gitlab-de/log4j-resources

This repository is designed to be a collection of resources to learn about, detect and mitigate the impact of the Log4j vulnerability - more formally known as CVE-2021-44228 and CVE-2021-45046 (mirror from GitLab.com)

💡 Log4j CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 Resources

This repository is designed to be a collection of resources to learn about, detect and mitigate the impact of the Log4j vulnerability - more formally known as CVE-2021-44228.

Below you can find a set of links to resources organized by topic area. If you want to add resources, you can fork this repository on GitLab.com and create a merge request. This repository on GitLab is mirrored to GitHub.

Table of content

• About the vulnerability
  • Software updates
  • CVE information
  • Security advisories
  • Other
• Detecting the vulnerability
  • Security Vendors
  • Guides
  • Community tools and articles
• Mitigating the vulnerability

❔ About the vulnerability

Apache Log4j, versions 2.0-2.14.1 have a vulnerability to remote code execution (RCE). It is remotely exploitable without authentication, i.e., attackers may exploit it over a network without the need for a username and password.

New vulnverabilities have been discovered and fixed, see Software updates below for the timeline.

📦 Software updates

Upgrade log4j to the latest release to fix the vulnerabilities.

• log4j 2.17.0 fixes CVE-2021-45105, where log4j does not always protect from infinite recursion, leading to DoS attacks.
• log4j 2.16.0 removes support for message lookups, and disables JNDI by default. Fixes CVE-2021-45046 with raised critical severity, RCE possibility.
• log4j 2.15.0 fixes the vulnerability in CVE-2021-44228 but left JNDI lookups enabled by default.

📄 CVE Information

• CVE-2021-45105 from NIST
• CVE-2021-45105 from MITRE
• CVE-2021-45046 from MITRE
• CVE-2021-45046 from Red Hat
• CVE-2021-44228 from MITRE
• CVE-2021-44228 from Oracle

💬 Security Advisories

• This GitHub gist contains an extensive list of the various security advisories from cloud, software, and SaaS companies about CVE-2021-44228.
• CISA Log4j (CVE-2021-44228) Vulnerability Guidance
• Updates and actions to address Log4j CVE 2021 44228 and CVE 2021 45046 in GitLab
• Jenkins

📖 Other

• Software related to or impacted by the Log4j vulnerability
• List of impact on manufacturers and components summary from the Internet community
• Awesome Log4Shell
• ‘The Internet Is on Fire’ by Wired

🔥 Detecting the vulnerability

🚒 Security Vendors

• Checkmarx
• Contrast Security
• Docker
• Elastic
• GitLab
• Synk
• WhiteSource
• Veracode

🏗️ Guides

• Container Scanning

📈 Community tools and articles

Community projects and discussions; they have not been tested. Be advised to evaluate and asses their usability on your own.

• GitLab search tools forum topic
• Mitigate Log4j2 / Log4Shell in Elasticsearch by Philipp Krenn

🛡️ Mitigating the vulnerability

The best way to mitigate the vulnerability is to update any application using Log4j to the latest version (see Software Updates section above). However, there have been many other discussions of how to mitigate the vulnerability short of that.

• Disable message lookups. These are availabe in Log4j 2.10 - 2.14.1 and requires restarting the process.
  • Adding -Dlog4j2.formatMsgNoLookups=true to processes running Log4j 2.10 - 2.14.1.
  • Setting an environmental variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true
• For versions 2.0-beta9 to 2.10.0, you could remove the JndiLookup class by running the code below and restarting the process
  • zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
• Without restarting the process, you could apply this hot patch which injects a Java agent into running processes to patch the issue.