On December 9, 2021, Apache disclosed CVE-2021-44228, a remote code execution vulnerability – assigned with a severity of 10 (the highest possible risk score) – affecting Apache Log4j2, a Java-based logging framework widely used in commercial and open-source software products.

The vulnerability together with two other subsequent vulnerabilities affect versions 2.0 through 2.17.0; version 2.17.1 is not vulnerable. (CVE-2021-44228, the focus of this post was fixed by 2.15, however, CVE-2021-45046 required a fix made in 2.16 and CVE-2021-45105 a fix made in 2.17.)

Bitdefender is already seeing and monitoring several malicious actors running active exploitation campaigns. 

The CVE-2021-44228 vulnerability has been assigned the highest possible risk score (CVSS 10) due to its exploitation impact (ability to remotely execute code on targeted hosts). Likely, this vulnerability will linger in computing infrastructures for an extensive period of time due to the widespread use of the Log4j2 logging framework. It is important to note this vulnerability is easy to exploit and applications using the affected Log4j2 versions are subject to an extensive attack surface. Immediate action is advisable. 

Ways to Mitigate the Risk to Your Infrastructure 

Bitdefender strongly advises its customers to take immediate action and deploy all existing patches and mitigations recommended in industry vendor advisories. We also recommend the following course of action: 

• Conduct an extensive infrastructure and software application audit to identify all systems that implement the Apache Log4j2 logging framework. Then, either immediately upgrade these deployments to Log4j version 2.17.1 (Updated recommendation January 6th 2021 as 2.17 has now been reported by Apache as susceptible to a Denial of Service attack) and deploy the configuration mitigations recommended by Apache, more details in this article.
  
• Review your software supply chain and software bill of materials. Seek mitigation countermeasures or patches from either open-source software project maintainers or commercial software manufacturers for all affected systems. This is especially true for software you are running on internet-facing systems but should not be limited to such systems due to the lateral attack threat posed by the severity of this vulnerability. 
• Actively monitor the infrastructure for potential exploitation attempts and respond accordingly.
  

It is important to note this is a highly dynamic situation and many software vendors and open-source projects are still investigating the presence of Log4j2 in their software bill of materials with additional advisories expected over the coming days and weeks. Therefore, closely monitoring for vendor updates should be a critical part of your ongoing mitigation efforts.

Bitdefender Products and Services 

Bitdefender is actively investigating the potential risks posed by this vulnerability to customers using our products and services. The Bitdefender security engineering and security operations teams are continuously auditing and deploying any needed mitigation countermeasures to our cloud infrastructure and products to identify and eliminate potential risks. 

• GravityZone Cloud: required mitigations have been deployed to the GravityZone Cloud infrastructure. No action is required by Bitdefender customers. 
• GravityZone On-Premises: these deployments are unaffected by the vulnerability. No action is required by Bitdefender customers.   

Since this situation is dynamic and evolving, we will continue to actively monitor for new developments and will provide further status updates and guidance to our customers as needed.  

Apache Log4j 2.17.1 update - January 6, 2022

Bitdefender recommends downloading and upgrading to the Apache Log4j 2.17.1 patch at this time.

No additional risks posed by this vulnerability to customers using our products and services have been identified at this time. We continue to actively monitor and will deploy any needed mitigation countermeasures should they be required (last updated December 28, 2021).

Additional Resources 

• Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild

• NVD - CVE-2021-44228 (nist.gov) 
• Log4j – Apache Log4j Security Vulnerabilities 
• https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce  

• https://github.com/YfryTchsGD/Log4jAttackSurface  
• https://www.reddit.com/r/netsec/comments/rcwws9/rce_0day_exploit_found_in_log4j_a_popular_java/  
• Several comprehensive industry write-ups describe the vulnerability, attack surface and exploitation (example 1, example 2)