
Log4Shell: A Log4j 2 Zero Day Exploit - The Core Hosting, LLC

December 16, 2021


The Core Hosting is dedicated to the proactive security of your site and strives to stay on top of the latest threats to keep you informed.

Apache Log4j 2, a Java-based logging library developed by the Apache Foundation, is used by numerous enterprise-class applications and cloud services to provide advanced logging capabilities. Depending on whether you currently use a Managed or Unmanaged service, you may be vulnerable to this newly found zero-day exploit. Customers who enjoy the benefits of a Managed service, such as our Managed VPS, Managed Dedicated Hosting, or Shared hosting, have nothing to worry about, as our services were patched the moment the fix was available. For anyone self-managing their services, now is the time to update if you have not already.

On November 24, 2021, Alibaba Cloud's security team reported a Log4j 2 remote code execution vulnerability to Apache. The exploit takes advantage of Log4j functions that perform recursive analysis of log message content: with specially constructed malicious requests, attackers can trigger remote code execution.

The vulnerability impacts default configurations of several Apache frameworks, including:

  • Apache Druid
  • Apache Flink
  • Apache Solr
  • Apache Struts2

In Apache Log4j2 versions up to and including 2.14.1 (excluding security releases 2.3.1, 2.12.2 and 2.12.3), the JNDI features used in configurations, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. (Source)

On December 10, 2021, this vulnerability was officially designated in the NIST national vulnerability database as CVE-2021-44228 (also known as the “Log4Shell” vulnerability). This then expanded to several other found, and later patched, vulnerabilities listed as CVE-2021-45046 and CVE-2021-45105.

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments; remote code execution has been demonstrated on macOS but no other tested environments.

CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0, excluding 2.12.3, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DoS (Denial of Service) attack.

How the Vulnerability Impacts You

Depending on the type of hosting account you have with The Core Hosting, you may or may not need to take action:

Shared, Reseller, and Managed WordPress Accounts

If you have a shared, reseller, or Managed WordPress hosting account, you do not need to do anything. These servers automatically receive frequent updates that include patches for the Log4j 2 vulnerability.

cPanel published an update to mitigate CVE-2021-44228 the same day the vulnerability was announced. For more information, see cPanel’s blog entry.

Managed VPS and Dedicated Servers

If you have a Managed VPS or Managed Dedicated server, you most likely do not need to take any action – your server is updated automatically with patches for the Log4j 2 vulnerability. The only exception is if you have installed any software utilizing Log4j outside of cPanel/WHM; you should ensure those installations are updated. All software installed and managed by The Core Hosting has already been updated.

cPanel published an update to mitigate CVE-2021-44228 (and the subsequent follow-up patches) the same day the vulnerability was announced. For more information, see cPanel's blog entry.

Unmanaged VPS and Dedicated Servers

If you have an unmanaged VPS or unmanaged Dedicated server, make sure you keep it up-to-date with the latest security patches. If you need assistance with this, our amazing team of support staff is ready to help! We know that this kind of exploit can be dangerous and sometimes hard to correct. So let us assist.

If you use Log4j 2, it is very important to ensure you have updated to the most recent version. The first patch (2.15.0) was incomplete and left a further vulnerability, CVE-2021-45046, which required a second patch.

Java 8 (or later) users should upgrade to release 2.17.0 or higher.

Java 7 users should upgrade to release 2.12.3 or higher.

Java 6 users should upgrade to release 2.3.1 or higher.
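For operators of unmanaged servers, the first practical step is finding out which log4j-core version is actually installed. The following is an added example, not code from the original post or from Apache: it encodes the per-branch minimum fixed releases listed above (2.3.1, 2.12.3, 2.17.0), reads the version from the Maven pom.properties that log4j-core ships inside its jar, and flags jars that need an upgrade. The directory layout and the sample jar in demo() are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

# Minimum fixed release per branch, from the upgrade guidance above:
# Java 6 -> 2.3.1 (2.3.x line), Java 7 -> 2.12.3 (2.12.x line), Java 8+ -> 2.17.0.
FIXED = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}
DEFAULT_FIXED = (2, 17, 0)
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> ((2, 14, 1), False); '2.0-beta9' -> ((2, 0, 0), True)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-\w+)?$", text.strip())
    if not m:
        raise ValueError("unrecognised log4j version: %r" % text)
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, bool(m.group(4))  # second value: a pre-release suffix is present

def needs_upgrade(version):
    """True when a log4j-core 2.x version is below the fixed release for its branch."""
    nums, prerelease = parse_version(version)
    if nums[0] != 2:
        return False  # log4j 1.x is a separate code base; not covered by this check
    fixed = FIXED.get(nums[:2], DEFAULT_FIXED)
    return nums < fixed or (nums == fixed and prerelease)

def log4j_core_versions(root):
    """Yield (path, version) for each top-level jar/war/ear under root that embeds
    log4j-core's Maven pom.properties. Jars nested inside wars are not recursed."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as zf:
                    props = zf.read(POM_PATH).decode("utf-8", "replace") if POM_PATH in zf.namelist() else ""
            except zipfile.BadZipFile:
                continue  # not a real zip archive; skip rather than abort the scan
            m = re.search(r"^version=(.+)$", props, re.M)
            if m:
                yield path, m.group(1).strip()

def demo():
    """Constructed sample: one fake log4j-core-2.14.1.jar in a temp directory."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(POM_PATH, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
    return [(os.path.basename(p), v, needs_upgrade(v)) for p, v in log4j_core_versions(root)]
```

Point log4j_core_versions() at the application directories on the server (for example a Tomcat or Solr install); jars bundled inside a .war's WEB-INF/lib need to be extracted first, since the scanner does not descend into nested archives.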

More information can be found at Apache.

For information about how to install updates on unmanaged servers, please see this Knowledge Base article.

The Bottom Line

Heartbleed, Shellshock: the Log4j vulnerability is only the latest in a long line of security bugs. It isn't the first, and it surely won't be the last.

If you have a managed hosting account, you can rest assured that we take care of server configuration and updates for you. If you have an unmanaged server, however, we highly recommend that your team upgrade as soon as possible, or reach out to our support for help regarding this zero-day exploit.
