with pattern formatters that could still expose you to JNDI lookups.
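As an added example (not part of this diary and not an ISC tool), here is a small Python inventory script of the kind that helps with the "keep notes" advice above: it walks a directory tree, finds log4j-core jars, reads the version, and flags anything below the 2.16 fix level the diary names, with 2.15 reported separately as the partial fix. It assumes the version is recorded in the Maven pom.properties inside the jar (with the filename as a fallback); the Maven coordinates org.apache.logging.log4j:log4j-core and the class path of JndiLookup inside log4j-core are known log4j facts, and the sample jars it builds for the demo are constructed fixtures, not real log4j artifacts. Nested jars inside war/ear files are not unpacked.

```python
"""Inventory log4j-core jars under a directory and flag versions below 2.16.

Added example, not from the ISC diary. Assumptions: version is read from the
Maven pom.properties inside the jar, with the filename as fallback; sample
jars built by make_sample_jar() are constructed fixtures.
"""
import csv
import os
import re
import zipfile

FIXED = (2, 16, 0)        # diary: 2.16 is the officially fixed version
INITIAL_FIX = (2, 15, 0)  # diary: 2.15 was the initial, incomplete fix
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'log4j-core-2.14.1.jar'."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess_jar(path):
    """Return a finding dict for one jar, or None if it is not log4j-core / not a zip."""
    try:
        zf = zipfile.ZipFile(path)
    except zipfile.BadZipFile:
        return None
    with zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = parse_version(line.split("=", 1)[1])
        if version is None and "log4j-core" not in os.path.basename(path):
            return None  # neither Maven metadata nor filename says log4j-core
        if version is None:
            version = parse_version(os.path.basename(path))  # filename fallback
        has_jndi = JNDI_LOOKUP in names  # JNDI lookup code still shipped in this jar
    if version is None:
        status = "UNKNOWN VERSION - inspect manually"
    elif version >= FIXED:
        status = "OK"
    elif version >= INITIAL_FIX:
        status = "PARTIAL FIX (2.15) - update to 2.16"
    else:
        status = "VULNERABLE - update to 2.16"
    return {"path": path,
            "version": ".".join(map(str, version)) if version else "",
            "jndi_lookup_class": has_jndi,
            "status": status}


def scan_tree(root):
    """Walk root and assess every .jar file found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(".jar"):
                finding = assess_jar(os.path.join(dirpath, fn))
                if finding:
                    findings.append(finding)
    return findings


def write_notes(findings, out):
    """Write findings as CSV to a text stream so the inventory becomes a record."""
    w = csv.DictWriter(out, fieldnames=["path", "version", "jndi_lookup_class", "status"])
    w.writeheader()
    w.writerows(findings)


def make_sample_jar(path, version, include_jndi):
    """Constructed fixture: a minimal zip mimicking log4j-core's layout (not a real jar)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PREFIX + "pom.properties", f"version={version}\nartifactId=log4j-core\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode


if __name__ == "__main__":
    import sys
    import tempfile
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # no directory given: demo on constructed jars
        root = tempfile.mkdtemp()
        make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
        make_sample_jar(os.path.join(root, "log4j-core-2.16.0.jar"), "2.16.0", False)
    write_notes(scan_tree(root), sys.stdout)
```

Run it as `python log4j_inventory.py /opt` (hypothetical filename) and keep the CSV output with your incident notes; rerun after each patch cycle and diff the results to see which instances remain. The `jndi_lookup_class` column tells you whether the JNDI lookup code is still present in a given jar, which is a useful second signal when the version string alone is ambiguous.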
Here are a few resources about log4j/log4shell:
RCE in Log4j / Log4Shell or how things can get bad quickly
Log4Shell Exploited to Implant Coin Miners
Log4Shell Live Stream
Log4Shell Followup: What we see and how to defend, and how to access our data
List of Vendor Bulletins
List of Vulnerable Software
Official log4j Website
log4j 2.16 Update which fixes some remaining JNDI related issues